Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email email@example.com
Re: [Full-disclosure] Forensic help?
From: Ragone_Andrew (kc2ltogmail.com)
Date: Mon Sep 12 2005 - 09:56:28 CDT
> I recently destroyed my file structure due to mistakenly writing a
> partition table to the wrong hard disk drive on my machine while
> installing an experimental version of OS X. The saving factor is that
> the partition that may have formatted was only 20GB out of 200GB and
> the rest was unallocated free space. I have installed a temporary
> instance of WinXP to use data recovery software and recover the
> majority of files from the drive (it is installed on the non-corrupted
> drive). I ran a scan with R-Studio's awesome NTFS recovery tool and can
> only find some of my recognized files here and there with system files
> in between. The folders are present as something such as
> $$$Folder1546$$ but there is absolutly no file system structure
> present. (some is on different "found" under different cluster settings,
> etc. using the IntelligiScan). Is there a way to reconstruct the file system
> with another
> utility using a data forensics linux livecd or other utility? I REALLY
> need to get this data recovered and would like to learn how on my own
> as first resort.
> I have used iRecover which restructed the file system almost perfectly
> but it freezes during the recover (or seems to hang). Are there any other
> choices out there? It seems none of the data was truely formatted ...
> On 9/12/05, Red Leg <redleg18gmail.com> wrote:
> > On 9/11/05 8:21 PM, "Paul Schmehl" <paulsutdallas.edu > wrote:
> > > Download the knoppix std distro and burn it to a cd. Use dcfldd for
> > drive
> > > imaging and the forensics tools for recovery of erased files and the
> > like.
> > >
> > Paul.
> > Does dcfldd allow me to mirror the disk in such a manner as to include
> > deleted files? I can not swap drives. I need to obtain an image with
> > which I
> > can "undelete" files that were conventionally erased.
> > Will dcfldd provide such an image?
> > Thanks!
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
> -Andrew Ragone
> BCA ATCS 2006
> [ Project Moonwell ]
BCA ATCS 2006
[ Project Moonwell ]
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/