
Thread: Needle in a haystack

  1. #1
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401

    Needle in a haystack

    I'm looking for the proverbial needle in a haystack..
    Due to my own fault I've lost an encryption key

    I thought I had backed up everything when I reinstalled my server. Unfortunately later on I realized I forgot 1 64 byte file.. DOH!

    The old layout of the disk had 3 slices on it (fbsd), now there's only 2. I need to find that key that used to reside in a partition inside one of the 'old' slices.

    I've looked at sleuthkit/autopsy but that seems to concentrate on analyzing the current filesystem, hence I can't find it.
    Tried a few Windows(!) programs too but none seem to be able to find it..

    I know the file's name and I know its size, how do I go about scanning the disk looking for that info?

    Preferably I'd like something that scans the whole disk looking for past info on files that are 64 bytes in size.

    The filesystem is UFS2 (FreeBSD). Any hints/tips are welcome.
    Oliver's Law:
    Experience is something you don't get until just after you need it.
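
Added example, not part of the original thread: one way to search a raw disk image by file name is to look for surviving UFS directory entries (`struct direct`: 32-bit inode number, 16-bit record length, type byte, name-length byte, NUL-terminated name) instead of the 64 random bytes themselves. The file name `example.key`, the little-endian byte order, an image that starts on a sector boundary and the constructed sample image are all assumptions.

```python
import struct

DIRBLKSIZ = 512               # a UFS directory entry never crosses this boundary
DT_REG = 8                    # d_type of a regular file
HDR = struct.Struct("<IHBB")  # d_ino, d_reclen, d_type, d_namlen (little-endian assumed)


def find_dirents(stream, name, chunk_size=1 << 20):
    """Return [(image_offset, inode)] for plausible struct direct records naming `name`."""
    needle = name.encode() + b"\0"                  # d_name is NUL-terminated
    min_reclen = (HDR.size + len(needle) + 3) & ~3  # records are padded to 4 bytes
    keep = HDR.size + len(needle) - 1               # tail kept so split records are seen
    hits, buf, base = [], b"", 0                    # base = image offset of buf[0]
    while chunk := stream.read(chunk_size):
        buf += chunk
        pos = buf.find(needle, HDR.size)
        while pos != -1:
            off = base + pos - HDR.size             # image offset of the record header
            ino, reclen, dtype, namlen = HDR.unpack_from(buf, pos - HDR.size)
            room = DIRBLKSIZ - off % DIRBLKSIZ      # bytes left in this directory block
            if (off % 4 == 0 and ino and dtype == DT_REG and namlen == len(needle) - 1
                    and reclen % 4 == 0 and min_reclen <= reclen <= room):
                hits.append((off, ino))
            pos = buf.find(needle, pos + 1)
        tail = buf[-keep:] if len(buf) > keep else buf
        base += len(buf) - len(tail)
        buf = tail
    return hits


def _dirent(ino, dtype, name, reclen):
    rec = HDR.pack(ino, reclen, dtype, len(name)) + name + b"\0"
    return rec.ljust(reclen, b"\0")


def build_sample_image():
    """Constructed 8 KiB test image: one stale directory block plus a plain-text decoy."""
    block = (_dirent(2, 4, b".", 12) + _dirent(2, 4, b"..", 12)
             + _dirent(1234, DT_REG, b"example.key", DIRBLKSIZ - 24))
    img = bytearray(8192)
    img[4096:4096 + DIRBLKSIZ] = block
    img[6005:6020] = b"cp example.key\0"            # same name in non-directory data
    return bytes(img)
```

A hit gives the inode number the name pointed to on the old filesystem, not the key itself; the contents are only recoverable if the old inode and the data fragment it references also survived the reformat.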

  2. #2
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Oh.. Forgot to add... Some in-depth knowledge into the inner workings of UFS/UFS2 would also be appreciated

  3. #3
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hello SirDice,

    I know that I am out of my depth here, but please look at the "unstoppable copier"............. by roadkil. There is a *nix version

    Basically it will scan the disk and attempt to reassemble whatever it can find.......... it takes a hell of a long time, but it is my "weapon of last resort"

    http://www.roadkil.net/

    Please check out the "downloads" section.

    Cheers

  4. #4
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    There's nothing wrong with the disk itself i.e. no read-errors or whatever.

    I repartitioned, formatted and put a new install on it before I realized I forgot to back up this file.
    It's highly likely it got overwritten in the process but I'm not going to give up that easy

    Besides sleuthkit/autopsy I've also been playing with R-Studio, RaiseDR for UFS, Stellar Phoenix (BSD) and UFS Explorer.
    All very impressive programs, I did find other things that used to be on the 'old' filesystem. Quite shocking on one hand but hopeful on the other
    Last edited by SirDice; January 20th, 2008 at 07:50 PM.

  5. #5
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Whilst the unstoppable copier will handle damaged media, it just attempts to recover everything, so long as it hasn't been overwritten.

    It would be worth a try in my opinion

  6. #6
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    I'll give it a shot.. I don't care if it takes a week to scan..

  7. #7
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    You might find something here:

    http://www.resource.**********.com/viewforum.php?f=33
    **********/TAZForum KnowledgeBase • View forum - Computer Forensics Resources
    Last edited by Egaladeist; February 10th, 2008 at 09:47 PM.

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Trying to find 64 bytes of random data on an 80GB disk really is like searching for a needle in a haystack

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Did the file have a name?

    The unstoppable copier will attempt to reassemble all files........... so let it run then look for those that are 64 bytes long.

    When I have used it in the past it has managed to recover partial text files, which is a lot better than nothing? Obviously, in your case you need the file intact, so if you cannot find a 64 byte file then I suppose you must have overwritten it?

  10. #10
    Senior Member
    Join Date
    Dec 2004
    Posts
    3,171
    If the file has been overwritten not just deleted then according to this you can't recover it

    http://www.nber.org/sys-admin/overwr...a-guttman.html
    Can Intelligence Agencies Read Overwritten Data?
