On Mon, Feb 4, 2013 at 1:00 PM, Rich Braun <ri...@pioneer.ci.net> wrote:
> Scott Ehrlich <srehrl...@gmail.com> suggested:
>> Try FTK Imager Lite.
>> Also look into TSK (The Sleuth Kit) / Autopsy (web frontend for TSK).
>
> Thanks!  I'll try those; the former seems to be a Windows-based tool but the
> TSK looks like it might work.  One issue that I'm running into is that
> virtually none of the obvious tools have been updated to handle ext4.  Just
> now I found a research paper that concisely gives enough detailed info to
> /write/ a recovery tool (but doesn't talk about /existing/ tools):
>
> http://www.dfrws.org/2012/proceedings/DFRWS2012-13.pdf
>
> What I think is happening with extundelete is that it's making assumptions
> about the journal which might have been valid for ext3, but which are totally
> incorrect for the ext4 journal.
>
>> Was this a RAID or a single disk?
>
> It's a 1TB logical volume on a 4TB lvm2 volume group on top of RAID. So I am
> able to sequester it and perform forensics on the unmounted volume.  I
> discovered my mistake after coming home from a Super Bowl party so I know that
> the only thing which happened to it before I took it offline was my rsync cron
> job.
>
> -rich
>
>
> _______________________________________________
> Discuss mailing list
> Discuss@blu.org
> http://lists.blu.org/mailman/listinfo/discuss

Some other leads:

http://www.forensicfocus.com/Forums/viewtopic/t=2803/

http://tech.groups.yahoo.com/group/linux_forensics/message/3648
(note, for bulk extractor, the year is obviously wrong).

As an aside, Linux_Forensics is an excellent list, minus the mess-ups
Yahoo has done to their list server. Also, Simson Garfinkel and
Brian Carrier are two of the foremost experts on digital
forensics you'll find anywhere.

Scott
