Sleuthkit – windows and linux file recovery



http://www.sleuthkit.org/ Sluethkit… is a collection of tools for forensic analysis of a system. Usually it’s something that would be done when you’ve had a suspected rootkit on the system and you boot to another operating system with sluethkit installed (maybe livecd/etc.) and want to try to analyze and hunt for traces of the rootkit. However you do have some similar procedures for forensic analysis that you would for the “I accidentally deleted a file” syndrome… For both situations you DON’T want to be running the live filesystem that’s affected.


This article…. http://www.ituprising.com/malawi/blog/jon/recovering_deleted_files_with_linux_and_sleuthkit describes using linux and sluethkit to recovered deleted files on windows or linux filesystems. First you should understand at a basic level how “deleting” a file works. If you think of the hard drive as a filing cabinet and each file is a “folder” with it’s label…. erasing a file through windows (putting it in the recycle bin) is the same as scribbling over the name of your manila folder with a note that says “you can throw this out”. It doesn’t actually delete the contents until you need the space for something else. It just sets aside the space as “no longer reserved”.

So, if you act quickly (power down the system and quit using it as soon as you realize you’ve deleted the file), you have a chance of recovering lost data files. (Truth be told, sometimes you can recover files deleted weeks in the past, it depends on how much “churn” there is on the disk. Your odds definitely decrease with time and usage of the system.)

Essentially the way this works to recover lost files is as follows…. take you’re disk that you accidentally lost data on, unplug from your system (power down first please.) Then, boot up another system with linux (either as a livecd/standalone operating system.) Then, image the hard drive with the “lost” data to a file on the other system. Once this is done power down and disconnect the original disk (with “lost” data.) (Don’t power it back up yet.) install sleuthkit and autopsy when you power up your linux system.

Then (as root) run autopsy and connect to it’s page with your web browser (http://localhost:9999/autopsy) start a new case and browse to the image file for the disk image… then choose the partition where your data should be. Next go to analyze -> file analysis…. you ought to be able to search and enter the filename, then follow through to “download” or save the file to disk (and by all means test that you can open.)

According to the tutorial they were able to recover a whole folder of files from a disk that “had been formatted and reinstalled with a new version of Windows XP.” Sounds like a pretty good data recovery option given the high price of many other data recovery services.

Oh… and here’s another reminder that if you’re getting rid of a hard drive, just erasing things…. doesn’t quite get the job done.

   Send article as PDF   

Similar Posts