

Datarecovery ext3 partition




Posted by dennisstorm, 12-29-2011, 05:59 AM
Hi all! At the moment I'm working on a bit of data recovery. On a XenSource environment a disk image spontaneously got "lost". We use DD'd images with a full partition structure on it.

After an analysis with The Sleuth Kit, Autopsy and ext3grep I found the following (see attached screenshot from Autopsy). The file "disk.img" is marked as deleted, however, there's no modification time or metadata leftover to be found (not even a realloc target). When looking at other deleted files on the same partition it is *always* the case that there is reallocated metadata to be found, no exception.

Out of the superblock backups I found the inode which was linked to the file, and found the blocks which were assigned to the file (direct blocks, indirect blocks, double indirect blocks and triple indirect blocks). As far as I can see these blocks haven't been reused yet, so there should be data in there. I DD'd and concatenated the blocks together and found a partition table (same size as the lost disk image). However, I haven't been able to read the other blocks within the image.

Photorec can find a whole bunch of files, but they're absolutely unusable when trying to restore everything to a working position, because it doesn't use the original file and directory structures/names.

Does anyone have any idea how to move this along, if there are other tools which I haven't tried yet? I could send everything to an external data recovery company, but since the prices of this are very high it isn't our first choice. Any help/ideas/tips would be greatly appreciated!
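
The block-map walk the post describes (direct, indirect, double indirect and triple indirect blocks), as an added example that is not part of the original post: it follows the 15 `i_block` pointers of an ext3 inode in file order, treats pointer blocks as map metadata that is followed rather than copied into the output, and reads zero pointers as holes. All function names and the toy 16-byte block size in the constructed sample are assumptions made for illustration.

```python
import struct

def read_block(img, n, bs):
    """Return block n of the image; pointer 0 is a hole and reads as zeros."""
    if n == 0:
        return bytes(bs)
    blk = img[n * bs:(n + 1) * bs]
    if len(blk) != bs:
        raise ValueError(f"block {n} lies outside the image")
    return blk

def walk(img, n, level, bs):
    """Yield data block numbers under pointer n in file order.
    level 0 = data, 1 = indirect, 2 = double indirect, 3 = triple indirect."""
    if level == 0:
        yield n
    elif n == 0:                       # hole spanning a whole pointer subtree
        yield from (0 for _ in range((bs // 4) ** level))
    else:                              # pointer block: map metadata, never file content
        for p in struct.unpack(f"<{bs // 4}I", read_block(img, n, bs)):
            yield from walk(img, p, level - 1, bs)

def data_blocks(img, i_block, bs, size):
    """Data block numbers for the 15 i_block entries, limited to i_size bytes."""
    needed, out = -(-size // bs), []
    for idx, ptr in enumerate(i_block):          # 0-11 direct, 12/13/14 indirect levels
        for b in walk(img, ptr, max(0, idx - 11), bs):
            if len(out) == needed:
                return out
            out.append(b)
    return out

def extract(img, i_block, bs, size):
    """Rebuild file content from the block map, cut to the recorded file size."""
    return b"".join(read_block(img, b, bs) for b in data_blocks(img, i_block, bs, size))[:size]

def demo():
    """Constructed 16-byte-block image (real ext3 uses 1024 to 4096): 14-block file, one hole."""
    bs = 16
    blocks = [bytes(bs)] * 40
    direct = list(range(1, 13))                   # data in blocks 1..12
    direct[3] = 0                                 # fourth file block is a hole
    for i, b in enumerate(direct):
        if b:
            blocks[b] = bytes([65 + i]) * bs
    blocks[20] = struct.pack("<4I", 30, 31, 0, 0)  # single indirect block
    blocks[30], blocks[31] = b"M" * bs, b"N" * bs
    return extract(b"".join(blocks), direct + [20, 0, 0], bs, 14 * bs - 5)

if __name__ == "__main__":
    print(demo())
```
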


