Sunday, December 7, 2008

looking for missing data in a partition

# grep -a -B10 -A100 -i fibonacci /dev/hda2 > fibonacci.out
note:
a. this searches the raw partition /dev/hda2 for the string fibonacci, which was in a file that had been deleted.
b. you need a few Mbytes free for the output file while this command runs

-a treat the device as text (search the binary data as if it were ASCII)
-B N print N lines of context before each match
-A N print N lines of context after each match
-i case-insensitive match

use The Sleuth Kit (TSK) to recover deleted files

1. install The Sleuth Kit; a plain make will do
2. make sure /usr/local/sleuthkit/bin is in your PATH before running the commands below
3. image the disk or partition: dd if=/dev/disk-or-partition bs=1024 of=nameofimagefile conv=noerror

Sleuth Kit is great for recovering text files

a. use TSK's dls command to extract all of the unallocated space from the disk image into a single file, which speeds up the search for the file you deleted.

# dls hd5_image_etc_files_deleted.img > dls_output.dls

b. use the standard strings command to list every text string in the output file; -t d prefixes each string with its decimal byte offset
# strings -t d dls_output.dls > dls_output.dls.str

c. use grep to search for a string that identifies the file you're looking for (here the root entry of /etc/passwd)
grep ":0:0" dls_output.dls.str
131698688 root:x:0:0
.....

d. divide the offset above by the file system block size (4096 for ext2/ext3) to get the block number within the dls output
echo "131698688/4096" | bc
32153

e. dcalc -u 32153 hd5_image_etc_files_deleted.img (maps that unallocated block number to the block address in the original image)

f. dcat hd5_image_etc_files_deleted.img <block-address-from-dcalc> [> filename]
root:x:0:0...
bin:x:1:1
.....
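Steps a to f as an added Python example (not code from the original post): it parses `strings -t d` output, turns an offset into the dls block number and in-block offset the way step d does with bc, reads that block straight out of the unallocated-space dump, and builds the TSK commands for steps e and f using the current tool names (dls, dcalc and dcat are now blkls, blkcalc and blkcat). The dump contents and the strings output are constructed inline.

```python
import os
import re
import tempfile

BLOCK_SIZE = 4096  # ext2/ext3 block size used in the post

def parse_strings_output(lines):
    """Parse `strings -t d` output lines of the form '<decimal offset> <text>'."""
    parsed = []
    for line in lines:
        m = re.match(r"^\s*(\d+)\s(.*)$", line)
        if m:
            parsed.append((int(m.group(1)), m.group(2)))
    return parsed

def locate(lines, pattern, block_size=BLOCK_SIZE):
    """Steps c+d: (offset, dls block, offset in block, text) for each match."""
    return [(off, off // block_size, off % block_size, text)
            for off, text in parse_strings_output(lines)
            if re.search(pattern, text)]

def read_block(dump_path, block, block_size=BLOCK_SIZE):
    """Pull the block straight out of the dls dump; no TSK needed for a look."""
    with open(dump_path, "rb") as f:
        f.seek(block * block_size)
        return f.read(block_size)

def tsk_commands(image, block):
    """Steps e+f with current TSK names: map dls block to image block, dump it."""
    return [f"blkcalc -u {block} {image}",
            f"blkcat {image} <block-address-printed-by-blkcalc>"]

def demo():
    """Run against a constructed dump: passwd text placed 100 bytes into block 3."""
    passwd = b"root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\n"
    start = 3 * BLOCK_SIZE + 100
    dump = bytearray(6 * BLOCK_SIZE)
    dump[start:start + len(passwd)] = passwd
    fd, path = tempfile.mkstemp(suffix=".dls")
    with os.fdopen(fd, "wb") as f:
        f.write(dump)
    # constructed equivalent of the `strings -t d dump.dls` lines for that block
    strings_out = [f"{start} root:x:0:0:root:/root:/bin/bash",
                   f"{start + 32} bin:x:1:1:bin:/bin:/sbin/nologin"]
    _, block, in_block, _ = locate(strings_out, r":0:0")[0]
    data = read_block(path, block)
    os.unlink(path)
    return block, in_block, data
```

On the post's own number, `locate(["131698688 root:x:0:0"], r":0:0")` gives block 32153 at in-block offset 0, matching the bc result.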

g. another tool is Foremost (http://foremost.sf.net)