[Nottingham] Forensics problem

Luke Crowe luke.crowe at ukonline.co.uk
Thu Sep 16 20:32:35 UTC 2010

Have you tried Foremost or Scalpel, which carve on headers and footers?

-----Original Message-----
From: nottingham-bounces at mailman.lug.org.uk
[mailto:nottingham-bounces at mailman.lug.org.uk] On Behalf Of Paul Tew
Sent: 14 September 2010 14:56
To: Notts GNU/Linux Users Group
Subject: [Nottingham] Forensics problem

Some of you folks are aware that I'm a forensic examiner with Notts
Police... well I suppose you all know now ;)

I have a bit of a problem with some evidence I'm examining and could do with
some suggestions...

I recently took possession of a Buffalo LinkStation which serves files to an
attached network via Samba. The issue I have is that these files are stored
on an XFS partition. None of my usual forensic tools can parse XFS. To
recover the files I've had to mount the image file (for the uninitiated, an
image file is a copy of all the data from the hard drive or, as in this case,
a RAID). I've mounted the XFS partition without any problem and recovered
the files, all well and good so far.

My problem is that I need to look at those parts of the drive that DON'T
form regular files so that I can search for deleted and unallocated files
and carve them out. Ideally I would like to extract all the data from
sectors that aren't allocated to files. I would normally use something like
'blkls' from The Sleuth Kit (TSK), but unfortunately TSK can't parse XFS.

My question is this:
Does anyone have any suggestions as to how to stream the areas of a
partition that don't consist of regular files?
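
Added example, not part of the original thread and not Foremost's or Scalpel's own code: a small header/footer carver of the kind suggested in the reply above, which scans raw bytes and so needs no XFS parsing. The signature table, size limits and sample image are constructed for illustration.

```python
"""Header/footer carving over raw bytes, independent of the filesystem."""

# Assumed signature table: kind -> (header, footer, max carve size in bytes).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 50 * 1024 * 1024),
}


def carve(data, signatures=SIGNATURES):
    """Return sorted (offset, kind, bytes) for each header/footer pair found."""
    found = []
    for kind, (header, footer, max_size) in signatures.items():
        pos = data.find(header)
        while pos != -1:
            # Search for the footer only within max_size of the header so a
            # stray header cannot swallow the rest of the image.
            end = data.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # No footer in range: skip this header and keep scanning.
                pos = data.find(header, pos + 1)
                continue
            end += len(footer)
            # This sketch stops at the first footer; files with embedded
            # footers (e.g. JPEG thumbnails) would be cut short.
            found.append((pos, kind, data[pos:end]))
            pos = data.find(header, end)
    return sorted(found)


def build_sample_image():
    """Constructed sample: zero filler with a fake JPEG and PDF embedded."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n" + b"P" * 60 + b"\n%%EOF"
    orphan = b"\xff\xd8\xff\xe0" + b"X" * 20  # header with no footer
    image = b"\x00" * 512 + jpeg + b"\x00" * 300 + pdf + b"\x00" * 200 + orphan
    return image, jpeg, pdf


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for offset, kind, blob in carve(image):
        print(f"{kind} at offset {offset}, {len(blob)} bytes")
```

Run over a whole image, a carver like this returns allocated files as well as deleted ones, so the results need comparing (for example by hash) against the files already recovered from the mounted partition.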

