[Discuss] Disk recovery utilities - dealing with deleted files

Rich Braun richb at pioneer.ci.net
Mon Feb 4 13:00:15 EST 2013


Scott Ehrlich <srehrlich at gmail.com> suggested:
> Try FTK Imager Lite.
> Also look into TSK (The Sleuth Kit) / Autopsy (web frontend for TSK).

Thanks!  I'll try those; the former seems to be a Windows-based tool but the
TSK looks like it might work.  One issue that I'm running into is that
virtually none of the obvious tools have been updated to handle ext4.  Just
now I found a research paper that concisely gives enough detailed info to
/write/ a recovery tool (but doesn't talk about /existing/ tools):

http://www.dfrws.org/2012/proceedings/DFRWS2012-13.pdf

What I think is happening with extundelete is that it's making assumptions
about the journal which might have been valid for ext3, but which are totally
incorrect for the ext4 journal.

> Was this a RAID or a single disk?

It's a 1TB logical volume on a 4TB lvm2 volume group on top of RAID. So I am
able to sequester it and perform forensics on the unmounted volume.  I
discovered my mistake after coming home from a Super Bowl party so I know that
the only thing which happened to it before I took it offline was my rsync cron
job.

-rich




