Scott Ehrlich <srehrlich at gmail.com> suggested:
> Try FTK Imager Lite.
> Also look into TSK (The Sleuth Kit) / Autopsy (web frontend for TSK).

Thanks! I'll try those; the former seems to be a Windows-based tool but the TSK looks like it might work.

One issue that I'm running into is that virtually none of the obvious tools have been updated to handle ext4. Just now I found a research paper that concisely gives enough detailed info to /write/ a recovery tool (but doesn't talk about /existing/ tools):

http://www.dfrws.org/2012/proceedings/DFRWS2012-13.pdf

What I think is happening with extundelete is that it's making assumptions about the journal which might have been valid for ext3, but which are totally incorrect for the ext4 journal.

> Was this a RAID or a single disk?

It's a 1TB logical volume on a 4TB lvm2 volume group on top of RAID. So I am able to sequester it and perform forensics on the unmounted volume. I discovered my mistake after coming home from a Super Bowl party so I know that the only thing which happened to it before I took it offline was my rsync cron job.

-rich
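As an added example (not part of the original post and not code from extundelete or TSK): a read-only check of which ext4-only on-disk features a volume's superblock advertises, useful for judging whether an ext3-era recovery tool can interpret it. The function names are hypothetical; the offsets and flag values are those of the standard ext2/3/4 superblock layout, and the sample superblocks are constructed.

```python
import struct

SUPERBLOCK_OFFSET = 1024   # primary superblock starts 1 KiB into the volume
EXT_MAGIC = 0xEF53         # s_magic, little-endian u16 at offset 0x38

COMPAT_HAS_JOURNAL = 0x0004
INCOMPAT_RECOVER = 0x0004  # journal holds transactions not yet replayed
# Features that ext3-era tools generally do not understand.
INCOMPAT_EXT4 = {0x0040: "extents", 0x0080: "64bit", 0x0200: "flex_bg"}
RO_COMPAT_EXT4 = {0x0008: "huge_file", 0x0010: "gdt_csum", 0x0040: "extra_isize"}


def ext_features(sb: bytes) -> dict:
    """Decode the feature flags of a raw ext2/3/4 superblock."""
    if len(sb) < 0x68:
        raise ValueError("superblock too short")
    (magic,) = struct.unpack_from("<H", sb, 0x38)
    if magic != EXT_MAGIC:
        raise ValueError("not an ext2/3/4 superblock")
    # s_feature_compat, s_feature_incompat, s_feature_ro_compat
    compat, incompat, ro_compat = struct.unpack_from("<III", sb, 0x5C)
    ext4_only = [n for bit, n in INCOMPAT_EXT4.items() if incompat & bit]
    ext4_only += [n for bit, n in RO_COMPAT_EXT4.items() if ro_compat & bit]
    return {
        "has_journal": bool(compat & COMPAT_HAS_JOURNAL),
        "needs_recovery": bool(incompat & INCOMPAT_RECOVER),
        "ext4_features": sorted(ext4_only),
    }


def read_superblock(path: str) -> bytes:
    """Read the primary superblock from an image file or unmounted device."""
    with open(path, "rb") as f:   # opened read-only; nothing is written
        f.seek(SUPERBLOCK_OFFSET)
        return f.read(1024)


def constructed_superblock(compat: int, incompat: int, ro_compat: int) -> bytes:
    """Build a minimal sample superblock (constructed test data)."""
    sb = bytearray(1024)
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)
    struct.pack_into("<III", sb, 0x5C, compat, incompat, ro_compat)
    return bytes(sb)


if __name__ == "__main__":
    # Constructed samples: an ext3-style and an ext4-style flag set.
    print("ext3-like:", ext_features(constructed_superblock(0x04, 0x02, 0x01)))
    print("ext4-like:", ext_features(constructed_superblock(0x04, 0x242, 0x59)))
```

On a real volume, pass the path of a copy of the logical volume (or the unmounted device itself) to `read_superblock` and feed the result to `ext_features`.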
BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.