Needle in a haystack

[SirDice]

I'm looking for the proverbial needle in a heystack..
Due to my own fault I've lost an encryption key

I thought I had backed up everything when I reinstalled my server. Unfortunately later on I realized I forgot 1 64 byte file.. DOH!

The old layout of the disk had 3 slices on it (fbsd), now there's only 2. I need to find that key that used to reside in a partition inside one of the 'old' slices.

I've looked at sleuthkit/autopsy but that seems to concentrate on analyzing the current filesystem, hence I can't find it.
Tried a few windows(!) programs too but none seem to be able to find it..

I know the file's name and I know it's size, how do I go about scanning the disk looking for that info?

Preferably I'd like something that scans the whole disk looking for past info on files that are 64 bytes in size.

The filesystem is UFS2 (Freebsd). Any hints/tips are welcome.

[SirDice]

Oh.. Forgot to add... Some in depth knowledge into the inner workings of UFS/UFS2 would also be appreciated

[nihil]

Hello SirDice,

I know that I am out of my depth here, but please look at the "unstoppable copier"............. by roadkil. There is a *nix version

Basically it will scan the disk and attempt to reassemble whatever it can find.......... it takes a hell of a long time, but it is my "weapon of last resort"

http://www.roadkil.net/

Please check out the "downloads" section.

Cheers

[SirDice]

There's nothing wrong with the disk itself i.e. no read-errors or whatever.

I repartitioned, formatted and put a new install on it before I realized I forgot to backup this file.
It's highly likely it got overwritten in the process but I'm not going to give up that easy

Besides sleuthkit/autopsy I also been playing with R-Studio, RaiseDR for UFS, Stellar Phoenix (BSD) and UFS Explorer.
All very impressive programs, I did find other things that used to be on the 'old' filesystem. Quite shocking on one hand but hopeful on the other

[nihil]

Whilst the unstoppable copier will handle damaged media, it just attempts to recover everything, so long as it hasn't been overwritten.

It would be worth a try in my opinion

[SirDice]

I'll give it a shot.. I don't care if it takes a week to scan..

[Egaladeist]

You might find something here:

http://www.resource.**********.com/viewforum.php?f=33
**********/TAZForum KnowledgeBase • View forum - Computer Forensics Resources

[SirDice]

Trying to find 64 bytes of random data on an 80GB disk really is like searching for a needle in a haystack

[nihil]

Did the file have a name?

The unstoppable copier will attempt to reassemble all files........... so let it run then look for those that are 64 bytes long.

When I have used it in the past it has managed to recover partial text files, which is a lot better than nothing? Obviously, in your case you need the file intact, so if you cannot find a 64 byte file then I suppose you must have overwritten it?

[Egaladeist]

If the file has been overwritten not just deleted then according to this you can't recover it

http://www.nber.org/sys-admin/overwr...a-guttman.html
Can Intelligence Agencies Read Overwritten Data?