I would dd it first, and *then* try massaging data, because then you can work on (a copy of) the backup, which is safer in case of fsck ups.
If you're doing forensics, I would like to redirect you to porcupine.org for TCT, or Google SourceForge for "Biatchux", the bootable CD with TCT/TCT-utils *and Perl* already prepped on it. TCT requires practice though.
Another thing: if you're running into suspect files, Google the 'net for "the Honeypot project". Their Scan Of the Month dir contains a lot of info like approach/analysis, which can be beneficial for speeding up/recognizing stuff.
HTH somehow
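The image-first workflow from the post above, sketched as an added example that is not part of the original post: take one dd image, record its hash, lock it, and do all further work on a second copy. The function names and the `master.dd` / `work.dd` / `master.sha256` layout are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: image first, then only ever touch a working copy.
# SRC may be a block device or (as when testing) a regular file.

# hash_of FILE: print only the SHA-256 hex digest of FILE
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# acquire SRC OUTDIR
# Writes OUTDIR/master.dd (read-only), OUTDIR/master.sha256 and
# OUTDIR/work.dd (scratch copy). Non-zero return means do not trust the image.
acquire() {
    src=$1
    outdir=$2
    master="$outdir/master.dd"
    work="$outdir/work.dd"

    mkdir -p "$outdir" || return 1
    # Never overwrite an image that was already taken.
    if [ -e "$master" ]; then
        echo "refusing to overwrite $master" >&2
        return 1
    fi

    # 1. Bit-for-bit copy of the source. (On failing media people often add
    #    conv=noerror,sync, which pads unreadable blocks and changes the hash.)
    dd if="$src" of="$master" bs=64k 2>/dev/null || return 1

    # 2. The image must hash identically to the source it came from.
    src_sum=$(hash_of "$src")
    img_sum=$(hash_of "$master")
    if [ -z "$img_sum" ] || [ "$src_sum" != "$img_sum" ]; then
        echo "image differs from source" >&2
        return 1
    fi
    echo "$img_sum  master.dd" > "$outdir/master.sha256"

    # 3. Lock the master, then make the copy that analysis may modify.
    chmod 0444 "$master"
    cp "$master" "$work" && chmod 0644 "$work" || return 1
    [ "$(hash_of "$work")" = "$img_sum" ]
}

# verify_master OUTDIR: succeed only if master.dd still matches its recorded hash
verify_master() {
    ( cd "$1" && sha256sum -c master.sha256 >/dev/null 2>&1 )
}
```

Run `verify_master` again after any tool has touched the case directory; if it fails, discard `work.dd` and re-copy from `master.dd`.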