Some files recovered, next problem (ot)

Pamisano pamisano at earthlink.net
Fri Jun 11 12:34:32 CDT 2004


I know this probably is not an option due to price, but FTK, Forensic
Toolkit, is great for recovering email. 
http://www.accessdata.com/Product04_Overview.htm

It is one of the best tools I have used for recovering emails.  It is,
unfortunately, winblows based.  The really unfortunate thing is that the best
forensic suites are Windows-based, i.e., EnCase, FTK, iLook.

There is SMART by ASR Data, which is a linux based tool, but I don't have a
lot of experience with it.

...there is always diskedit :)
--
There's a war out there, old friend. A world war. And it's not about who's
got the most bullets. It's about who controls the information.

--------- Original Message --------
From: Jim Herrmann <kclug at ItDepends.com>
To: kclug <kclug at kclug.org>
Subject: Some files recovered, next problem

>
> OK, thanks to The Coroner's Toolkit (tct) I have recovered a few files.
> Here's how it went, then I'll describe the next problem.  Thank you for
> bearing with me.
>
> I used the "unrm" program to extract the first 1.9G of unallocated
> space.  It would have done all 29G of unallocated space, but then
> lazarus would have had a problem with too big a file.  I figure if I can
> manage to get the first 2G and do something with it, we'll be happy.
> So, that was pretty quick then I started lazarus on the 2G file last
> night about 11:00 p.m.  I came home and checked it at about 7:00p.m. and
> it was still running.  I checked it again at about 9 and it had
> finished.  29734 files!  The files are in a directory called "blocks".
> It also generates a few HTML files that help navigate the mess.  It
> tries to identify files as text, mail, html, c code, binary, image, and
> some more.  The problem with modern mail is, of course, it's really hard
> to tell the mail from the html and the images.  Be that as it may, if I
> could just get the mail back, it would be a start.
>
> So, I'm trying to run a perl script that comes with tct called rip-mail,
> which tries to make readable mail files out of the lazarus mess.  When
> I do I get the following:
>
> linux:/home/jim/Downloads/tct-1.14 # perl ../lazarus/post-processing/rip-mail blocks/*.m.txt
> bash: /usr/bin/perl: Argument list too long
>
> Which I'm guessing means there are too many files from the directory.
> rip-mail works when I specify just one or two files.  The thought of
> going through 29,000+ files by hand seems ludicrous to me.  Plus I'm
> sure it's not necessary, if I only knew how to proceed.  I think the
> rip-mail will work best if I run the list of file names, space delimited
> into the script.
>
> Wait, now I see that ls doesn't like this either:
>
> jim at linux:~/Downloads/tct-1.14/blocks> ls *.m.txt
> bash: /bin/ls: Argument list too long
>
> This should be an easier problem for you linux gurus to solve.  Why
> can't I list this directory.  Remember that there are 29734 directory
> entries.  I know because I can list the whole thing, but not with a mask.
>
> Thoughts to the list for all to learn, please.  Plus that helps
> eliminate duplicate answers.
>
> Thanks so much,
> Jim

________________________________________________
Message sent using UebiMiau 2.7.2
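The "Argument list too long" error in the quoted message is the kernel's ARG_MAX limit: the shell expands `blocks/*.m.txt` into 29734 separate arguments before `perl` or `ls` ever runs, and the total size of argv exceeds what one execve() call may carry. The fix is not to expand the glob at all but to let find enumerate the names and hand them to the command in batches. The script below is an added example, not from the thread or from TCT; `process_mail_blocks` takes a directory, a batch size and the command to run (for the poster that would be `perl ../lazarus/post-processing/rip-mail`, here supplied by the caller), and `make_fixture` builds a constructed directory of fake lazarus blocks so the example runs offline.

```shell
#!/bin/sh
# Added example (not from the original thread or from TCT): run a command over
# thousands of lazarus "*.m.txt" blocks without hitting ARG_MAX.  The directory
# contents used for the demo are constructed by make_fixture below.

# Kernel limit on the combined size of argv+envp for a single exec.  Globbing
# 29734 names onto one command line is what exceeded it in the original post.
show_arg_max() {
    getconf ARG_MAX
}

# Count matching entries without a glob: find prints names one per line, so
# nothing is ever passed as a single oversized argument list.
count_mail_blocks() {
    dir=$1
    find "$dir" -maxdepth 1 -type f -name '*.m.txt' | wc -l | tr -d ' '
}

# Run "$@" over the *.m.txt files in "$dir", at most $batch names per exec.
# -print0 / -0 keep file names with spaces or newlines intact, and -n caps the
# batch size so each invocation stays far below ARG_MAX.
# Usage for the poster's case (rip-mail path assumed from the thread):
#   process_mail_blocks blocks 500 perl ../lazarus/post-processing/rip-mail
process_mail_blocks() {
    dir=$1; batch=$2; shift 2
    find "$dir" -maxdepth 1 -type f -name '*.m.txt' -print0 \
        | xargs -0 -n "$batch" "$@"
}

# Same idea without xargs: find's "-exec ... {} +" packs as many names as fit
# into each exec on its own, so no batch size needs choosing.
process_mail_blocks_exec() {
    dir=$1; shift
    find "$dir" -maxdepth 1 -type f -name '*.m.txt' -exec "$@" {} +
}

# Constructed fixture: $n fake mail blocks plus a decoy .html next to each,
# mimicking the mixed output lazarus leaves in its "blocks" directory.
make_fixture() {
    dir=$1; n=$2
    mkdir -p "$dir"
    i=1
    while [ "$i" -le "$n" ]; do
        printf 'From: test@example.org\nSubject: block %s\n\nbody\n' "$i" \
            > "$dir/$i.m.txt"
        : > "$dir/$i.html"   # decoy that must not match '*.m.txt'
        i=$((i + 1))
    done
}
```

Two caveats a practitioner would check first: `find -maxdepth 1` keeps the search to the one directory lazarus wrote, and `-type f` skips the HTML index files it also generates only by name pattern, so confirm the tool you pass in tolerates being called once per batch rather than once for the whole set (rip-mail is called separately for each batch, which is fine for a per-file converter but would matter for a tool that builds one combined index).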
