Re: [Full-disclosure] Forensic help?
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Forensic help?
- From: Ragone_Andrew <kc2lto@xxxxxxxxx>
- Date: Mon, 12 Sep 2005 10:56:28 -0400
>
> I recently destroyed my file structure due to mistakenly writing a
> partition table to the wrong hard disk drive on my machine while
> installing an experimental version of OS X. The saving factor is that
> the partition that may have been formatted was only 20GB out of 200GB and
> the rest was unallocated free space. I have installed a temporary
> instance of WinXP to use data recovery software and recover the
> majority of files from the drive (it is installed on the non-corrupted
> drive). I ran a scan with R-Studio's awesome NTFS recovery tool and can
> only find some of my recognized files here and there with system files
> in between. The folders are present as something such as
> $$$Folder1546$$ but there is absolutely no file system structure
> present. (some is on different "found" under different cluster settings,
> etc. using the IntelligiScan). Is there a way to reconstruct the file
> system with another utility using a data forensics linux livecd or other
> utility? I REALLY need to get this data recovered and would like to learn
> how on my own as a first resort.
> I have used iRecover which restructured the file system almost perfectly
> but it freezes during the recovery (or seems to hang). Are there any other
> choices out there? It seems none of the data was truly formatted ...
> -Andrew
>
>
> On 9/12/05, Red Leg <redleg18@xxxxxxxxx> wrote:
> >
> > On 9/11/05 8:21 PM, "Paul Schmehl" <pauls@xxxxxxxxxxxx> wrote:
> >
> >
> > > Download the knoppix std distro and burn it to a cd. Use dcfldd for drive
> > > imaging and the forensics tools for recovery of erased files and the like.
> > >
> >
> > Paul.
> >
> > Does dcfldd allow me to mirror the disk in such a manner as to include
> > deleted files? I can not swap drives. I need to obtain an image with
> > which I can "undelete" files that were conventionally erased.
> >
> > Will dcfldd provide such an image?
> >
> >
> > Thanks!
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> >
>
>
>
> --
> ___________________
> -Andrew Ragone
> BCA ATCS 2006
> [ Project Moonwell ]
> Kc2LTO
> http://kc2lto.com
>
--
___________________
-Andrew Ragone
BCA ATCS 2006
[ Project Moonwell ]
Kc2LTO
http://kc2lto.com