Re: [PLUG] Recovery 2.5GB of deleted files
John Fiore wrote:
> You might want to check out sleuthkit and autopsy
> (http://www.sleuthkit.org/). They work for most major
> filesystems, but I'm not sure how RAID thrown into the
> mix will affect things.
So far I've been pointed to:
- The Coroner's Toolkit (TCT), I have much respect for Wietse
http://www.porcupine.org/forensics/tct.html
http://www.cert.org/security-improvement/implementations/i046.03.html
* .deb package
- Sleuthkit and Autopsy
http://www.sleuthkit.org/sleuthkit/
http://www.sleuthkit.org/autopsy/
* .deb package
- Foremost, by United States Air Force Office of Special
Investigations (shiver, however man foremost reports, "Because
Foremost could be used to obtain evidence for criminal prosecutions,
we take all bug reports very seriously.")
http://foremost.sourceforge.net/
* .deb package
- SMART for Linux, which is $2000 for non-law enforcement, but AS A
LAST RESORT, I might ask the off-list recommender for help. ;)
http://www.asrdata.com/SMART/
> As others have mentioned, the ideal situation would be
> if you could image the drive with dd, and then perform
> a recovery on the image, but 400 Gigs is a big drive
> and it isn't cheap. I would think that the tools
> would work just fine on the drive itself, rather than
> a drive image, but you'd increase your chances of a
> successful recovery if you can at the very least run
> the OS from a different disk, so that you minimize any
> changes to the disk you're trying to recover.
1) I've thought about this. The data originally came OFF a 200 gig
drive that was maybe 75% full of which the missing files are only
2.5GB. This brings the non-empty-data to about 150GB of 400GB(lots of
music and some movies...)
2) The RAID is no more than a couple months old and therefore much of
it is probably still zeroed from its initialization.
3) The partition in question is NOT '/', it's '/home/'. That works to
my advantage as well.
> I'm no expert on data recovery, but the more I think
> of it, the more optimistic I am that if you must do it
> this way, you should be ok working from the original
> drive (again, making sure that you're not actually
> mounting the thing and running the OS from it). Aside
> from the obvious fact that working from an image is
> preferable to working from the original in case
> something goes wrong, I believe one of the major
> reasons the forensics people prefer to work from an
> image, even when working read-only, is that they don't
> want to modify file access times, which are important
> when trying to piece together what might have happened
> after an attack, which isn't your concern. Maybe
> others on the list could shed more light on this. I'm
> not an expert.
And hence my delay in tackling this myself. I'd have been in over my
head and knee-deep^H^H^H^H^H^H^H^H^neck-deep in "OMG...OMG...OMG..."
had I started this last night when it happened. As they used to say
in the GOOD-OLD-DAYS (TM), "Patience is a virtue." [1]
> (On the other hand, none of us would know or think any
> less of you if you should happen to go to Best Buy or
> Staples, buy a large disk, and then return it in a few
> days.)
Come on. Who DOESN'T need more disk space? lol
[1] I'm not usually virtuous in the area of patience.
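The image-then-verify step discussed in the thread above, as an added shell example that is not part of the original posts: it assumes GNU coreutils (dd, sha256sum) and uses a constructed 1 MiB file in place of the real device, so it runs without a spare disk.

```shell
#!/bin/sh
# Added example (not from the thread): image a disk with dd, then prove the
# image matches the source by hash before any recovery tool touches it.
# Assumes GNU coreutils (dd, sha256sum). SRC and IMG are caller-supplied.

hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_disk SRC IMG
# conv=noerror,sync keeps reading past bad sectors and zero-fills them so
# offsets in the image still match the source. bs must divide the source
# size exactly (512 fits any sector-aligned device); otherwise the sync
# padding makes the image longer than the source and the hashes differ.
# Writes IMG.sha256 beside the image, prints the hash, returns 1 on mismatch.
image_disk() {
    src=$1
    img=$2
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    printf '%s  %s\n' "$img_hash" "$img" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ] || return 1
    echo "$img_hash"
}

# verify_image IMG: re-check the stored hash before each analysis session,
# so a modified or truncated image is noticed rather than analysed.
verify_image() {
    sha256sum -c "$1.sha256" >/dev/null 2>&1
}

# Demonstration on a constructed 1 MiB "disk" instead of a real device:
# returns 0 when the fresh image verifies and a tampered copy does not.
demo() {
    tmp=$(mktemp -d) || return 1
    head -c 1048576 /dev/urandom > "$tmp/src.bin"
    image_disk "$tmp/src.bin" "$tmp/src.img" >/dev/null || { rm -rf "$tmp"; return 1; }
    verify_image "$tmp/src.img" || { rm -rf "$tmp"; return 1; }
    printf 'x' >> "$tmp/src.img"          # simulate an accidental write
    if verify_image "$tmp/src.img"; then rm -rf "$tmp"; return 1; fi
    rm -rf "$tmp"
    return 0
}
```

On a real device, run image_disk against the block device node itself (never a mounted filesystem) and keep the .sha256 file with the image so every later session can be re-verified.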
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug