Linux - Newbie
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
What I'm looking for is an educated opinion on what options there are for windows file recovery from a Linux boot medium. I have a friend of a friend who has a laptop that had files deleted from it by a supposed "Windows Guru" (divorce is an ugly thing). An initial attempt by another Guru failed to recover but a few files. I am on a short list to have my go at it and was wondering if anyone had any particular success with one tool or another. I plan to try and do my recovery attempts with one of the various rescue CDs or with Helix. I'd appreciate anyone's opinion on a tool they've had success with.
If you posted more details you would get a better evaluation of the actual case. If the files are on a harddisk the information should be there providing that nothing has been written to the drive. Hope exists as long as the drive isn't used and the data overwritten.
This seems like a powerful, standing argument for backup.
If the files are on a harddisk the information should be there providing that nothing has been written to the drive. Hope exists as long as the drive isn't used and the data overwritten.
You're absolutely right. One can easily name tools (photorec and foremost being the most often recommended OSS header/footer carvers) but events (read/writes, files deleted how?) leading up to the current (one person inspected the drive how?) situation may change expectancy because no tool can compensate for people forgetting SOP (that starts with acquiring and working on a 'dd'-like copy of the disk, not the disk itself).
Originally Posted by H_TeXMeX_H
Testdisk and foremost are the best programs to use.
Just curious: best as in or compared to what?
Last edited by unSpawn; 12-10-2008 at 12:33 PM. Reason: corrected spelling
I wish I had more info myself. There seems to be a lawyer involved and the lawyer has the laptop. I've asked the guy who is trying to get the data back if there are any requirements for chain of custody or rules of evidence that have to be applied and he isn't sure. All I received for info is that someone deleted data, someone tried to recover it and decided whoever deleted it knew what they were doing, and there is some box within a box in the center of the screen when it boots up. I'm treating it like a normal recovery for the average Windows sufferer. I don't know if the files are for leverage in a divorce or a simple desire to get things back. I'm thinking the latter. I'm not sure if the partitions have been messed with or if they've been formatted. I suspect that I'll be able to recreate the partitions and then may have the task of trying to recapture some dead files. I'll check out the programs you suggested and am still open for more suggestions.
Well, perhaps I should have said good, but it can also be taken to mean as best-known.
It's a good point tho that you should try not to let that partition get changed in the process of recovering the data. So, make sure to save files it recovers to either another partition or another HDD. You can also make an image using 'dd', but you'd have to have enough space to store the whole size of the partition, usually too large to consider.
I planned on making a forensic grab through a netcat listener with another machine or working from ramdisk with a bootdisk. Helix has foremost and fatback and one should show results. Many of the boot CDs have testdisk on them. I have a handful of DOS tools to fall back on if need be. I had forgotten about foremost. At this point all of the volatile data is gone and memory will hold little to no clues. I have no idea on the size of the drive and I know of no plans or requirements for doing a bitcopy of the drive. I've often had to rescue systems that had a broken FAT or were accidentally deleted or repartitioned. This particular instance looks to have been more purposeful and perhaps even skillfully done. The IT department where the laptop owner works did the initial investigation and recovery attempt. If the guy's IT department got a crack at the laptop, evidence collection requirements are probably moot. My impression is that the files were wiped with a file shredder or the partitions were reformatted. I'm supposed to find out today what the lawyer says.
My first thought would be to use an external program to clone the drive to another drive while in the presence of someone who could, if necessary, say with authority that you did nothing more. I assume that cloning would not alter the original drive, leaving you to work with the clone while the lawyers keep track of the original.
My impression is that the files were wiped with a file shredder or the partitions were reformatted. I'm supposed to find out today what the lawyer says.
If they were shredded, then the chances of recovery are low, but if the partition was formatted, then the chances are high. The recovery tools don't care about partition, they can recover data based only on file headers.
Well, perhaps I should have said good, but it can also be taken to mean as best-known.
Fair enough. I was just wondering if "best" was the verdict of you comparing file carver results.
Originally Posted by kelly1369
I planned on making a forensic grab through a netcat listener
Whatever you think will be fastest. If it's a more or less recent and regular laptop it'll have between say 80GB and 320GB. Personally I'd hook up some Firewire or USB2 slave drive then use 'linen' from the HELIX CD because it can compress, checksum and chunk the image (and with libewf you can access or export from E01's easily). If it fails due to sector errors you'll still have dcfldd, ddrescue et cetera. Before you boot up you should inspect the machine, examine each slot (eject contents), check for anything "weird" or scratch marks. Remove the battery, attach the power adapter then boot up. It helps to know the default keys to access the BIOS (ESC, DEL, F2, etc) and if it boots to disk you can cut the power immediately. Take pictures of each BIOS screen, especially the time settings, device configuration, disk specs and passwords. After that force it to boot only from CDROM or DVD (cutting the power as it tries to boot the HD). But before you do (to avoid making assumptions or errors) ...
Originally Posted by kelly1369
I'm supposed to find out today what the lawyer says.
...it indeed would be good to get outlined by an authoritative person what you're supposed to do and who takes responsibility for whatever it is you'll be doing.
After talking some more with the computer owner, I find that they do not own the computer as it is the assumed property of the to-be-exwife. They have the computer for a short period of time. It is no longer a laptop but a tower (no amenities such as monitor or keyboard). That being said, I'll probably have to clone the drive with dd. I agree that if a quality shredder has been used, it is pretty dismal for the recovery process. I personally am hoping it was a formatting attempt or simple deletion. The target information seems to be emails, address book, pictures, and temporary Internet files. I'm fairly well versed in forensic analysis of live systems, now I just have to play with a dead one. I talked with the lawyer and it appears that I need only make one copy and it is agreed that what we find on the copy will not be refuted. I'll probably do a hash of the original to verify if the original no longer matches the copy and its original state. I'm told I'm putting a couple of FBI guys out of work. Makes it worth my while.
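The dd-based clone plus hash verification that the thread keeps returning to (image the drive, hash the original and the copy, work only on the copy), written out as an added example rather than anything posted in the thread. It assumes a real source would be a block device such as /dev/sdb; here a constructed 1 MiB file stands in so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Acquires a raw image of a source
# device with dd, then proves the image matches the source by SHA-256.
# SRC is assumed to be a block device like /dev/sdb on a real job; the
# test below substitutes a constructed file so nothing touches real disks.
set -u

make_sample_source() {
    # Constructed stand-in for the suspect disk: 1 MiB of random bytes.
    dd if=/dev/urandom of="$1" bs=4096 count=256 2>/dev/null
}

acquire_image() {
    # Bit-for-bit copy. conv=noerror,sync keeps reading past bad sectors
    # and zero-pads them so offsets in the image stay aligned with the source.
    # The source is only ever opened for reading; a hardware write blocker
    # is still the control that guarantees that.
    src="$1"; img="$2"
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
}

hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

verify_image() {
    # Records both hashes beside the image and returns 0 only when the
    # image hash equals the source hash (1 if the copy is incomplete or altered).
    src="$1"; img="$2"
    src_hash=$(hash_of "$src")
    img_hash=$(hash_of "$img")
    printf '%s  source\n%s  image\n' "$src_hash" "$img_hash" > "$img.sha256"
    [ "$src_hash" = "$img_hash" ]
}

# Usage on a real case (assumed device name): acquire_image /dev/sdb case.img
#                                             verify_image  /dev/sdb case.img
```

Keep the .sha256 file with the image: re-hashing the image later and comparing against it is what lets you show the copy has not changed since acquisition.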
One more note: while making assumptions based on what was learned and experienced is automagical, when performing forensic(-like) tasks there should be no place for assumptions, hearsay, impressions or whatever else. Rely only on facts, record only factual information. At least that's what I learnt to do when performing forensics.
I haven't tried Linen. Sounds like good advice. The drive is rumored to be 200GB. I'll be inspecting the computer tomorrow and identifying, for myself, the actual drive dimensions and type. Once I have a drive to duplicate, I'll take custody of the drive. Full chain of custody seems to be in effect although I'm told once I make the copy of the original, the computer with original will be returned to the wife and she will begin using it normally again. It pretty much requires that the copy be maintained in original format and that I make two copies or that once the copy is made, there will be no write blocker requirements in effect. I'll make the lawyer choose that route. When I make the copy I'm going the external route and passing off the requirements of drive purchasing to the requester. He is saving $2K through the buddy system and can afford a hard drive. The sad thing here is that whatever I find won't change anything. The guy might find some closure or just find more pain. It isn't a criminal proceeding so whatever is found is just leverage for what I believe to be is child custody. It takes a lot to pry custody away from the mother.
My job is to report what I found and not what I think I found or to speculate on what the meaning is of what I found. I would like the lawyer to determine the judge's feelings about computer evidence before I go down this road. Many a judge looks at computer files as hearsay and a lot never sees the court room. There may be a challenge on the reliability of the evidence as to the time frame and unknown persons that may have had contact with the system. Hopefully the judge will conclude that the data reflects that of the computer, declare it as original evidence and not secondary evidence or hearsay. There is plenty of room for a technicality to railroad the evidence getting presented in the court case. At the end of the day they are still getting divorced so a judge may look at it as immaterial.
Pen testers will use a special IDE cable, connecting it from their computer to the hard drive being examined. This cable will not allow any writes. They will then clone the entire drive and only work with the image. I don't know if a similar cable exists for sata disks. You might try investigating on the net. Maybe a jumper combination will disable writing to the drive.
I read of one case where someone forgot to seal the signed (or stamped) manila envelopes and the drives fell out, ruining the value of the drives as evidence in court.