[Nottingham] Forensics problem
mbooth at fedoraproject.org
Tue Sep 14 15:14:08 UTC 2010
On 14 September 2010 14:55, Paul Tew <binarybod at gmail.com> wrote:
> Some of you folks are aware that I'm a forensic examiner with Notts
> Police... well I suppose you all know now ;)
> I have a bit of a problem with some evidence I'm examining and could
> do with some suggestions...
> I recently took possession of a Buffalo LinkStation which serves files
> to an attached network via samba. The issue I have is that these files
> are stored on an XFS partition. None of my usual forensic tools can
> parse XFS. To recover the files I've had to mount the image file (for
> the uninitiated, an image file is a copy of all the data from the hard
> drive or, as in this case a RAID). I've mounted the XFS partition
> without any problem and recovered the files, all well and good so far.
> My problem is that I need to look at those parts of the drive that
> DON'T form regular files so that I can search for deleted and
> unallocated files and carve them out. Ideally I would like to extract
> all the data from sectors that aren't allocated to files. I would
> normally use something like 'blkls' from the sleuthkit (TSK), but
> unfortunately TSK can't parse XFS partitions.
> My question is this:
> Does anyone have any suggestions as to how to stream the areas of a
> partition that don't consist of regular files?
I don't know if it will be of any use, but there is a debugging tool for XFS
It is in the xfsprogs package on my system. The man page is fairly
dense, but seems like it might be useful for inspecting individual
filesystem blocks. Maybe scriptable too.
More information about the Nottingham