-
January 20th, 2008, 02:42 PM
#1
Needle in a haystack
I'm looking for the proverbial needle in a heystack..
Due to my own fault I've lost an encryption key
I thought I had backed up everything when I reinstalled my server. Unfortunately later on I realized I forgot 1 64 byte file.. DOH!
The old layout of the disk had 3 slices on it (fbsd), now there's only 2. I need to find that key that used to reside in a partition inside one of the 'old' slices.
I've looked at sleuthkit/autopsy but that seems to concentrate on analyzing the current filesystem, hence I can't find it.
Tried a few windows(!) programs too but none seem to be able to find it..
I know the file's name and I know it's size, how do I go about scanning the disk looking for that info?
Preferably I'd like something that scans the whole disk looking for past info on files that are 64 bytes in size.
The filesystem is UFS2 (Freebsd). Any hints/tips are welcome.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
January 20th, 2008, 03:10 PM
#2
Oh.. Forgot to add... Some in depth knowledge into the inner workings of UFS/UFS2 would also be appreciated
Oliver's Law:
Experience is something you don't get until just after you need it.
-
January 20th, 2008, 05:11 PM
#3
Hello SirDice,
I know that I am out of my depth here, but please look at the "unstoppable copier"............. by roadkil. There is a *nix version
Basically it will scan the disk and attempt to reassemble whatever it can find.......... it takes a hell of a long time, but it is my "weapon of last resort"
http://www.roadkil.net/
Please check out the "downloads" section.
Cheers
-
January 20th, 2008, 07:44 PM
#4
There's nothing wrong with the disk itself i.e. no read-errors or whatever.
I repartitioned, formatted and put a new install on it before I realized I forgot to backup this file.
It's highly likely it got overwritten in the process but I'm not going to give up that easy
Besides sleuthkit/autopsy I also been playing with R-Studio, RaiseDR for UFS, Stellar Phoenix (BSD) and UFS Explorer.
All very impressive programs, I did find other things that used to be on the 'old' filesystem. Quite shocking on one hand but hopeful on the other
Last edited by SirDice; January 20th, 2008 at 07:50 PM.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
January 20th, 2008, 07:49 PM
#5
Whilst the unstoppable copier will handle damaged media, it just attempts to recover everything, so long as it hasn't been overwritten.
It would be worth a try in my opinion
-
January 20th, 2008, 07:52 PM
#6
I'll give it a shot.. I don't care if it takes a week to scan..
Oliver's Law:
Experience is something you don't get until just after you need it.
-
January 20th, 2008, 07:52 PM
#7
You might find something here:
http://www.resource.**********.com/viewforum.php?f=33
**********/TAZForum KnowledgeBase • View forum - Computer Forensics Resources
Last edited by Egaladeist; February 10th, 2008 at 09:47 PM.
-
January 20th, 2008, 08:03 PM
#8
Trying to find 64 bytes of random data on an 80GB disk really is like searching for a needle in a haystack
Oliver's Law:
Experience is something you don't get until just after you need it.
-
January 20th, 2008, 08:11 PM
#9
Did the file have a name?
The unstoppable copier will attempt to reassemble all files........... so let it run then look for those that are 64 bytes long.
When I have used it in the past it has managed to recover partial text files, which is a lot better than nothing? Obviously, in your case you need the file intact, so if you cannot find a 64 byte file then I suppose you must have overwritten it?
-
January 20th, 2008, 08:27 PM
#10
If the file has been overwritten not just deleted then according to this you can't recover it
http://www.nber.org/sys-admin/overwr...a-guttman.html
Can Intelligence Agencies Read Overwritten Data?
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|