Undelete from MS-DOS/VFAT from Linux?

Andy Bair pab at korelogic.com
Fri Jul 18 07:04:50 EDT 2008


Ben,

You should look into the sleuthkit which has a bunch of tools that can
help you examine a disk image or file system.

  http://www.sleuthkit.org/sleuthkit/

Also, there's an older article below which describes using fls and icat
to pull out deleted files.

  http://www.sleuthkit.org/informer/sleuthkit-informer-14.html#recover

Let me know if that helps you and if you need any more help.

Andy

KoreLogic Security
603.465.3236 (Office)
603.340.2498 (Mobile)
http://www.korelogic.com
GnuPG Fingerprint: 688A 79EC B1E5 5748 CE87  1F20 2C45 60E7 0583 23B6

On Fri, Jul 18, 2008 at 01:55:56AM -0400, Ben Scott wrote:
>   I've got a FAT-formatted flash drive with a deleted file on it I'd
> like to get back.  I'm pretty sure the file is still there, just the
> directory entry for it is deleted. I'm wondering if anyone here has
> knowledge on this.
> 
>   I found "mundelete" on SourceForge, but it seems to have a serious
> case of software rot.  All I can get it to do is segfault.  Plus the
> docs stink and the code is a mess.
> 
>   I found reference to using fsck.vfat with the -u switch, but I get
> this, which looks bad:
> 
> Warning: Did only undelete 26 of 2529 clusters.
>   File size is 41428540 bytes, cluster chain length is 425984 bytes.
>   Truncating file to 425984 bytes.
> 
>   I'm not sure if that means the FAT chains have been lost, or just
> that fsck is confused.
> 
>   I dismounted the flash drive as soon as I realized the file was
> deleted, so I am expecting the FAT chains to be intact.  But maybe my
> luck is bad.
> 
> -- Ben
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://mail.gnhlug.org/mailman/private/gnhlug-discuss/attachments/20080718/a1f7d2ce/attachment.bin 


More information about the gnhlug-discuss mailing list