Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
07-29-2005, 09:26 PM
|
#1
|
Senior Member
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430
Rep:
|
How can I view delete files?
How can I view delete files? If that space has not been overwritten yet.
|
|
|
07-29-2005, 09:43 PM
|
#2
|
LQ Guru
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,881
|
As far as I am aware, no Unix filesystem provides "undelete" capability. Sorry.
|
|
|
07-29-2005, 09:45 PM
|
#3
|
Senior Member
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430
Original Poster
Rep:
|
How does the FBI do it then?
Surely the data is still on the drive immediately after the file was deleted.
Is there an open source software package that lets me view files (data on the drive) not listed with the ls command?
|
|
|
07-29-2005, 09:59 PM
|
#4
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
Checkout the forensics section in security references thread. There are a number of links on "undeletion" including a number of tools used in forensic file recovery. Ease of recovery depends alot on your type of filesystem and some of the tools are less than user-friendly, so your mileage may vary.
|
|
|
07-29-2005, 10:11 PM
|
#5
|
Member
Registered: May 2004
Location: UK
Distribution: Gentoo
Posts: 293
Rep:
|
|
|
|
07-30-2005, 09:32 AM
|
#6
|
Member
Registered: Dec 2001
Location: Portugal
Distribution: /Red Hat/Fedora/Solaris
Posts: 622
Rep:
|
Howzit
The easiest way to explain this is in the following manner. Imagine a filing cabinet and in each draw u have a indexer so that you are able to find the location of the file. When u delet a file it removes the indexer therefore the file still remains on disk. When you copy a new file onto the system because that area is no longer marked by the indexer the file may be copied to the same area and if that happens then the file is lost for good. If the file gets copied to another area then the original data still remains in that area which then with special tools you are able to recover that data from the disk.
Hope this helps
Cheers
Tony
|
|
|
07-30-2005, 10:37 AM
|
#7
|
Senior Member
Registered: Feb 2004
Location: lost+found
Distribution: CentOS
Posts: 1,430
Original Poster
Rep:
|
Which one has the best interface to view a windows harddrive?
Has anyone used:
http://www.sleuthkit.org/autopsy/download.php
|
|
|
07-30-2005, 05:11 PM
|
#8
|
Senior Member
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658
Rep:
|
Depends on what you prefer, but Autopsy has a GUI interface and has support for NFTS and FAT partitions. TCT would go under "not particularly user-friendly". Here's also a brief review of it (Autopsy):
http://www.informit.com/guides/conte...eqNum=107&rl=1
|
|
|
All times are GMT -5. The time now is 05:26 PM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|