Archive for December, 2010

File recovery

Wednesday, December 22nd, 2010

So someone left us with a corrupt USB stick at work a couple of days ago. No joy with that, but she had another USB stick which was still working, from which she had deleted the same data recently, and it hadn't been used since.
After a crapload of mucking around and a lot of reference to

I combined elements of all the above into the following script, which recovered most of the deleted files.

The main trick was the arguments on icat – I was confused for a while because it was finding all the files, but only creating 4 KB of them. Turns out I needed the -r -s arguments. The reason is how FAT deletes a file: the directory entry keeps the starting cluster and the size, but the cluster chain in the FAT is cleared, so without -r icat can only read the first cluster (4 KB on this stick). -r tells icat to treat the file as deleted and recover it by reading clusters contiguously from the start for the recorded size, which works as long as the file wasn't fragmented; -s appends the slack space at the end of the last cluster as well.

The script is below. It reads a list of inode numbers from /tmp/inodes, which is created by the following command:

# -r lists only deleted (unallocated) inodes. The filesystem type and offset
# must match the ones the script passes to ffind and icat, otherwise the inode
# numbers refer to a different filesystem. The awk test keeps only rows whose
# first field is numeric, dropping the header lines ils prints.
ils -r -f fat -o 63 /media/Images/USBImage | awk -F '|' '$1 ~ /^[0-9]+$/ {print $1}' > /tmp/inodes

#!/bin/bash
# Recover the deleted inodes listed in /tmp/inodes from the FAT filesystem
# on the USB stick image, rebuilding their original directory layout.
imgpath=/media/Images/USBImage   # raw image of the whole stick
outpath=/tmp/recovered           # where recovered files are written (pick your own)

# -o 63 was needed because I imaged the raw disk rather than just the partition.
# The offset (in sectors) was found using autopsy - part of sleuth tools, used
# for this; mmls on the image shows it too.
imgargs=" -f fat -o 63 ${imgpath} "

for inode in $(cat /tmp/inodes) ; do

	# ffind prints the path of a deleted entry as "* /dir/file". It exits 0
	# even when it finds no name, so test the output, not the exit status.
	INODEDIR=$(ffind ${imgargs} "$inode")
	case "$INODEDIR" in
		\*\ /*) INODEDIR=${INODEDIR#\* } ;;
		/*)     ;;
		*)      echo "INODE: $inode - $INODEDIR" ; continue ;;
	esac
	echo "INODE: $inode $INODEDIR"

	# A directory inode whose contents were already recovered below it
	# cannot be written as a file; skip it.
	[ -d "${outpath}${INODEDIR}" ] && continue

	REALDIR=${outpath}$(dirname -- "$INODEDIR")
	# I found this worked better than the method used by one of the links
	# to create directories. What happens is a directory inode may have been
	# written out as a file earlier; if a later file then needs that path as
	# a directory, mkdir -p fails, so the file is removed and the directory
	# is created instead. The loop checks every component above the target.
	if ! mkdir -p "$REALDIR" 2>/dev/null ; then
		p=$REALDIR
		while [ "$p" != "$outpath" ] && [ "$p" != / ] ; do
			[ -e "$p" ] && [ ! -d "$p" ] && rm -f -- "$p"
			p=$(dirname -- "$p")
		done
		mkdir -p "$REALDIR"
	fi

	# -r recovers a deleted file, -s appends its slack space
	icat -r -s ${imgargs} "$inode" > "${outpath}${INODEDIR}"

	echo ""
done
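As an added check, not part of the original post: the Python below parses the same pipe-delimited ils -r output the awk one-liner consumes, keeps only deleted regular files (directory inodes are skipped, since icat on one dumps raw directory entries rather than a file), and compares each recovered file's length with the st_size ils reported, so the "only 4 KB came out" symptom is caught automatically instead of by eye. The ils rows are constructed for the example; the column layout is read from the st_ino header row ils prints, and the st_alloc and st_mode conventions ('f' for a free inode, octal mode with the file-type bits) are assumed to be those of Sleuth Kit 3.

```python
"""Parse Sleuth Kit `ils -r` output, keep deleted regular files, and flag
recovered files that came out one cluster short.  Sample input below is
constructed for this example, not captured from a real image."""

# Constructed sample in the layout ils prints: a class/host header block,
# then a column-name row starting with st_ino, then one row per inode.
SAMPLE_ILS_OUTPUT = """\
class|host|device|start_time
ils|forensics-box||1293012345
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_crtime|st_mode|st_nlink|st_size
5|f|0|0|1292980800|1292976000|1292980800|1292980800|40777|1|4096
6|f|0|0|1292980800|1292976000|1292980800|1292980800|100777|1|102400
7|f|0|0|1292980800|1292976000|1292980800|1292980800|100777|1|2048
8|a|0|0|1292980800|1292976000|1292980800|1292980800|100777|1|512
"""

S_IFMT = 0o170000   # file-type mask in st_mode (assumed TSK convention)
S_IFDIR = 0o040000
S_IFREG = 0o100000


def parse_ils(text):
    """Return one dict per inode row, keyed by the names in the st_ino header.

    Field positions are taken from the header row rather than hard-coded, so a
    version of ils that adds or reorders columns still parses.  Rows whose
    first field is not numeric (the class/host block) are dropped, matching
    the awk filter used to build /tmp/inodes."""
    rows = []
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if parts[0] == "st_ino":
            fields = parts
            continue
        if fields is None or not parts[0].isdigit():
            continue
        rec = dict(zip(fields, parts))
        rec["st_ino"] = int(rec["st_ino"])
        rec["st_mode"] = int(rec["st_mode"], 8)   # ils prints mode in octal
        rec["st_size"] = int(rec["st_size"])
        rows.append(rec)
    return rows


def deleted_regular_files(text):
    """(inode, st_size) for every unallocated regular file in ils output.

    Directory inodes are excluded: running icat on one writes raw FAT
    directory entries to disk, which is what makes the mkdir-over-a-file
    problem in the shell script appear in the first place."""
    return [(r["st_ino"], r["st_size"]) for r in parse_ils(text)
            if r["st_alloc"] == "f" and (r["st_mode"] & S_IFMT) == S_IFREG]


def check_recovery(st_size, recovered_len, cluster_size=4096):
    """Classify a recovered file against the size ils recorded for its inode.

    'ok'        - at least st_size bytes came out (more is fine: icat -s
                  appends slack space from the last cluster)
    'truncated' - exactly one cluster came out, the symptom of running icat
                  without -r on a deleted FAT file
    'short'     - anything else below st_size (fragmented file, bad cluster
                  size guess, or an overwritten region)"""
    if recovered_len >= st_size:
        return "ok"
    if recovered_len == cluster_size:
        return "truncated"
    return "short"


if __name__ == "__main__":
    for inode, size in deleted_regular_files(SAMPLE_ILS_OUTPUT):
        # In practice recovered_len would be os.path.getsize() of the icat output.
        print(inode, size, check_recovery(size, 4096))
```

Run it against real output with `ils -r -f fat -o 63 image | python3 thisfile.py` style piping replaced by reading stdin, and feed each recovered file's size to check_recovery; anything reported as 'truncated' is a file that was dumped without -r and should be re-run.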