http://www.sleuthkit.org/ Sluethkit… is a collection of tools for forensic analysis of a system. Usually it’s something that would be done when you’ve had a suspected rootkit on the system and you boot to another operating system with sluethkit installed (maybe livecd/etc.) and want to try to analyze and hunt for traces of the rootkit. However you do have some similar procedures for forensic analysis that you would for the “I accidentally deleted a file” syndrome… For both situations you DON’T want to be running the live filesystem that’s affected.
This article…. http://www.ituprising.com/malawi/blog/jon/recovering_deleted_files_with_linux_and_sleuthkit describes using linux and sluethkit to recovered deleted files on windows or linux filesystems. First you should understand at a basic level how “deleting” a file works. If you think of the hard drive as a filing cabinet and each file is a “folder” with it’s label…. erasing a file through windows (putting it in the recycle bin) is the same as scribbling over the name of your manila folder with a note that says “you can throw this out”. It doesn’t actually delete the contents until you need the space for something else. It just sets aside the space as “no longer reserved”.
So, if you act quickly (power down the system and quit using it as soon as you realize you’ve deleted the file), you have a chance of recovering lost data files. (Truth be told, sometimes you can recover files deleted weeks in the past, it depends on how much “churn” there is on the disk. Your odds definitely decrease with time and usage of the system.)
Essentially the way this works to recover lost files is as follows…. take you’re disk that you accidentally lost data on, unplug from your system (power down first please.) Then, boot up another system with linux (either as a livecd/standalone operating system.) Then, image the hard drive with the “lost” data to a file on the other system. Once this is done power down and disconnect the original disk (with “lost” data.) (Don’t power it back up yet.) install sleuthkit and autopsy when you power up your linux system.
Then (as root) run autopsy and connect to it’s page with your web browser (http://localhost:9999/autopsy) start a new case and browse to the image file for the disk image… then choose the partition where your data should be. Next go to analyze -> file analysis…. you ought to be able to search and enter the filename, then follow through to “download” or save the file to disk (and by all means test that you can open.)
According to the tutorial they were able to recover a whole folder of files from a disk that “had been formatted and reinstalled with a new version of Windows XP.” Sounds like a pretty good data recovery option given the high price of many other data recovery services.
Oh… and here’s another reminder that if you’re getting rid of a hard drive, just erasing things…. doesn’t quite get the job done.
Related PostsRelated Posts
- GDrive rumors and screenshot - Platypus I saw this ZDNet post today with a tantalizing glimpse of Gdrive. It comes originally from cocaman.ch where he found a login page for something called Google Platypus, which is essentially a remotely used file storage. Now, from the page there are a couple of items that can be gleaned.......
- Open Source NTFS driver for linux with Read and Write support Linux has full support for so many file systems. Fat32, which is the filesystem of the Win98 and ME systems has had full read-write support as long as I can remember, but NTFS has not. In fact, NTFS has had read-only support in the main open source driver, but NO......
- Remote tech support with anything - would I do it? I've tried to ask myself if I'd trust someone enough to let them run a remote session on my own desktop to solve a problem. I think the answer is "it depends". If you think about it, I do tech support for home users quite a bit and they let......
- Getting Into the Corporate Blogging Habit As with any task, developing effective habits can mean the difference between success and failure. Many first time corporate bloggers don’t take the time to develop good blogging habits and as a result, they don’t do as well as they should. Here are some tips to help you get into......
- How to Fix the Windows Blue Screen of Death Hopefully after reading this article I will have some light on this for you. I will give three steps you can do to help diagnose and repair the windows blue screen error. All these are tasks you can complete on their own before taking your computer to a repair shop.......
- The Nickname Cache in Outlook - Get to Know your .NK2 file Have you ever wondered where Outlook stores data it uses to auto-complete email addresses when you are typing in the To or Cc field? Microsoft stores this data in a file with the extension .NK2. The file is stored in each user's profile in drive:\Documents and Settings\user name\Application Data\Microsoft\Outlook. Note......
- Drive images – filling free space with zeros
- How to Recover deleted items from Outlook .pst file
- Kdirstat to track space hogs
- Virtual Machine of a real hard drive
- Data Recovery | Hard Drive Failure Monitoring | Data Recovery and Rescue Tools