On Mon, Feb 4, 2013 at 1:00 PM, Rich Braun <ri...@pioneer.ci.net> wrote:
> Scott Ehrlich <srehrl...@gmail.com> suggested:
>> Try FTK Imager Lite.
>> Also look into TSK (The Sleuth Kit) / Autopsy (web frontend for TSK).
>
> Thanks! I'll try those; the former seems to be a Windows-based tool but the
> TSK looks like it might work. One issue that I'm running into is that
> virtually none of the obvious tools have been updated to handle ext4. Just
> now I found a research paper that concisely gives enough detailed info to
> /write/ a recovery tool (but doesn't talk about /existing/ tools):
>
> http://www.dfrws.org/2012/proceedings/DFRWS2012-13.pdf
>
> What I think is happening with extundelete is that it's making assumptions
> about the journal which might have been valid for ext3, but which are totally
> incorrect for the ext4 journal.
>
>> Was this a RAID or a single disk?
>
> It's a 1TB logical volume on a 4TB lvm2 volume group on top of RAID. So I am
> able to sequester it and perform forensics on the unmounted volume. I
> discovered my mistake after coming home from a Super Bowl party so I know that
> the only thing which happened to it before I took it offline was my rsync cron
> job.
>
> -rich
>
> _______________________________________________
> Discuss mailing list
> Discuss@blu.org
> http://lists.blu.org/mailman/listinfo/discuss

Also check out http://www.forensicswiki.org/wiki/Linux

Scott