 |
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
|
Home
| Calendar
| Mail Lists
| List Archives
| Desktop SIG
| Hardware Hacking SIG
Wiki | Flickr | PicasaWeb | Video | Maps & Directions | Installfests | Keysignings Linux Cafe | Meeting Notes | Blog | Linux Links | Bling | About BLU |
On Mon, Feb 4, 2013 at 1:00 PM, Rich Braun <richb at pioneer.ci.net> wrote: > Scott Ehrlich <srehrlich at gmail.com> suggested: >> Try FTK Imager Lite. >> Also look into TSK (The Sleuth Kit) / Autopsy (web frontend for TSK). > > Thanks! I'll try those; the former seems to be a Windows-based tool but the > TSK looks like it might work. One issue that I'm running into is that > virtually none of the obvious tools have been updated to handle ext4. Just > now I found a research paper that concisely gives enough detailed info to > /write/ a recovery tool (but doesn't talk about /existing/ tools): > > http://www.dfrws.org/2012/proceedings/DFRWS2012-13.pdf > > What I think is happening with extundelete is that it's making assumptions > about the journal which might have been valid for ext3, but which are totally > incorrect for the ext4 journal. > >> Was this a RAID or a single disk? > > It's a 1TB logical volume on a 4TB lvm2 volume group on top of RAID. So I am > able to sequester it and perform forensics on the unmounted volume. I > discovered my mistake after coming home from a Super Bowl party so I know that > the only thing which happened to it before I took it offline was my rsync cron > job. > > -rich > > > _______________________________________________ > Discuss mailing list > Discuss at blu.org > http://lists.blu.org/mailman/listinfo/discuss Also check out http://www.forensicswiki.org/wiki/Linux Scott
 |
|
| BLU is a member of BostonUserGroups | |
| We also thank MIT for the use of their facilities. | |
