Full Disclosure mailing list archives
Re: Forensic help?
From: Ragone_Andrew <kc2lto () gmail com>
Date: Mon, 12 Sep 2005 10:56:28 -0400
I recently destroyed my file structure due to mistakenly writing a partition table to the wrong hard disk drive on my machine while installing an experimental version of OS X. The saving factor is that the partition that may have been formatted was only 20GB out of 200GB and the rest was unallocated free space. I have installed a temporary instance of WinXP to use data recovery software and recover the majority of files from the drive (it is installed on the non-corrupted drive).

I ran a scan with R-Studio's awesome NTFS recovery tool and can only find some of my recognized files here and there with system files in between. The folders are present as something such as $$$Folder1546$$ but there is absolutely no file system structure present. (some is on different "found" under different cluster settings, etc. using the IntelligiScan). Is there a way to reconstruct the file system with another utility using a data forensics linux livecd or other utility? I REALLY need to get this data recovered and would like to learn how on my own as first resort.

I have used iRecover which restructured the file system almost perfectly but it freezes during the recover (or seems to hang). Are there any other choices out there? It seems none of the data was truly formatted ...

-Andrew

On 9/12/05, Red Leg <redleg18 () gmail com> wrote:
> On 9/11/05 8:21 PM, "Paul Schmehl" <pauls () utdallas edu> wrote:
>> Download the knoppix std distro and burn it to a cd. Use dcfldd for drive
>> imaging and the forensics tools for recovery of erased files and the like.
>
> Paul. Does dcfldd allow me to mirror the disk in such a manner as to include deleted files? I can not swap drives. I need to obtain an image with which I can "undelete" files that were conventionally erased. Will dcfldd provide such an image?
>
> Thanks!
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
___________________
-Andrew Ragone
BCA ATCS 2006 [ Project Moonwell ] Kc2LTO http://kc2lto.com
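Added example, not part of the original message or of any tool named in it: one way to look for NTFS volumes in a raw sector-by-sector image (such as one made with dcfldd) after the partition table has been overwritten, using the boot sector and the backup copy NTFS keeps at the end of the volume. The function names and the sample image are constructed for illustration, and the scan assumes 512-byte-aligned boot sectors.

```python
import struct

SECTOR = 512  # scan step; assumes boot sectors are 512-byte aligned

def parse_ntfs_boot(sector):
    """Return BPB fields if `sector` looks like an NTFS boot sector, else None."""
    if sector[3:11] != b"NTFS    " or sector[510:512] != b"\x55\xaa":
        return None
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)       # bytes/sector, sectors/cluster
    total, mft_lcn = struct.unpack_from("<QQ", sector, 0x28)  # total sectors, $MFT cluster
    # Sanity checks reject stray sectors that merely contain the string "NTFS".
    if bps not in (512, 1024, 2048, 4096) or spc == 0 or spc & (spc - 1) or total == 0:
        return None
    return {"total_bytes": total * bps, "mft_offset": mft_lcn * spc * bps}

def find_ntfs_volumes(image):
    """Scan a raw image (bytes or mmap); return volumes whose $MFT is still in place."""
    found = {}
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        bpb = parse_ntfs_boot(image[off:off + SECTOR])
        if bpb is None:
            continue
        # Two hypotheses: this is the primary boot sector, or the backup copy that
        # NTFS (as formatted by Windows 2000/XP) keeps just past total_sectors.
        for role, start in (("primary", off), ("backup", off - bpb["total_bytes"])):
            mft = start + bpb["mft_offset"]
            if start >= 0 and image[mft:mft + 4] == b"FILE":
                vol = found.setdefault(start, dict(bpb, start_offset=start, seen_via=[]))
                vol["seen_via"].append(role)
    return [found[s] for s in sorted(found)]

def make_sample(primary_intact):
    """Constructed 64-sector image: NTFS volume at sector 8, 40 sectors, $MFT at cluster 4."""
    boot = bytearray(SECTOR)
    boot[3:11] = b"NTFS    "
    struct.pack_into("<HB", boot, 0x0B, 512, 1)
    struct.pack_into("<QQ", boot, 0x28, 40, 4)
    boot[510:512] = b"\x55\xaa"
    img = bytearray(64 * SECTOR)
    if primary_intact:
        img[8 * SECTOR:9 * SECTOR] = boot
    img[48 * SECTOR:49 * SECTOR] = boot          # backup boot sector at start + 40
    img[12 * SECTOR:12 * SECTOR + 4] = b"FILE"   # first $MFT record signature
    return bytes(img)

if __name__ == "__main__":
    for v in find_ntfs_volumes(make_sample(primary_intact=False)):
        print(v)
```

On a real image, pass an `mmap` of the image file opened read-only instead of reading the whole file into memory.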
Current thread:
- Forensic help? Red Leg (Sep 11)
- Re: Forensic help? KF (lists) (Sep 11)
- RE: Forensic help? dave kleiman (Sep 11)
- Re: Forensic help? Jason Coombs (Sep 11)
- Re: Forensic help? Paul Schmehl (Sep 11)
- Re: Forensic help? Red Leg (Sep 11)
- Re: Forensic help? Red Leg (Sep 12)
- Message not available
- Re: Forensic help? Ragone_Andrew (Sep 12)
- Re: Forensic help? KF (lists) (Sep 12)
- Re: Forensic help? fd (Sep 12)
- Re: Forensic help? Paul Schmehl (Sep 12)
- Re: Forensic help? als (Sep 12)
- Re: Forensic help? KF (lists) (Sep 11)
- <Possible follow-ups>
- RE: Forensic help? James Wicks (Sep 11)
- Re: Forensic help? Andrew Farmer (Sep 11)
- RE: Forensic help? Sims Brian (Sep 12)
- Re: Forensic help? James Wicks (Sep 12)