[Nottingham] Forensics problem

Paul Tew binarybod at gmail.com
Tue Sep 14 13:56:59 UTC 2010

Some of you folks are aware that I'm a forensic examiner with Notts
Police... well I suppose you all know now ;)

I have a bit of a problem with some evidence I'm examining and could
do with some suggestions...

I recently took possession of a Buffalo LinkStation which serves files
to an attached network via Samba. The issue I have is that these files
are stored on an XFS partition. None of my usual forensic tools can
parse XFS. To recover the files I've had to mount the image file (for
the uninitiated, an image file is a copy of all the data from the hard
drive or, as in this case, a RAID). I've mounted the XFS partition
without any problem and recovered the files, all well and good so far.

My problem is that I need to look at those parts of the drive that
DON'T form regular files so that I can search for deleted and
unallocated files and carve them out. Ideally I would like to extract
all the data from sectors that aren't allocated to files. I would
normally use something like 'blkls' from the sleuthkit (TSK), but
unfortunately TSK can't parse XFS partitions.

My question is this:
Does anyone have any suggestions as to how to stream the areas of a
partition that don't consist of regular files?


