Hi, just wondering if there is a way to recover the deleted files & folders on the ext3 filesystem which has Linux Redhat (OS). Accidentally I deleted a...
1613
Jeff Bryner
jbryner1
Jul 11, 2005 9:47 pm
If you know the inodes, you can use icat from the sleuthkit: icat -f linux-ext3 /dev/hdaX yourinodehere > file where X is your partition number... If you...
1614
manjukingdom
Jul 12, 2005 12:38 am
Hi Jeff, I tried to get the inodes using the debugfs, but this just works for ext2 not ext3. Is there a way I can get the inodes?? Waiting to hear from you. ...
1615
Brian Carrier
bdcarrier
Jul 13, 2005 4:37 am
You may be able to recover the files using the Ext3 journal (if you can find an older copy of the inode). Debugfs lets you search for them. Otherwise you will...
1616
manjukingdom
Jul 13, 2005 3:59 pm
Hi Brian, how to look for an older copy of the inode??? Can you send me the syntax... Thanks for your response. ... using the...
1617
Gary Funck
garyfunck
Jul 14, 2005 1:29 am
Since ext2 is simply ext3 with a journal, would things work better if you reverted the file system to ext2? ...
1618
Gary Funck
garyfunck
Jul 14, 2005 1:40 am
I'm trying to recover data from a failing laptop drive. I've run badblocks on it, and looked at its SMART data and it seems to have a bunch of unrecoverable...
1619
Jesse Kornblum
jessekornblum
Jul 14, 2005 1:42 am
... Yes. -- Jesse...
1620
digital.ware@...
paranoid2pen...
Jul 14, 2005 1:43 am
So this is a transfer of data from one drive to another? Tom ... From: Gary Funck To: Linux_Forensics@Yahoogroups. Com Sent: Wednesday, July 13, 2005 6:38 PM ...
1621
Gary Funck
garyfunck
Jul 14, 2005 2:29 am
... Yes. In my example, I used partitions. But in fact I'm copying from an old error prone drive to a new drive of same make/model. My hope is to run chkdisk...
1622
digital.ware@...
paranoid2pen...
Jul 14, 2005 3:36 am
Have you looked at these products: http://www.paraben-forensics.com/ by Paraben? Tom ... From: digital.ware@... To: linux_forensics@yahoogroups.com ...
1623
Brian Carrier
bdcarrier
Jul 14, 2005 4:42 am
... You need to know the inode and you can use debugfs. For example, if the inode were 415,926 then you could use: debugfs: logdump -i <415926> This won't...
1624
Thomas Müting
onetom4u
Jul 14, 2005 6:12 am
Did you try ddrescue? The benefit is to be able to increase the read trials on error and to define a fallback blocksize. On a read error the program will retry...
1625
Gary Funck
garyfunck
Jul 14, 2005 6:36 am
... Tom, thanks. I'd forgotten about ddrescue. You're right - it would be a better tool than regular 'dd'....
1626
Atila Romero
atilaromero
Jul 14, 2005 1:57 pm
conv=noerror: the output block is filled with the bytes read before the error + zeros from the error position until the end of the block. conv=noerror,sync: the...
1627
Steve Fowler
sfowler@...
Jul 14, 2005 5:37 pm
It's not uncommon that one too many read-retries of bad blocks can increase the number of bad blocks in that physical area of the drive media. What then is the...
1628
Stevens R. Miller
bobhey2000
Jul 14, 2005 5:49 pm
That's a problem for the lawyers, but I would try to educate them as to what a "block" was, and see if they can be comfortable authenticating individual...
1629
Dave Dittrich
dadittrich
Jul 14, 2005 5:54 pm
... You just have to be flexible in how you use integrity checking. Rather than use a hash of the complete partition (which will rarely be the same if one or...
1630
Joe Corrigan
WestsideCleve
Jul 14, 2005 6:03 pm
got a question. I've got two images of one disk one taken in reverse and one taken normally. what is the easiest way to cut together the two image files to...
1631
Joe Corrigan
WestsideCleve
Jul 14, 2005 6:18 pm
Of course five min after I hit send, I figure out the answer to my own question... d'oh! ... From: Joe Corrigan [mailto:joec@...] Sent: Thursday, July 14,...
1632
Luis Salazar
Luis.Salazar@...
Jul 14, 2005 6:23 pm
I believe the command you're looking for is the following: cat (filename)(AAAAA) (filename)(000000BBBBB) > (newfilename)(AAAAABBBBB) This will effectively merge...
1633
Barry J. Grundy
grundy_b
Jul 14, 2005 6:25 pm
... C'mon Joe...share what you did. -- /*************************************** Special Agent Barry J. Grundy NASA Office of Inspector General Computer Crimes...
1634
Dave Dittrich
dadittrich
Jul 14, 2005 6:27 pm
Hint: skip= bs= count= (btw, cat won't work to overlay files, only conCATenate them. ;) ... -- Dave Dittrich Information Assurance...
1635
Barry J. Grundy
grundy_b
Jul 14, 2005 6:31 pm
... I would have done: dd if=image_b bs=512 skip=XXX | cat Image_A - >> New_Image I just wanted to see what Joe did as well...No need for a count if all the...
1636
Joe Corrigan
WestsideCleve
Jul 14, 2005 6:32 pm
I used dd to get the tail off of image b (the 000000BBBBBB file) like so: dd if=imageb of=image_tail bs=512 skip=<# of sectors imageA caught> cat image_tail >>...
1637
Barry J. Grundy
grundy_b
Jul 14, 2005 6:42 pm
... dd the end of the second image such that it contains the data you want appended to the first image, then cat them together. This might be fun to try: dd...
1638
Gary Funck
garyfunck
Jul 14, 2005 7:53 pm
... Since A comes first, that likely needs to read: dd if=image_B bs=512 skip=XXX | cat image_A - > image_A_B...
1639
ASR Data
asrdata
Jul 15, 2005 11:39 pm
When I have encountered these types of issues, I characterize my image as "a true and accurate copy of the data that could be reliably read from the original"....
1640
ASR Data
asrdata
Jul 15, 2005 11:46 pm
you can use a variety of methods, including dd with skip and seek and cat the segments back together. [Disclaimer: I have a vested interest in SMART] SMART...
1641
IanC
devorg
Jul 16, 2005 1:08 am
Within EnCase there is a report script that can extract user details on an XP system. I think it's the version 2 initialize case script. This shows the user names...