Computer Tips -Tech Info

http://www.sleuthkit.org/ Sluethkit… is a collection of tools for forensic analysis of a system. Usually it’s something that would be done when you’ve had a suspected rootkit on the system and you boot to another operating system with sluethkit installed (maybe livecd/etc.) and want to try to analyze and hunt for traces of the rootkit. However you do have some similar procedures for forensic analysis that you would for the “I accidentally deleted a file” syndrome… For both situations you DON’T want to be running the live filesystem that’s affected.

This article…. http://www.ituprising.com/malawi/blog/jon/recovering_deleted_files_with_linux_and_sleuthkit describes using linux and sluethkit to recovered deleted files on windows or linux filesystems. First you should understand at a basic level how “deleting” a file works. If you think of the hard drive as a filing cabinet and each file is a “folder” with it’s label…. erasing a file through windows (putting it in the recycle bin) is the same as scribbling over the name of your manila folder with a note that says “you can throw this out”. It doesn’t actually delete the contents until you need the space for something else. It just sets aside the space as “no longer reserved”.

So, if you act quickly (power down the system and quit using it as soon as you realize you’ve deleted the file), you have a chance of recovering lost data files. (Truth be told, sometimes you can recover files deleted weeks in the past, it depends on how much “churn” there is on the disk. Your odds definitely decrease with time and usage of the system.)

Essentially the way this works to recover lost files is as follows…. take you’re disk that you accidentally lost data on, unplug from your system (power down first please.) Then, boot up another system with linux (either as a livecd/standalone operating system.) Then, image the hard drive with the “lost” data to a file on the other system. Once this is done power down and disconnect the original disk (with “lost” data.) (Don’t power it back up yet.) install sleuthkit and autopsy when you power up your linux system.

Then (as root) run autopsy and connect to it’s page with your web browser (http://localhost:9999/autopsy) start a new case and browse to the image file for the disk image… then choose the partition where your data should be. Next go to analyze -> file analysis…. you ought to be able to search and enter the filename, then follow through to “download” or save the file to disk (and by all means test that you can open.)

According to the tutorial they were able to recover a whole folder of files from a disk that “had been formatted and reinstalled with a new version of Windows XP.” Sounds like a pretty good data recovery option given the high price of many other data recovery services.

Oh… and here’s another reminder that if you’re getting rid of a hard drive, just erasing things…. doesn’t quite get the job done.

Popularity: 3% [?]

   Send article as PDF   

• Kdirstat to track space hogs I'm putting this under the Windows tech support category because I've used this on a boot cd before to do the same for Windows as I'm about to describe for Linux. I need to clean up and organize my hard drive(s). But when it comes to actually deleting things you......
• Open Source NTFS driver for linux with Read and Write support Linux has full support for so many file systems. Fat32, which is the filesystem of the Win98 and ME systems has had full read-write support as long as I can remember, but NTFS has not. In fact, NTFS has had read-only support in the main open source driver, but NO......
• How to Recover deleted items from Outlook .pst file About 6 months ago I had a customer call with a bit of a crisis. They had deleted some folders in Outlook without realizing the cleared out a few things they NEEDED to keep. Up until then I hadn't had much opportunity to try to find out what was recoverable,......

• How to Fix the Windows Blue Screen of Death Hopefully after reading this article I will have some light on this for you. I will give three steps you can do to help diagnose and repair the windows blue screen error. All these are tasks you can complete on their own before taking your computer to a repair shop.......
• REG file parser using the Boost Spirit Parser Framework I would like to thank the people who developed the following projects - they made the implementation of this project easier: I want to say a personal thank you to Silviu Simen for his article "INI file reader using the Spirit library". There was a project in which I took......
• Finding the Beginner Triathlon Right for You As more people discover the triathlon, there is more pressure to create easier competitions. One of the events which are becoming more common is the beginner triathlon. Quite often this is an event which is held at the same time as other more intense races. This creates unique opportunities which......

Similar Posts

• Drive images – filling free space with zeros
• How to Recover deleted items from Outlook .pst file
• Kdirstat to track space hogs
• Virtual Machine of a real hard drive
• Data Recovery | Hard Drive Failure Monitoring | Data Recovery and Rescue Tools

This entry was posted on Sunday, February 18th, 2007 at 8:16 pm and is filed under Computers, Hardware, Linux Software, Linux Tech Support, Windows Tech Support. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.