[Discuss] Disk recovery utilities - dealing with deleted files

Scott Ehrlich srehrlich at gmail.com
Mon Feb 4 13:03:39 EST 2013


On Mon, Feb 4, 2013 at 1:00 PM, Rich Braun <richb at pioneer.ci.net> wrote:
> Scott Ehrlich <srehrlich at gmail.com> suggested:
>> Try FTK Imager Lite.
>> Also look into TSK (The Sleuth Kit) / Autopsy (web frontend for TSK).
>
> Thanks!  I'll try those; the former seems to be a Windows-based tool but the
> TSK looks like it might work.  One issue that I'm running into is that
> virtually none of the obvious tools have been updated to handle ext4.  Just
> now I found a research paper that concisely gives enough detailed info to
> /write/ a recovery tool (but doesn't talk about /existing/ tools):
>
> http://www.dfrws.org/2012/proceedings/DFRWS2012-13.pdf
>
> What I think is happening with extundelete is that it's making assumptions
> about the journal which might have been valid for ext3, but which are totally
> incorrect for the ext4 journal.
>
>> Was this a RAID or a single disk?
>
> It's a 1TB logical volume on a 4TB lvm2 volume group on top of RAID. So I am
> able to sequester it and perform forensics on the unmounted volume.  I
> discovered my mistake after coming home from a Super Bowl party so I know that
> the only thing which happened to it before I took it offline was my rsync cron
> job.
>
> -rich

Also check out http://www.forensicswiki.org/wiki/Linux

Scott
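
As an added example (not part of the original posts): before pointing an ext3-era recovery tool at the sequestered volume, a read-only look at the superblock feature flags shows whether it uses ext4-only on-disk structures. The function names and the sample superblock are constructed for illustration; the offsets and flag values follow the Linux ext4 on-disk format.

```python
import struct

SUPERBLOCK_OFFSET = 1024      # primary superblock starts 1024 bytes into the volume
EXT_MAGIC = 0xEF53            # s_magic, shared by ext2, ext3 and ext4

# s_feature_incompat bits introduced with ext4
EXT4_INCOMPAT = {0x0040: "extents", 0x0080: "64bit", 0x0200: "flex_bg"}
# s_feature_ro_compat bits introduced with ext4
EXT4_RO_COMPAT = {0x0008: "huge_file", 0x0010: "gdt_csum",
                  0x0020: "dir_nlink", 0x0040: "extra_isize"}
HAS_JOURNAL = 0x0004          # bit in s_feature_compat
NEEDS_RECOVERY = 0x0004       # bit in s_feature_incompat: journal not yet replayed


def inspect_superblock(sb: bytes) -> dict:
    """Classify an ext2/3/4 superblock by its feature flags."""
    if len(sb) < 104:
        raise ValueError("superblock truncated")
    (magic,) = struct.unpack_from("<H", sb, 0x38)
    if magic != EXT_MAGIC:
        raise ValueError("not an ext2/3/4 superblock (magic %#06x)" % magic)
    # compat, incompat and ro_compat are three consecutive little-endian words
    compat, incompat, ro_compat = struct.unpack_from("<III", sb, 0x5C)
    ext4_feats = [n for b, n in EXT4_INCOMPAT.items() if incompat & b]
    ext4_feats += [n for b, n in EXT4_RO_COMPAT.items() if ro_compat & b]
    return {
        "has_journal": bool(compat & HAS_JOURNAL),
        "needs_recovery": bool(incompat & NEEDS_RECOVERY),
        "ext4_features": sorted(ext4_feats),
        "ext3_compatible_layout": not ext4_feats,
    }


def inspect_image(path: str) -> dict:
    """Read the superblock from an image file or unmounted device (opened read-only)."""
    with open(path, "rb") as f:
        f.seek(SUPERBLOCK_OFFSET)
        return inspect_superblock(f.read(1024))


def make_sample(compat: int, incompat: int, ro_compat: int) -> bytes:
    """Constructed sample superblock: only the magic and feature words are set."""
    sb = bytearray(1024)
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
    struct.pack_into("<III", sb, 0x5C, compat, incompat, ro_compat)
    return bytes(sb)


if __name__ == "__main__":
    print(inspect_superblock(make_sample(0x4, 0x2 | 0x40 | 0x200, 0x8)))
```

Run `inspect_image()` against a copy of the volume rather than the original; a non-empty `ext4_features` list means a tool that only understands ext3 block maps will misread the inodes.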


