Undelete from MS-DOS/VFAT from Linux?
Andy Bair
pab at korelogic.com
Fri Jul 18 07:04:50 EDT 2008
Ben,
You should look into the sleuthkit which has a bunch of tools that can
help you examine a disk image or file system.
http://www.sleuthkit.org/sleuthkit/
Also, there's an older article below which describes using fls and icat
to pull out deleted files.
http://www.sleuthkit.org/informer/sleuthkit-informer-14.html#recover
Let me know if that helps you and if you need any more help.
Andy
KoreLogic Security
603.465.3236 (Office)
603.340.2498 (Mobile)
http://www.korelogic.com
GnuPG Fingerprint: 688A 79EC B1E5 5748 CE87 1F20 2C45 60E7 0583 23B6
On Fri, Jul 18, 2008 at 01:55:56AM -0400, Ben Scott wrote:
> I've got a FAT-formatted flash drive with a deleted file on it I'd
> like to get back. I'm pretty sure the file is still there, just the
> directory entry for it is deleted. I'm wondering if anyone here has
> knowledge on this.
>
> I found "mundelete" on SourceForge, but it seems to have a serious
> case of software rot. All I can get it to do is segfault. Plus the
> docs stink and the code is a mess.
>
> I found reference to using fsck.vfat with the -u switch, but I get
> this, which looks bad:
>
> Warning: Did only undelete 26 of 2529 clusters.
> File size is 41428540 bytes, cluster chain length is 425984 bytes.
> Truncating file to 425984 bytes.
>
> I'm not sure if that means the FAT chains have been lost, or just
> that fsck is confused.
>
> I dismounted the flash drive as soon as I realized the file was
> deleted, so I am expecting the FAT chains to be intact. But maybe my
> luck is bad.
>
> -- Ben
> _______________________________________________
> gnhlug-discuss mailing list
> gnhlug-discuss at mail.gnhlug.org
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://mail.gnhlug.org/mailman/private/gnhlug-discuss/attachments/20080718/a1f7d2ce/attachment.bin
More information about the gnhlug-discuss
mailing list