# grep -a -B10 -A100 -i fibonacci /dev/hda2 > fibonacci.out
note:
a. searches for the string "fibonacci" in the raw partition /dev/hda2; the string lived in a file that had been deleted, so its blocks are still on disk but are no longer reachable through the file system.
b. the output can run to several MB, so make sure there is room for it, and write it to a different file system than the one being searched: any write to the searched partition can reuse unallocated blocks and overwrite the very data you are trying to recover.
-a treat the binary device as text instead of just reporting "Binary file matches"
-B N print N lines of leading context before each match
-A N print N lines of trailing context after each match
-i case-insensitive match
Sunday, December 7, 2008
use The Sleuth Kit (TSK) to recover deleted files
1. install The Sleuth Kit; a plain make (after configure) will do
2. make sure /usr/local/sleuthkit/bin is in your PATH before running the following commands
3. image the disk or partition first and work on the copy, never on the live device:
dd if=/dev/disk-or-partition bs=1024 of=nameofimagefile conv=noerror,sync
(noerror keeps dd going past read errors; sync pads the unreadable block with zeros so the block offsets in the image still line up with the original.)
TSK is great for recovering text files, because their contents can be found with strings and grep even after the inode is gone.
a. use TSK's dls command (named blkls in TSK 3 and later; likewise dcalc became blkcalc and dcat became blkcat) to extract all of the unallocated space from the disk image into a single file, which speeds up the search for the file you have deleted.
# dls hd5_image_etc_files_deleted.img > dls_output.dls
b. use the standard strings command to list all text strings in the output file; -t d prints each string's decimal byte offset in front of it
# strings -t d dls_output.dls > dls_output.dls.str
c. use grep to search for a string that identifies the file you are looking for; the first column is the byte offset into dls_output.dls
grep ":0:0" dls_output.dls.str
131698688 root:x:0:0
.....
d. divide that byte offset by the file system block size to get the block address within the unallocated-space dump (4096 here; check the real value with fsstat on the image, since ext2/ext3 also use 1024- and 2048-byte blocks)
echo "131698688/4096" | bc
32153
e. dcalc -u 32153 hd5_image_etc_files_deleted.img
(translates block 32153 of the unallocated-space dump back into the block address in the original image; dcalc prints that address)
f. dcat hd5_image_etc_files_deleted.img block-address-from-dcalc [> filename]
root:x:0:0...
bin:x:1:1
.....
....
g. another tool is Foremost (http://foremost.sf.net), which carves files by header and footer signatures rather than by string search
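The steps a to f above, scripted end to end. This is an added example and not part of the original post: it uses the current TSK command names (blkls, blkcalc, blkcat, fsstat), reads the block size from fsstat instead of assuming 4096, and assumes TSK is installed and that the caller supplies the image path, the search pattern and an output directory (all three are placeholders for whatever you are working with).

```shell
#!/bin/sh
# Added example (not from the original post): automates the
# dls/strings/grep/dcalc/dcat recovery procedure with current TSK names.
# Assumes The Sleuth Kit is installed; image path and pattern come from the caller.

# Convert a byte offset reported by `strings -t d` into a block address
# within the unallocated-space dump. Pure arithmetic, so it works without TSK.
offset_to_block() {
    offset=$1
    block_size=$2
    echo $((offset / block_size))
}

# Read the file-system block size from fsstat rather than assuming 4096;
# small ext2/ext3 partitions are often formatted with 1024- or 2048-byte blocks.
fs_block_size() {
    fsstat "$1" | awk -F': *' '/^Block Size/ {print $2; exit}'
}

# Search the unallocated space of IMAGE for PATTERN and carve every block that
# holds a hit into OUTDIR, one file per original image block address.
# Usage: recover_blocks image.dd ':0:0' recovered/
recover_blocks() {
    image=$1
    pattern=$2
    outdir=${3:-recovered}
    mkdir -p "$outdir"

    bs=$(fs_block_size "$image")
    [ -n "$bs" ] || { echo "fsstat: cannot determine block size of $image" >&2; return 1; }

    # Steps a and b: dump unallocated blocks, then list strings with decimal offsets.
    blkls "$image" > "$outdir/unalloc.dls"
    strings -t d "$outdir/unalloc.dls" > "$outdir/unalloc.str"

    # Steps c and d: byte offset of each hit -> block address in the dump,
    # deduplicated so a block with several hits is carved once.
    grep "$pattern" "$outdir/unalloc.str" | awk '{print $1}' |
    while read -r off; do
        offset_to_block "$off" "$bs"
    done | sort -un |
    # Steps e and f: dump block -> original image block -> carve it out.
    while read -r dls_blk; do
        orig_blk=$(blkcalc -u "$dls_blk" "$image")
        blkcat "$image" "$orig_blk" > "$outdir/block_${orig_blk}.bin"
        echo "dls block $dls_blk -> image block $orig_blk -> $outdir/block_${orig_blk}.bin"
    done
}

# Only run the pipeline when invoked with arguments, so the file can also be
# sourced for its functions.
if [ $# -ge 2 ]; then
    recover_blocks "$@"
fi
```

Each carved file is exactly one block, which is enough for something the size of /etc/passwd; a larger file that spans several blocks needs `blkcat image block-address count` (ext tries to allocate contiguously, but check the tail of the carved data before trusting the count). Keep the image and the output directory on a file system other than the one being recovered, for the same reason given in the grep notes above.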