Re: Forensic tool to recommend?
Hi Fabio and List,

I don't quite know what you really want to do. But if I got the point, you
(or someone else?) have deleted some files on Windows and Linux filesystems.
If we do a small exercise on how filesystems work, you might get the
solution on your own.

Filesystems (in general) arrange their files on the hard drive by having
linked lists (in Linux FS called inodes).
Each filesystem has a table at the start of the partition, where
references (links) link to the file location.
Following this, the file data and file attributes are separated from each
other.
If a file is being deleted, your filesystem (under Linux) simply deletes
the inode referencing the file data.
So the data is still in its place. But as you should remember, a hard drive
is not being synced "in time"; there is a buffer in your RAM.
When the inode is deleted, it is being deleted in the copy of your inode
table in your RAM or hard drive RAM.

Let's stick to Windows. The Windows filesystems don't know inodes but
something similar.
Windows either has the file allocation table or its counterpart NTFS.
Both filesystems have linked lists which refer to the file data.
When you delete something under Windows, the file attribute (inode) is not
deleted but instead "marked" as deleted.
Windows has a special file attribute for deleted files. So you simply need
to download a file-recovery tool and you may be able to recover very old
data.

So far... have fun!

Cheers,
Floschi
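As an added illustration of the "marked as deleted" behaviour Floschi describes (example code written for this page, not code from the thread), here is a small Python parser over a constructed FAT directory region: each 32-byte 8.3 entry whose first name byte is 0xE5 is a freed slot whose remaining name, start cluster and size still survive, which is exactly what a file-recovery tool reads back. It assumes the standard on-disk 8.3 entry layout; the sample entries and names are constructed.

```python
import struct
from collections import namedtuple

ENTRY_SIZE = 32
ATTR_DIRECTORY = 0x10
ATTR_LONG_NAME = 0x0F        # VFAT long-name fragments set all four low attribute bits
DELETED_MARK = 0xE5          # byte FAT writes over the name's first character on delete

DirEntry = namedtuple("DirEntry", "name deleted is_dir first_cluster size")

def make_entry(name8, ext3, attr, cluster, size, deleted=False):
    """Build a constructed 32-byte 8.3 entry (timestamps zeroed) for the sample."""
    raw = name8.ljust(8).encode() + ext3.ljust(3).encode()
    if deleted:
        raw = bytes([DELETED_MARK]) + raw[1:]
    return struct.pack("<11sBBBHHHHHHHI", raw, attr, 0, 0, 0, 0, 0,
                       cluster >> 16, 0, 0, cluster & 0xFFFF, size)

def parse_directory(region):
    """Walk 32-byte slots: 0x00 first byte ends the directory, 0xE5 marks deleted."""
    entries = []
    for off in range(0, len(region) - ENTRY_SIZE + 1, ENTRY_SIZE):
        raw = region[off:off + ENTRY_SIZE]
        if raw[0] == 0x00:
            break                      # no slot past here was ever used
        attr = raw[11]
        if attr & ATTR_LONG_NAME == ATTR_LONG_NAME:
            continue                   # long-name fragment, not a file record
        deleted = raw[0] == DELETED_MARK
        head = "?" if deleted else chr(raw[0])   # first character is lost on delete
        base = (head + raw[1:8].decode("ascii", "replace")).rstrip()
        ext = raw[8:11].decode("ascii", "replace").rstrip()
        hi, _, _, lo, size = struct.unpack_from("<HHHHI", raw, 20)
        entries.append(DirEntry(base + ("." + ext if ext else ""), deleted,
                                bool(attr & ATTR_DIRECTORY), (hi << 16) | lo, size))
    return entries

def recoverable(region):
    """Deleted files whose start cluster and size survived (the FAT chain itself
    is cleared on delete, so a carver must assume the clusters were contiguous)."""
    return [e.name for e in parse_directory(region)
            if e.deleted and not e.is_dir and e.first_cluster >= 2 and e.size > 0]

# Constructed sample: a live file, a deleted file, a subdirectory, then the
# end-of-directory marker followed by a stale slot that must be ignored.
SAMPLE_DIR = (make_entry("README", "TXT", 0x20, 3, 512)
              + make_entry("SECRET", "DOC", 0x20, 7, 1234, deleted=True)
              + make_entry("LOGS", "", ATTR_DIRECTORY, 9, 0)
              + bytes(ENTRY_SIZE)
              + make_entry("OLD", "BAK", 0x20, 12, 99))
```

`recoverable(SAMPLE_DIR)` returns `['?ECRET.DOC']`: the entry is still there with cluster 7 and 1234 bytes, which is why the data can be found again as long as those clusters have not been reused.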



Hi All,

I am evaluating some tools for gathering evidence on Linux and Windows
distros.

In particular I am interested in recovering files/folders which have
been deleted "accidentally" from the PC.

I am aware there are some Live CDs with Linux installed that could
mount a drive and try to recover those files, but I don't know of any in
particular.

Any help will be really appreciated.

Thank you very much.

Greetings,

Fabio