[PLUG] File recovery

Hal Pomeranz hal at deer-run.com
Wed Feb 25 18:50:48 UTC 2009


> Thanks. I have foremost installed. My problem is that I'm not
> certain of all the file types in the directory. If I recall
> correctly they were mostly perl scripts. I had read somewhere that I
> could just tell foremost to grab ASCII files which would include
> said perl scripts.

Meh.  Foremost is not generally good at ASCII text files.  You might
try "-t cpp" which grabs C source code.  I suspect Perl is close enough
that you'll get some hits.

Otherwise you may be stuck with using tools like dls from the Sleuthkit
(sleuthkit.org) to suck the free blocks out of the image and then grep
around for strings of interest (like "#!/usr/bin/perl").  Then you can
use dcat/blkcat to retrieve chunks of your files.  I warn you that this
is going to be tedious, however.

> I have rebooted the machine with said filesystem unmounted now. I
> also have the disk image I created which is just under 100GB since I
> dd'd the partition. Would it be advisable to use foremost on the
> disk image or the actual filesystem while unmounted in order to
> collect the data?

Doesn't hurt to try both.  The disk image might be corrupt because you
took it from a running file system.  OTOH, the file system might have
re-used some of the data blocks between the time you took the image
and the time you got the file system unmounted.

By the way, I also have to be a PITA and point out that you wouldn't
be going through any of this pain if you had backups on hand.  Consider
spending $125 on an external 1TB drive and a little of your time 
implementing an automated backup strategy.

-- 
Hal Pomeranz, Founder/CEO      Deer Run Associates      hal at deer-run.com
    Network Connectivity and Security, Systems Management, Training
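The dls/grep/blkcat approach above, as an added example that is not from the original post or from Sleuthkit: a small Python carver that does the "grep for the shebang, then pull the neighbouring blocks" step over a raw block dump. It assumes you have already written the unallocated blocks out with `blkls -f ext3 image.dd > unalloc.raw` (blkls and blkcat are the current names of dls and dcat in Sleuthkit 3.x), that the filesystem uses 4096-byte blocks (check with fsstat), and that, as on ext2/ext3, file contents start on a block boundary. The six-block image built by `build_sample_image` is constructed in memory so the script runs offline; `BLOCK`, `carve_perl`, `looks_like_text` and the sample data are all this example's own names.

```python
"""Carve Perl scripts out of a raw block dump.

Added example (not part of the original post or of Sleuthkit). Input is
either the unallocated-block file written by blkls or a whole partition
image; ext2/3 files start on a block boundary, so we only look for a
shebang at block-aligned offsets and then keep appending the following
blocks while they still look like text.
"""
import re
import sys

BLOCK = 4096  # assumption: ext3 default block size; confirm with fsstat
# "#!/usr/bin/perl", "#!/usr/local/bin/perl -w", "#!/usr/bin/env perl", ...
SHEBANG_RE = re.compile(rb'^#![^\n]*perl')


def pad(data, block=BLOCK):
    """Zero-fill data up to a multiple of the block size (used for sample data)."""
    return data + b'\x00' * (-len(data) % block)


def looks_like_text(chunk, threshold=0.95):
    """True if the block is mostly printable ASCII; zero-filled or binary blocks fail."""
    data = chunk.rstrip(b'\x00')  # ignore the slack at the end of a file's last block
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


def carve_perl(image, block=BLOCK, max_blocks=64):
    """Return [(block_number, script_bytes)] for every block-aligned Perl shebang.

    block_number is the index inside *image*; if *image* is the partition
    image itself it is the unit you would hand to blkcat to double-check.
    """
    results = []
    nblocks = len(image) // block
    i = 0
    while i < nblocks:
        chunk = image[i * block:(i + 1) * block]
        if SHEBANG_RE.match(chunk):
            pieces = [chunk]
            j = i + 1
            # keep grabbing blocks until we hit binary data, zero-fill or another shebang
            while j < nblocks and j - i < max_blocks:
                nxt = image[j * block:(j + 1) * block]
                if nxt.startswith(b'#!') or not looks_like_text(nxt):
                    break
                pieces.append(nxt)
                j += 1
            results.append((i, b''.join(pieces).rstrip(b'\x00')))
            i = j
        else:
            i += 1
    return results


def build_sample_image(block=BLOCK):
    """Constructed six-block image: zero-fill, a one-block script, a binary
    block, a script spanning two blocks, zero-fill. Returns (image, short, spanning)."""
    short = b'#!/usr/bin/perl\nuse strict;\nprint "hello\\n";\n'
    spanning = b'#!/usr/bin/env perl\n' + b'# filler line to cross a block boundary\n' * 200
    binary = bytes(range(256)) * (block // 256)
    image = (b'\x00' * block + pad(short, block) + binary
             + pad(spanning, block) + b'\x00' * block)
    return image, short, spanning


if __name__ == '__main__':
    if len(sys.argv) == 2:
        with open(sys.argv[1], 'rb') as fh:
            image = fh.read()
    else:
        image, _, _ = build_sample_image()
    for blk, script in carve_perl(image):
        name = f'carved_{blk}.pl'
        with open(name, 'wb') as out:
            out.write(script)
        print(f'block {blk}: {len(script)} bytes -> {name}')
```

Run it as `python3 carve.py unalloc.raw` to get one `carved_<n>.pl` per hit. Two limits are exactly the tedium Hal warns about: a fragmented script loses every extent after the first, and a deleted text file that happens to occupy the next block gets glued onto the script, so open each result and trim by hand. Dropping `max_blocks` or raising `threshold` makes the carver stop earlier; `grep -a -b -o '#!/usr/bin/perl' unalloc.raw` gives the same starting offsets from the shell if you want to cross-check.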


