http://www.sleuthkit.org/ Sluethkit… is a collection of tools for forensic analysis of a system. Usually it’s something that would be done when you’ve had a suspected rootkit on the system and you boot to another operating system with sluethkit installed (maybe livecd/etc.) and want to try to analyze and hunt for traces of the rootkit. However you do have some similar procedures for forensic analysis that you would for the “I accidentally deleted a file” syndrome… For both situations you DON’T want to be running the live filesystem that’s affected.
This article…. http://www.ituprising.com/malawi/blog/jon/recovering_deleted_files_with_linux_and_sleuthkit describes using linux and sluethkit to recovered deleted files on windows or linux filesystems. First you should understand at a basic level how “deleting” a file works. If you think of the hard drive as a filing cabinet and each file is a “folder” with it’s label…. erasing a file through windows (putting it in the recycle bin) is the same as scribbling over the name of your manila folder with a note that says “you can throw this out”. It doesn’t actually delete the contents until you need the space for something else. It just sets aside the space as “no longer reserved”.
So, if you act quickly (power down the system and quit using it as soon as you realize you’ve deleted the file), you have a chance of recovering lost data files. (Truth be told, sometimes you can recover files deleted weeks in the past, it depends on how much “churn” there is on the disk. Your odds definitely decrease with time and usage of the system.)
Essentially the way this works to recover lost files is as follows…. take you’re disk that you accidentally lost data on, unplug from your system (power down first please.) Then, boot up another system with linux (either as a livecd/standalone operating system.) Then, image the hard drive with the “lost” data to a file on the other system. Once this is done power down and disconnect the original disk (with “lost” data.) (Don’t power it back up yet.) install sleuthkit and autopsy when you power up your linux system.
Then (as root) run autopsy and connect to it’s page with your web browser (http://localhost:9999/autopsy) start a new case and browse to the image file for the disk image… then choose the partition where your data should be. Next go to analyze -> file analysis…. you ought to be able to search and enter the filename, then follow through to “download” or save the file to disk (and by all means test that you can open.)
According to the tutorial they were able to recover a whole folder of files from a disk that “had been formatted and reinstalled with a new version of Windows XP.” Sounds like a pretty good data recovery option given the high price of many other data recovery services.
Oh… and here’s another reminder that if you’re getting rid of a hard drive, just erasing things…. doesn’t quite get the job done.
Related PostsRelated Posts
- Converting MPG video to dv files I don't know much about the dv format, except that it is a standard format that many camcorders use. For this reason, many video editors (such as kino for linux) prefer to see files coming in dv format. The problem I ran into is that the new handycam dvd puts......
- Kdirstat to track space hogs I'm putting this under the Windows tech support category because I've used this on a boot cd before to do the same for Windows as I'm about to describe for Linux. I need to clean up and organize my hard drive(s). But when it comes to actually deleting things you......
- Remote tech support with anything - would I do it? I've tried to ask myself if I'd trust someone enough to let them run a remote session on my own desktop to solve a problem. I think the answer is "it depends". If you think about it, I do tech support for home users quite a bit and they let......
- Rebit Inc. Try Rebit 5 Backup Software - Free for 30 DaysRebit Inc. is a software company committed to delivering fully-automatic and complete PC backup and recovery, removing the burden of managing backup from users. Rebit was named a 2009 and 2010 CRN Emerging Vendor by Computer Reseller News, and Rebit......
- The Nickname Cache in Outlook - Get to Know your .NK2 file Have you ever wondered where Outlook stores data it uses to auto-complete email addresses when you are typing in the To or Cc field? Microsoft stores this data in a file with the extension .NK2. The file is stored in each user's profile in drive:\Documents and Settings\user name\Application Data\Microsoft\Outlook. Note......
- Proof You can only Push High Net Worth and High Income Individuals So Far! One of my favorite sites, The Tax Foundation, had a phenomenal couple posts about Marylandâ€™s so-called Millionaire Tax.Â The two main posts are, Marylandâ€™s Millionaires Missing After Tax Hike and Marylandâ€™s Lawmaker Proposes making Millionairesâ€™ Tax Permanent.Â Maryland, like many other States out there are hurting for cash, so......
- Drive images – filling free space with zeros
- How to Recover deleted items from Outlook .pst file
- Kdirstat to track space hogs
- Virtual Machine of a real hard drive
- Data Recovery | Hard Drive Failure Monitoring | Data Recovery and Rescue Tools