[PLUG] Creating a filename for an open, but deleted, file

Damon Getsman damo.gets at gmail.com
Sat Nov 15 00:57:07 UTC 2014


I think the original start of this thread was by Robert C., but I'm not
sure.  I fell out of checking email for a few days, so I'm sorry if that's
not exactly accurate or if I missed a solution to this problem that popped
up since it first came around a few days ago...

Anyway, I think the best possibility for a solution to the problem that
you're looking at right now would come from 'sleuthkit'.  I'm not sure if
it's available as a package for the Linux distro that you're using; I had
to compile it custom for OpenBSD, but that's hardly anything rare for that
OS.

The home site for the project is here: http://www.sleuthkit.org/; it
handles all kinds of filesystem image and raw fs forensics.  Doesn't have
the best documentation, but I have a feeling if you're using the GUI tools
(which I was unable to because of my headless and Xless OpenBSD machine) it
should be a lot easier to use than it was for me with simply the raw
command line utilities.

Hope that helps if you haven't found anything else already.

-Damon


