[Nottingham] Forensics problem

James of the Family Moore jmthelostpacket at googlemail.com
Tue Sep 14 15:50:14 UTC 2010


Deep sector forensic recovery tools like Stellar Phoenix look like
the job here - these bypass the partition table and read each sector to
a file on another drive as plain text. You'll end up with a
fulltext-searchable set consisting of several hundred thousand files and
several GB (approximately 7 times as much space required as the original
drive, and about a week per 100GB to pull the data). Just make sure your
power is stable and the drive is kept at a constant low temperature;
this is intensive, tedious stuff.

On 14/09/2010 14:55, Paul Tew wrote:
> Hi,
> Some of you folks are aware that I'm a forensic examiner with Notts
> Police... well I suppose you all know now ;)
>
> I have a bit of a problem with some evidence I'm examining and could
> do with some suggestions...
>
> I recently took possession of a Buffalo LinkStation which serves files
> to an attached network via samba. The issue I have is that these files
> are stored on an XFS partition. None of my usual forensic tools can
> parse XFS. To recover the files I've had to mount the image file (for
> the uninitiated, an image file is a copy of all the data from the hard
> drive or, as in this case a RAID). I've mounted the XFS partition
> without any problem and recovered the files, all well and good so far.
>
> My problem is that I need to look at those parts of the drive that
> DON'T form regular files so that I can search for deleted and
> unallocated files and carve them out. Ideally I would like to extract
> all the data from sectors that aren't allocated to files. I would
> normally use something like 'blkls' from the sleuthkit (TSK), but
> unfortunately TSK can't parse XFS partitions.
>
> My question is this:
> Does anyone have any suggestions as to how to stream the areas of a
> partition that don't consist of regular files?
>
> Paul
>
>
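
The sector-by-sector approach suggested in the reply above, as an added example (not code from either poster or from any named tool). It ignores the partition table and filesystem, checks the start of every 512-byte sector of a raw image for a known file header, and carves a JPEG up to its first end marker. The function names, the signature set and the sample image are assumptions constructed for illustration.

```python
import io

SECTOR = 512
# Header signatures tested at the start of each sector (small illustrative set).
SIGNATURES = {b"\xff\xd8\xff": "jpeg", b"%PDF-": "pdf", b"PK\x03\x04": "zip"}
JPEG_END = b"\xff\xd9"

def scan_sectors(image, chunk_sectors=2048):
    """Yield (sector_number, kind) for each sector that begins with a known header."""
    base = 0
    while True:
        chunk = image.read(SECTOR * chunk_sectors)
        if not chunk:
            break
        for off in range(0, len(chunk), SECTOR):
            head = chunk[off:off + 8]
            for magic, kind in SIGNATURES.items():
                if head.startswith(magic):
                    yield base + off // SECTOR, kind
        base += len(chunk) // SECTOR

def carve_jpeg(image, sector, max_bytes=16 * 1024 * 1024):
    """Return bytes from the header at `sector` to the first end marker, or None.

    Assumes the file is stored contiguously; an embedded thumbnail's end
    marker would cut the carve short, so treat results as candidates.
    """
    image.seek(sector * SECTOR)
    data = image.read(max_bytes)
    end = data.find(JPEG_END)
    return data[:end + len(JPEG_END)] if end != -1 else None

def build_sample():
    """Constructed 8-sector image: a JPEG-like blob at sector 2, a PDF header
    at sector 5, and a ZIP magic at a non-aligned offset (not reported)."""
    img = bytearray(SECTOR * 8)
    jpeg = b"\xff\xd8\xff\xe0" + b"A" * 700 + JPEG_END
    img[2 * SECTOR:2 * SECTOR + len(jpeg)] = jpeg
    img[5 * SECTOR:5 * SECTOR + 8] = b"%PDF-1.4"
    img[6 * SECTOR + 10:6 * SECTOR + 14] = b"PK\x03\x04"
    return bytes(img), jpeg

if __name__ == "__main__":
    raw, _ = build_sample()
    # For a real case, open the image read-only: open("image.dd", "rb")
    for sector, kind in scan_sectors(io.BytesIO(raw)):
        print(f"sector {sector} (byte offset {sector * SECTOR}): {kind} header")
```

Because the scan never consults filesystem metadata, it reports allocated and unallocated hits alike; hits must be compared against the files already recovered through the mounted filesystem to isolate deleted content.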


