Restore files / Image acquisition 101
First of all, let's acquire an image of the disk in question so we can recover the files.
Boot your BackTrack disk (USB or disk, it does not matter much) and load up Forensics mode (no disk, no swap).
Check which disks/partitions we have:
dmesg | grep sd
Get the images from both partitions and transfer them to the workstation where you will be doing the work:
dcfldd if=/dev/sda1 | ssh username@hostname "dd of=/path/on/the/remote/machine/image1.img"
dcfldd if=/dev/sda2 | ssh username@hostname "dd of=/path/on/the/remote/machine/image2.img"
Now let's convert the images to VMware disks:
qemu-img convert -f raw /storage/data/recover/sda1.img -O vmdk /storage/data/recover/vmware-sda1.vmdk
or
wget -O raw2vmdk-0.1.3.1-jar.tar.gz "http://downloads.sourceforge.net/project/raw2vmdk/raw2vmdk-0.1.3.1-jar.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fraw2vmdk%2F&ts=1337595038&use_mirror=kent"
tar -zxvf raw2vmdk-0.1.3.1-jar.tar.gz
rm -rf raw2vmdk-0.1.3.1-jar.tar.gz
cd raw2vmdk-0.1.3.1-jar
java -jar raw2vmdk.jar /storage/data/recover/sda2.img /storage/data/recover/vmware-sda2.vmdk
Now they can be loaded into VMware and the files can be restored using:
DiskDigger (needs licence)
Recuva (free)
FreeRecovereer (free)
File Scavenger (needs licence)
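The transfer step above records no hash, so nothing later shows that the image on the workstation still matches the partition it came from. The script below is an added example, not part of the original post: it copies a source to an image, compares SHA-256 digests of both sides and stores the digest for later re-checks. The function names and the `.sha256` sidecar file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): hash-verified acquisition.
# All paths are supplied by the caller.

# Print the SHA-256 digest of a file or block device.
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# acquire_verified SRC DEST
# Copy SRC to DEST, hash both sides, record the digest in DEST.sha256.
# Returns 0 if the digests match, 1 on mismatch, 2 if the copy failed.
acquire_verified() {
    src=$1
    dest=$2
    # No conv=sync here: it pads a short final block with zeros,
    # which makes the image differ from the source.
    dd if="$src" of="$dest" bs=65536 2>/dev/null || return 2
    src_hash=$(sha256_of "$src")
    dest_hash=$(sha256_of "$dest")
    if [ "$src_hash" != "$dest_hash" ]; then
        echo "MISMATCH: $src=$src_hash $dest=$dest_hash" >&2
        return 1
    fi
    # Sidecar in sha256sum format, so 'sha256sum -c' can read it too.
    printf '%s  %s\n' "$dest_hash" "$dest" > "$dest.sha256"
    return 0
}

# check_image IMG
# Re-hash IMG and compare with the digest recorded at acquisition time.
# Run it before converting the image or loading it into a VM.
# Returns 0 if unchanged, 1 if changed, 2 if no digest was recorded.
check_image() {
    img=$1
    [ -r "$img.sha256" ] || { echo "no digest recorded for $img" >&2; return 2; }
    expected=$(awk '{print $1; exit}' "$img.sha256")
    actual=$(sha256_of "$img")
    [ "$expected" = "$actual" ]
}

# Called with two arguments (source, destination): acquire and report.
if [ "$#" -eq 2 ]; then
    acquire_verified "$1" "$2" && echo "verified: $(cat "$2.sha256")"
fi
```

With the ssh pipeline from the post, the same comparison is done by running `sha256_of` on the source partition and on the image on the workstation and checking that the two digests are equal.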
Stay tuned :)