http://www.sleuthkit.org/ Sluethkit… is a collection of tools for forensic analysis of a system. Usually it’s something that would be done when you’ve had a suspected rootkit on the system and you boot to another operating system with sluethkit installed (maybe livecd/etc.) and want to try to analyze and hunt for traces of the rootkit. However you do have some similar procedures for forensic analysis that you would for the “I accidentally deleted a file” syndrome… For both situations you DON’T want to be running the live filesystem that’s affected.
This article…. http://www.ituprising.com/malawi/blog/jon/recovering_deleted_files_with_linux_and_sleuthkit describes using linux and sluethkit to recovered deleted files on windows or linux filesystems. First you should understand at a basic level how “deleting” a file works. If you think of the hard drive as a filing cabinet and each file is a “folder” with it’s label…. erasing a file through windows (putting it in the recycle bin) is the same as scribbling over the name of your manila folder with a note that says “you can throw this out”. It doesn’t actually delete the contents until you need the space for something else. It just sets aside the space as “no longer reserved”.
So, if you act quickly (power down the system and quit using it as soon as you realize you’ve deleted the file), you have a chance of recovering lost data files. (Truth be told, sometimes you can recover files deleted weeks in the past, it depends on how much “churn” there is on the disk. Your odds definitely decrease with time and usage of the system.)
Essentially the way this works to recover lost files is as follows…. take you’re disk that you accidentally lost data on, unplug from your system (power down first please.) Then, boot up another system with linux (either as a livecd/standalone operating system.) Then, image the hard drive with the “lost” data to a file on the other system. Once this is done power down and disconnect the original disk (with “lost” data.) (Don’t power it back up yet.) install sleuthkit and autopsy when you power up your linux system.
Then (as root) run autopsy and connect to it’s page with your web browser (http://localhost:9999/autopsy) start a new case and browse to the image file for the disk image… then choose the partition where your data should be. Next go to analyze -> file analysis…. you ought to be able to search and enter the filename, then follow through to “download” or save the file to disk (and by all means test that you can open.)
According to the tutorial they were able to recover a whole folder of files from a disk that “had been formatted and reinstalled with a new version of Windows XP.” Sounds like a pretty good data recovery option given the high price of many other data recovery services.
Oh… and here’s another reminder that if you’re getting rid of a hard drive, just erasing things…. doesn’t quite get the job done.
Related PostsRelated Posts
- Open Source NTFS driver for linux with Read and Write support Linux has full support for so many file systems. Fat32, which is the filesystem of the Win98 and ME systems has had full read-write support as long as I can remember, but NTFS has not. In fact, NTFS has had read-only support in the main open source driver, but NO......
- Windows to Linux migration tool With impeccable timing.... Desktop Linux is reporting that Resolvo systems has released their "MoveOver Enterprise" desktop migration tool to assist migrating from Windows to Linux in the Enterprise. The software automates the process through a wizard-driven interface and helps to make the transition from Microsoft Windows to Linux an easy......
- GDrive rumors and screenshot - Platypus I saw this ZDNet post today with a tantalizing glimpse of Gdrive. It comes originally from cocaman.ch where he found a login page for something called Google Platypus, which is essentially a remotely used file storage. Now, from the page there are a couple of items that can be gleaned.......
- Real-estate Hosting - Don't Overpay! Recently, I d been using WordTracker.com to see which "real estate property website" phrases get searched quite often through Google, Yahoo and similar major search engines. It surprised me that the phrase "property web hosting" and also the longer "real-estate internet page hosting" were two of the most commonly searched......
- Rebit Inc. Try Rebit 5 Backup Software - Free for 30 DaysRebit Inc. is a software company committed to delivering fully-automatic and complete PC backup and recovery, removing the burden of managing backup from users. Rebit was named a 2009 and 2010 CRN Emerging Vendor by Computer Reseller News, and Rebit......
- Key New Features in SAINT 7.10 Key New Features in SAINT 7.10 SAINT Professional is now available on Mac OS X Lion (10.7). You can now fingerprint iPhones and iPads connected to your network. SAINT includes OS Fingerprinting during network discovery and/or vulnerability scanning. New OWASP Top 10 Web Application scanning policy including 12 new web......
- Drive images – filling free space with zeros
- How to Recover deleted items from Outlook .pst file
- Kdirstat to track space hogs
- Virtual Machine of a real hard drive
- Data Recovery | Hard Drive Failure Monitoring | Data Recovery and Rescue Tools