
BLU Discuss list archive



[Discuss] Disk recovery utilities - dealing with deleted files



Scott Ehrlich <srehrlich at gmail.com> suggested:
> Try FTK Imager Lite.
> Also look into TSK (The Sleuth Kit) / Autopsy (web frontend for TSK).

Thanks!  I'll try those; the former seems to be a Windows-based tool but the
TSK looks like it might work.  One issue that I'm running into is that
virtually none of the obvious tools have been updated to handle ext4.  Just
now I found a research paper that concisely gives enough detailed info to
/write/ a recovery tool (but doesn't talk about /existing/ tools):

http://www.dfrws.org/2012/proceedings/DFRWS2012-13.pdf

What I think is happening with extundelete is that it's making assumptions
about the journal which might have been valid for ext3, but which are totally
incorrect for the ext4 journal.

> Was this a RAID or a single disk?

It's a 1TB logical volume on a 4TB lvm2 volume group on top of RAID. So I am
able to sequester it and perform forensics on the unmounted volume.  I
discovered my mistake after coming home from a Super Bowl party so I know that
the only thing which happened to it before I took it offline was my rsync cron
job.

-rich





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org