Forensics
Reiserfs Version 3 Forensics Dec 29 2005 06:30PM
Steve Bonds (njhy5rd02 sneakemail com) (3 replies)
Re: Reiserfs Version 3 Forensics Jan 03 2006 05:56PM
Steve Bonds (njhy5rd02 sneakemail com) (1 replies)
Re: Reiserfs Version 3 Forensics Jan 04 2006 10:51PM
Ryan B. Lynch (rlynch bway net)
I almost forgot. Check out this link, too, while you're at it: it has a
bunch of caveats and warnings, with a lot of user experiences with the
rebuild process:

http://www.antrix.net/journal/techtalk/reiserfs_data_recovery_howto.comments

-Ryan

Steve Bonds wrote:

>On 12/29/05, I wrote:
>
>>Does anyone know of a linux-based tool that works with Reiserfs
>>Version 3? Normally I would use The Sleuth Kit/Autopsy, however it
>>doesn't appear that they support Reiserfs V3.
>
>... trimmed ...
>
>>Anyone have a suggestion?
>
>Here's some more information based on some of the non-automated E-mail
>I received asking for more info/clarification.
>
>I have a damaged hard drive containing a reiserfs filesystem. I've
>managed to create the best image I can of the drive using dd_rescue
>and Helix. The image has some "holes" filled in with zeroes where the
>drive was unreadable.
>
>Right now I'm just trying for a simple data recovery to see what
>"obvious" things are on the drive. This will help determine if more
>analysis is needed. I have no reason (yet) to suspect that a
>deliberate attempt to hide any files has taken place.
>
>Since I can't find a tool to read the reiserfs portion of the image I
>plan to "dd" out the reiserfs partition based on disk-block offsets to
>another image and use reiserfsck in an attempt to make it loop-device
>mount-able under linux. There is a good chance this will result in
>lost data/missing files but I'm being careful to preserve the original
>image in case more analysis is needed.
>
>Later on I may need to examine deleted files, slack space, and other
>areas of the image that may not be displayed via a normal "mount".
>For this, something like The Sleuth Kit would almost assuredly be
>needed. I thought I might as well start looking now rather than when
>things become more time-sensitive. (However at that time my budget
>may go up, too! ;-)
>
>I've had at least one recommendation for X-Ways, however it seems like
>there should be some Linux-based software to help with this.
>
>Anyone know of any? It's beginning to look like it's either X-Ways or
>Encase, neither of which are currently in budget.
>
>Thanks,
>
> -- Steve
>
>
>
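The partition-carving step described in the quoted message, as an added example that is not part of the original posts: it locates ReiserFS superblocks through the MBR partition table of a disk image and copies that partition into a separate working file, which is the copy a repair tool would then be run against, while the evidence image is only ever opened for reading. The function names, the constructed sample image, and the assumption of an MBR-partitioned image with 512-byte sectors are illustrative.

```python
import hashlib
import struct

SECTOR = 512  # assumption: MBR-partitioned image with 512-byte sectors
# Superblock sits 64 KiB into the partition (8 KiB in the old 3.5 layout);
# the magic string is 52 bytes into the superblock.
SB_OFFSETS = (64 * 1024, 8 * 1024)
MAGICS = (b"ReIsErFs", b"ReIsEr2Fs", b"ReIsEr3Fs")

def find_reiserfs(image):
    """Return (start_lba, sectors, magic) for primary partitions holding ReiserFS."""
    hits = []
    with open(image, "rb") as f:
        mbr = f.read(SECTOR)
        if mbr[510:512] != b"\x55\xaa":
            raise ValueError("no MBR signature (bare partition or unreadable sector 0)")
        for i in range(4):
            start, count = struct.unpack_from("<II", mbr, 446 + 16 * i + 8)
            for sb in (SB_OFFSETS if count else ()):
                f.seek(start * SECTOR + sb + 52)
                magic = f.read(10).split(b"\0")[0]
                if magic in MAGICS:
                    hits.append((start, count, magic.decode()))
                    break
    # No hit can also mean the superblock fell in a zero-filled hole.
    return hits

def carve(image, start_lba, sectors, out):
    """Copy one partition to a working file; return (bytes_written, sha256)."""
    left, h = sectors * SECTOR, hashlib.sha256()
    with open(image, "rb") as src, open(out, "wb") as dst:
        src.seek(start_lba * SECTOR)
        while left > 0:
            chunk = src.read(min(left, 1 << 20))
            if not chunk:  # image ends before the partition does
                break
            dst.write(chunk)
            h.update(chunk)
            left -= len(chunk)
    return sectors * SECTOR - left, h.hexdigest()

def build_sample(path):
    """Constructed sample: MBR, one partition at LBA 63, ReiserFS 3.6 magic."""
    img = bytearray(SECTOR * (63 + 256))
    struct.pack_into("<BxxxBxxxII", img, 446, 0, 0x83, 63, 256)
    img[510:512] = b"\x55\xaa"
    off = 63 * SECTOR + 64 * 1024 + 52
    img[off:off + 9] = b"ReIsEr2Fs"
    with open(path, "wb") as f:
        f.write(img)
```

A byte count smaller than `sectors * 512` means the image is shorter than the partition table claims, and the returned hash gives a baseline for the working copy before any repair tool modifies it.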

Re: Reiserfs Version 3 Forensics Jan 03 2006 06:18AM
subscribe (subscribe crazytrain com)
Re: Reiserfs Version 3 Forensics Dec 31 2005 07:31AM
Chris Umphress (umphress gmail com)


 

Copyright 2010, SecurityFocus