Logo 
Search:

Unix / Linux / Ubuntu Answers

Ask Question   UnAnswered
Home » Forum » Unix / Linux / Ubuntu       RSS Feeds
  on Nov 27 In Unix / Linux / Ubuntu Category.

  
Question Answered By: Adah Miller   on Nov 27

I'm no expert, but my understanding is that the superblock contains the
information about the filesystem like which locations on the disk the files
reside. This is the data that gets erased, and the locations of your old
files are just marked as unused so new files can write over them. The data
may still be there, it's just going to take some work to get it and you may
not get all of it. I don't know how big the drive is but you can use 'dd'
to make a bit for bit copy of the drive (you're going to need another drive
at least as big to hold the image file) so you can work on the computer or
just DONT DO ANYTHING on the computer as this will potentially overwrite the
data you want to get to. There is a set of programs called the Coroner's
toolkit that may help. Backtrack4 has a bunch of forensics tools too.
There are also programs that you can buy that may help. Keep us posted
though, I'm sure there is someone out there with some forensics experience.

Share: 

 

This Question has 16 more answer(s). View Complete Question Thread

 
Didn't find what you were looking for? Find more on undelete?? Or get search suggestion and latest updates.

Related Topics:

Tagged: