Message-ID: <Pine.LNX.4.50.0509122033300.26701-100000@kegger.national-security.net>
Date: Tue Sep 13 05:05:28 2005
From: fd at ew.nsci.us (fd@...nsci.us)
Subject: Forensic help?
We generally categorize files with something like
find /mnt/repair | while IFS= read -r f; do
    # file(1) prints "name: description"; keep the description as the directory name
    F=`file "$f" | cut -f2- -d:`
    # -p so an existing type directory is not an error on every second file
    mkdir -p "/tmp/r/$F"
    ln -sv "$f" "/tmp/r/$F"
done
It will nicely sort your files into directories by file-type (ignore
errors). It's not the best, but certainly a good start. Also note that if
somewhere in /mnt/repair two files with the same type have the same name,
you will have a name collision. Hopefully your preliminary restore
software gave unique names to the files.
Without additional knowledge of /what/ you are looking for, I'm not sure
what to suggest. If the dentry system is indeed completely(!?) gone, then
I would give up on finding names and start looking for content. If it's
really important, the name can be changed ;)
-Eric
==
Eric Wheeler
Vice President
National Security Concepts, Inc.
PO Box 3567
Tualatin, OR 97062
http://www.nsci.us/
Voice: (503) 293-7656
Fax: (503) 885-0770
At least then you end up with directories like
On Mon, 12 Sep 2005, Ragone_Andrew wrote:
> >
> > I recently destroyed my file structure due to mistakenly writing a
> > partition table to the wrong hard disk drive on my machine while
> > installing an experimental version of OS X. The saving factor is that
> > the partition that may have formatted was only 20GB out of 200GB and
> > the rest was unallocated free space. I have installed a temporary
> > instance of WinXP to use data recovery software and recover the
> > majority of files from the drive (it is installed on the non-corrupted
> > drive). I ran a scan with R-Studio's awesome NTFS recovery tool and can
> > only find some of my recognized files here and there with system files
> > in between. The folders are present as something such as
> > $$$Folder1546$$ but there is absolutely no file system structure
> > present. (some is on different "found" under different cluster settings,
> > etc. using the IntelligiScan). Is there a way to reconstruct the file system
> > with another utility using a data forensics linux livecd or other utility? I REALLY
> > need to get this data recovered and would like to learn how on my own
> > as first resort.
> > I have used iRecover which reconstructed the file system almost perfectly
> > but it freezes during the recover (or seems to hang). Are there any other
> > choices out there? It seems none of the data was truly formatted ...
> > -Andrew
> >
> >
> > On 9/12/05, Red Leg <redleg18@...il.com> wrote:
> > >
> > > On 9/11/05 8:21 PM, "Paul Schmehl" <pauls@...allas.edu > wrote:
> > >
> > >
> > > > Download the knoppix std distro and burn it to a cd. Use dcfldd for
> > > > drive imaging and the forensics tools for recovery of erased files and
> > > > the like.
> > > >
> > >
> > > Paul.
> > >
> > > Does dcfldd allow me to mirror the disk in such a manner as to include
> > > deleted files? I can not swap drives. I need to obtain an image with
> > > which I can "undelete" files that were conventionally erased.
> > >
> > > Will dcfldd provide such an image?
> > >
> > >
> > > Thanks!
> > >
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> > >
> >
> >
> >
> > --
> > ___________________
> > -Andrew Ragone
> > BCA ATCS 2006
> > [ Project Moonwell ]
> > Kc2LTO
> > http://kc2lto.com
> >
>
>
>
>
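The sort-by-file(1)-type loop from Eric's reply, rewritten as an added example (not code from the post): it tolerates spaces in recovered file names, creates each type directory once, and resolves the same-name collision the post warns about by appending a counter instead of letting "ln" fail. Paths such as /mnt/repair and /tmp/r are placeholders.

```shell
# Added example, not from the original thread. Run as:
#   sort_by_type /mnt/repair /tmp/r      (both paths are placeholders)

# Turn file(1)'s description into a directory-safe name, e.g.
# "ASCII text" -> "ASCII_text". Without file(1) everything lands in "unknown".
type_dir() {
    command -v file >/dev/null 2>&1 || { printf 'unknown\n'; return; }
    # -b drops the "name:" prefix; keep [alnum]._ and squeeze everything else to "_"
    file -b -- "$1" | tr -cs '[:alnum:]._\n' '_' | cut -c1-64
}

# Symlink file $1 into directory $2; on a basename collision append .1, .2, ...
# Prints the link path actually used.
link_unique() {
    name=${1##*/}
    target="$2/$name"
    n=0
    while [ -e "$target" ] || [ -L "$target" ]; do
        n=$((n + 1))
        target="$2/$name.$n"
    done
    ln -s "$1" "$target" && printf '%s\n' "$target"
}

# Walk $1 and link every regular file under $2/<type>/; prints one link per line.
# The source path is made absolute so the links stay valid wherever $2 lives.
# (A file name containing a newline would still confuse the read loop.)
sort_by_type() {
    src=$(cd "$1" && pwd) || return 1
    dest=$2
    find "$src" -type f | while IFS= read -r f; do
        d="$dest/$(type_dir "$f")"
        mkdir -p "$d"
        link_unique "$f" "$d"
    done
}
```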