On Thu, Jun 27, 2024 at 02:49:07PM -0600, Andy Bradford wrote:
> Thus said Anon Loli on Thu, 27 Jun 2024 04:12:57 -0000:
>
> > No kidding? The 1st few people made it sound like it's going to be
> > relatively easy :(
>
> I don't think anyone said it was going to be easy, only that your
> primary focus should be simply to get a good copy of the raw unencrypted
> partition while it was still available using simple techniques as
> quickly as possible.
>
> If you have obtained it, your next goal should be to figure out now what
> to do with it. As I understand it, you wrote 74MB of garbage at the
> front of that partition. This will have undoubtedly destroyed filesystem
> metadata and some other data. Can the filesystem be "recreated" in the
> first 74MB as just empty filesystem space while leaving the rest of the
> existing data and filesystem in tact? I don't know the answer to that.
> Maybe there is someone with more FFS experience that does. Presumably
> you know the exact size of the partition and so could at least recreate
> an empty filesystem using newfs with the same parameters. Could it
> possible to then stich in or reattach chunks of data into this from your
> copy? Again, I don't know. Who does?
>
> Any work you do at recovery should be done on yet another copy of the
> same data so that you can keep one "master" copy around just in case.
>
> Some tools for recovering files can be found in packages like sleuthkit
> and testdisk. There may be others of which I'm unaware.
>
> Andy
>
I'll see what I can do with Sleuth Kit, thanks!
No comments:
Post a Comment