1. install the Sleuth Kit (TSK); a plain make will do
2. make sure /usr/local/sleuthkit/bin is in your path before running the following commands
3. dd if=/dev/disk-or-partition bs=1024 of=nameofimagefile conv=noerror
The Sleuth Kit is great for recovering deleted text files
a. use TSK's dls command to extract all of the unallocated space from the disk image into a single file, which speeds up the search for the file you've deleted.
# dls hd5_image_etc_files_deleted.img > dls_output.dls
b. use the standard strings command to list all text strings in the output file, with -t d so each string is prefixed by its decimal byte offset
# strings -t d dls_output.dls > dls_output.dls.str
c. use grep to search for a string that identifies the file you're looking for
grep ":0:0" dls_output.dls.str
131698688 root:x:0:0
.....
d. divide the offset printed above by the block size of the file system (4096 for ext2/ext3) to get the block number within the dls output
echo "131698688/4096" | bc
32153
e. dcalc -u 32153 hd5_image_etc_files_deleted.img (maps the dls block number back to the block address in the original image)
f. dcat hd5_image_etc_files_deleted.img <block-address-from-step-e> [> filename]
root:x:0.0...
bin:x:1:1
.....
....
g. another tool is Foremost (http://foremost.sf.net)
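The following script is an added example, not part of the original post, that strings steps a to f together so they can be repeated for every block that contains the search string. It assumes The Sleuth Kit is installed and on PATH; TSK 3.x renamed the tools the post uses (dls became blkls, dcalc became blkcalc, dcat became blkcat), so the script tries both spellings. The image name, search pattern, block size and number of blocks to dump are command-line arguments (image.img and ':0:0' below are placeholders). It goes slightly beyond the post: it handles several hits, lets you dump more than one block for files longer than a block, and checks that each dumped block really contains the search string.

```shell
#!/bin/sh
# Added example (not from the original post): automate steps a-f above.
# Assumes The Sleuth Kit is installed; both the old (dls/dcalc/dcat) and
# current (blkls/blkcalc/blkcat) tool names are accepted.
set -eu

# Print the first available name among the given TSK tools, e.g. tsk_tool blkls dls.
tsk_tool() {
    for name in "$@"; do
        if command -v "$name" >/dev/null 2>&1; then
            echo "$name"
            return 0
        fi
    done
    echo "none of: $* (is The Sleuth Kit installed and in PATH?)" >&2
    return 1
}

# Step d: byte offset inside the unallocated-space file -> unit (block) number.
# Integer division is intended: the string sits somewhere inside that block.
offset_to_block() {
    echo $(( $1 / $2 ))
}

# Steps c+d: read `strings -t d` output on stdin, keep lines matching PATTERN
# (a grep regex) and print each distinct unit number that holds a hit, sorted.
# Several strings from the same block collapse to one line.
hits_to_blocks() {
    pattern=$1
    blocksize=$2
    # `strings -t d` prints "<decimal offset> <text>"; field 1 is the offset.
    grep -- "$pattern" | awk '{print $1}' | while read -r offset; do
        offset_to_block "$offset" "$blocksize"
    done | sort -n | uniq
}

# Steps e+f: map one unit of the unallocated-space file back to its address in
# the original image, then dump NUM_UNITS consecutive blocks from there to OUT.
recover_block() {
    image=$1; unalloc_unit=$2; num_units=$3; out=$4
    calc=$(tsk_tool blkcalc dcalc)
    cat_=$(tsk_tool blkcat dcat)
    # -u: the given address comes from a dls/blkls image; the tool prints the disk address.
    disk_unit=$("$calc" -u "$unalloc_unit" "$image" | awk '{print $NF}')
    "$cat_" "$image" "$disk_unit" "$num_units" > "$out"
    echo "unalloc unit $unalloc_unit -> disk unit $disk_unit -> $out"
}

# Whole procedure: recover_file IMAGE PATTERN [BLOCKSIZE] [NUM_UNITS]
recover_file() {
    image=$1; pattern=$2; blocksize=${3:-4096}; num_units=${4:-1}
    ls_=$(tsk_tool blkls dls)
    # Step a: unallocated space only, much smaller than the whole image.
    "$ls_" "$image" > "$image.unalloc"
    # Step b: every printable string with its decimal byte offset.
    strings -t d "$image.unalloc" > "$image.unalloc.str"
    # Steps c-f for every block that contains the search string.
    hits_to_blocks "$pattern" "$blocksize" < "$image.unalloc.str" | while read -r unit; do
        out="recovered_unit_$unit.bin"
        recover_block "$image" "$unit" "$num_units" "$out"
        # Sanity check: the dumped block should itself contain the search string;
        # if not, the block size or the dls/image pairing is probably wrong.
        grep -q -- "$pattern" "$out" || echo "warning: $out does not contain '$pattern'" >&2
    done
}

# Usage (placeholders): ./recover.sh image.img ':0:0' 4096 2
if [ "$#" -ge 2 ]; then
    recover_file "$@"
fi
```

With the post's own numbers, offset 131698688 and a 4096-byte block size give unit 32153, exactly as in step d; the dumped file then starts at the block returned by dcalc/blkcalc, and a second argument to dcat/blkcat pulls the following blocks when /etc/passwd-sized files spill past one block.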