[Discuss] Disk recovery utilities - dealing with deleted files

Scott Ehrlich srehrlich at gmail.com
Mon Feb 4 13:42:44 EST 2013


On Mon, Feb 4, 2013 at 1:00 PM, Rich Braun <richb at pioneer.ci.net> wrote:
> Scott Ehrlich <srehrlich at gmail.com> suggested:
>> Try FTK Imager Lite.
>> Also look into TSK (The Sleuth Kit) / Autopsy (web frontend for TSK).
>
> Thanks!  I'll try those; the former seems to be a Windows-based tool but the
> TSK looks like it might work.  One issue that I'm running into is that
> virtually none of the obvious tools have been updated to handle ext4.  Just
> now I found a research paper that concisely gives enough detailed info to
> /write/ a recovery tool (but doesn't talk about /existing/ tools):
>
> http://www.dfrws.org/2012/proceedings/DFRWS2012-13.pdf
>
> What I think is happening with extundelete is that it's making assumptions
> about the journal which might have been valid for ext3, but which are totally
> incorrect for the ext4 journal.
>
>> Was this a RAID or a single disk?
>
> It's a 1TB logical volume on a 4TB lvm2 volume group on top of RAID. So I am
> able to sequester it and perform forensics on the unmounted volume.  I
> discovered my mistake after coming home from a Super Bowl party so I know that
> the only thing which happened to it before I took it offline was my rsync cron
> job.
>
> -rich
>
>
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss

Some other leads:

http://www.forensicfocus.com/Forums/viewtopic/t=2803/

http://tech.groups.yahoo.com/group/linux_forensics/message/3648
(note, for bulk extractor, the year is obviously wrong).

As an aside, Linux_Forensics is an excellent list, minus the mess-ups
Yahoo has done to their list server. Also, Simson Garfinkel and
Brian Carrier are two of the foremost experts on digital
forensics you'll find anywhere.

Scott
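As an added illustration of the point raised above about extundelete and ext4 (this is example code written for this thread, not taken from extundelete, TSK or the DFRWS paper), the following Python decodes the fields a recovery tool needs from a raw ext4 inode and shows why a deleted ext4 inode gives a recovery tool nothing to work with on its own: the on-disk extent entries are gone, so the block locations have to come from somewhere else, such as journal copies of the inode block. It assumes the standard ext4 on-disk inode layout (i_dtime at 0x14, i_flags at 0x20, i_block at 0x28 holding an extent header with magic 0xF30A), handles only depth-0 extent trees stored inside the inode, and uses constructed sample inodes rather than data from a real disk.

```python
import struct
from dataclasses import dataclass

EXT4_EXTENTS_FL = 0x80000   # i_flags bit: inode addresses data via an extent tree
EXT4_EXT_MAGIC = 0xF30A     # eh_magic at the start of i_block

@dataclass
class InodeSummary:
    size: int
    dtime: int
    links: int
    uses_extents: bool
    extents: list           # (logical_block, length, physical_start) tuples

def parse_ext4_inode(raw: bytes) -> InodeSummary:
    """Decode recovery-relevant fields from one raw ext4 inode (128 bytes or larger)."""
    if len(raw) < 128:
        raise ValueError("inode record too short")
    size_lo, = struct.unpack_from("<I", raw, 0x04)
    dtime, = struct.unpack_from("<I", raw, 0x14)
    links, = struct.unpack_from("<H", raw, 0x1A)
    flags, = struct.unpack_from("<I", raw, 0x20)
    size_hi, = struct.unpack_from("<I", raw, 0x6C)
    i_block = raw[0x28:0x28 + 60]
    uses_extents = bool(flags & EXT4_EXTENTS_FL)
    extents = []
    if uses_extents:
        magic, entries, _max, depth = struct.unpack_from("<HHHH", i_block, 0)
        if magic != EXT4_EXT_MAGIC:
            raise ValueError("extent header magic mismatch")
        if depth == 0:      # leaf entries live in the inode; deeper trees need index blocks
            for n in range(min(entries, 4)):
                lblk, elen, hi, lo = struct.unpack_from("<IHHI", i_block, 12 + 12 * n)
                extents.append((lblk, elen & 0x7FFF, (hi << 32) | lo))  # bit 15 = uninitialised
    return InodeSummary((size_hi << 32) | size_lo, dtime, links, uses_extents, extents)

def build_inode(size, dtime, links, extents):
    """Constructed sample inode for this demo (not from a real filesystem)."""
    raw = bytearray(128)
    struct.pack_into("<I", raw, 0x04, size & 0xFFFFFFFF)
    struct.pack_into("<I", raw, 0x14, dtime)
    struct.pack_into("<H", raw, 0x1A, links)
    struct.pack_into("<I", raw, 0x20, EXT4_EXTENTS_FL)
    struct.pack_into("<HHHHI", raw, 0x28, EXT4_EXT_MAGIC, len(extents), 4, 0, 0)
    for n, (lblk, elen, pblk) in enumerate(extents):
        struct.pack_into("<IHHI", raw, 0x28 + 12 + 12 * n, lblk, elen, pblk >> 32, pblk & 0xFFFFFFFF)
    return bytes(raw)

def recoverable_from_inode(raw: bytes) -> bool:
    """True only if the inode itself still says where the data blocks are."""
    s = parse_ext4_inode(raw)
    return s.dtime == 0 and s.links > 0 and bool(s.extents)

LIVE = build_inode(8192, 0, 1, [(0, 2, 34000)])          # live file: 2 blocks at block 34000
DELETED = build_inode(0, 1359999999, 0, [])             # unlinked: dtime set, extent entries gone
```

Running `recoverable_from_inode` on the two samples returns True for LIVE and False for DELETED, which is the gap a recovery tool has to bridge with journal data rather than with ext3-era assumptions.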