mount slave drive

Lennart Sorensen lsorense-1wCw9BSqJbv44Nm34jS7GywD8/FfD2ys at public.gmane.org
Tue Sep 18 18:37:05 UTC 2007


On Tue, Sep 18, 2007 at 01:32:14PM -0400, Chris Aitken wrote:
> Where do I find this "/tmp" file (I know where the /tmp directory is, of 
> course) and what hex editor might I have on a fedora 7 box? Opening, 
> editing, saving and closing a config file in vi is the extent of my 
> dabbling...

Ehm, the /tmp/sdb.scan made by the dd.

> [root@p733 chris]# dd if=/dev/sdb of=/tmp/sdb.scan bs=512 count=100 
> skip=126;file /tmp/sdb.scan
> 100+0 records in
> 100+0 records out
> 51200 bytes (51 kB) copied, 2.50463 s, 20.4 kB/s
> /tmp/sdb.scan: data

Not sure how many jumps up (by one track at a time) is worth trying.

> .ogg music files, and eighty-plus image files of self-portrait-a-day a 
> friend did while waiting for a liver transplant (for the last eighty 
> -plus days of his life) that never happened. This is not as terrible as 
> it sounds - I think his widow has put out a book of the prints of the 
> paintings - I don't think she'd re-send me the original emails with the 
> eighty-plus attachments, but I could get the book if I really wanted. 
> The songs are more important (or more urgent) because I use them in my 
> guitar instruction. I could start re-building the collection from my 
> students (by ripping/burning them from their CDs) but I'm finding that 
> more and more they are using mp3s which I'm hoping not to have to get 
> into. Also, I never was able to get limewire working under linux - hence 
> my dependence on ripping/burning CDs.

Hmm, well it might be possible to search for the files on the disk.

Some tools maybe worth trying:

Package: foremost
Priority: optional
Section: admin
Installed-Size: 92
Maintainer: Gürkan Sengün <gurkan-2Ut+nkrRcIBypLqBFPtG/w at public.gmane.org>
Architecture: i386
Version: 1.3-1
Depends: libc6 (>= 2.3.6-6)
Filename: pool/main/f/foremost/foremost_1.3-1_i386.deb
Size: 40680
MD5sum: ef0dc0508bc9bbc89901f0c0843a1c85
SHA1: 60ee132160df5e0f8d471a6efa1c12b992540154
SHA256: 5691418c1ffe697990f1e631a5476242234e655cc74ef45281b752c99b86ad88
Description: Forensics application to recover data
 foremost is a console program to recover files based on their
 headers and footers for forensics purposes.
 .
 foremost can work on disk image files, such as those generated by dd, Safeback,
 Encase, etc, or directly on a drive. The headers and footers are specified by
 a configuration file, so you can pick and choose which headers you want to
 look for.
 .
  Homepage: http://foremost.sourceforge.net/
Tag: admin::recovery, hardware::storage, interface::commandline, role::program, scope::utility, security::forensics, use::scanning

Package: sleuthkit
Priority: optional
Section: admin
Installed-Size: 5876
Maintainer: Martin A. Godisch <godisch-8fiUuRrzOP0dnm+yROfE0A at public.gmane.org>
Architecture: i386
Version: 2.06-3
Depends: libc6 (>= 2.3.6-6), libgcc1 (>= 1:4.1.1-12), libssl0.9.8 (>= 0.9.8b-1), libstdc++6 (>= 4.1.1-12), zlib1g (>= 1:1.2.1), file, libdate-manip-perl
Filename: pool/main/s/sleuthkit/sleuthkit_2.06-3_i386.deb
Size: 2167642
MD5sum: 98f1953c128faffcfccbb13250bb3344
SHA1: f0987595b45a93a611560d4ce51898c189c129d7
SHA256: bf4ddd7eba421c5b3e48d5e82bfd59d07181e4f517df2d75c9c88e4aaa2f034f
Description: Tools for forensics analysis
 The Sleuth Kit (previously known as TASK) is a collection of UNIX-based
 command line file system and media management forensic analysis tools.
 The file system tools allow you to examine file systems of a suspect
 computer in a non-intrusive fashion. Because the tools do not rely on
 the operating system to process the file systems, deleted and hidden
 content is shown.
 .
 The media management tools allow you to examine the layout of disks and
 other media. The Sleuth Kit supports DOS partitions, BSD partitions
 (disk labels), Mac partitions, and Sun slices (Volume Table of
 Contents). With these tools, you can identify where partitions are
 located and extract them so that they can be analyzed with file system
 analysis tools.
 .
 When performing a complete analysis of a system, we all know that
 command line tools can become tedious. The Autopsy Forensic Browser is
 a graphical interface to the tools in The Sleuth Kit, which allows you
 to more easily conduct an investigation. Autopsy provides case
 management, image integrity, keyword searching, and other automated
 operations.
 .
 The Sleuth Kit's upstream homepage can be found at
 http://www.sleuthkit.org/sleuthkit/.
Tag: admin::forensics, interface::commandline, role::program, scope::utility

Package: autopsy
Priority: optional
Section: admin
Installed-Size: 1376
Maintainer: Lorenzo Martignoni <martignlo-8fiUuRrzOP0dnm+yROfE0A at public.gmane.org>
Architecture: all
Version: 2.08-1
Depends: sleuthkit (>= 2.00-1), perl, binutils
Filename: pool/main/a/autopsy/autopsy_2.08-1_all.deb
Size: 379390
MD5sum: 6d2684e8c2995c701c694d2be34881f5
SHA1: 6c69fa071e730deee1bf6dc64400e93301d142a8
SHA256: 342c2c5b52644c087d4234adc58a20bf520607aea3f8e065423839a6322b762f
Description: graphical interface to SleuthKit
 The Autopsy Forensic Browser is a graphical interface to the command line
 digital forensic analysis tools in The Sleuth Kit. Together, The Sleuth Kit
 and Autopsy provide many of the same features as commercial digital forensics
 tools for the analysis of Windows and UNIX file systems (NTFS, FAT, FFS,
 EXT2FS, and EXT3FS).
Tag: interface::commandline, role::program, scope::utility, security::forensics

Package: magicrescue
Priority: optional
Section: utils
Installed-Size: 316
Maintainer: Varun Hiremath <varunhiremath-Re5JQEeQqe8AvxtiuMwx3w at public.gmane.org>
Architecture: i386
Version: 1.1.4-3
Depends: libc6 (>= 2.3.6-6), libgdbm3
Filename: pool/main/m/magicrescue/magicrescue_1.1.4-3_i386.deb
Size: 82626
MD5sum: ec071aa7f908e707f599d7e996117b45
SHA1: 691b362924cecba95c703d4c4311d587e21a9816
SHA256: 17d3bd24434bec7251a4d5ce58c99ef23064cb7efbccef6a06c2c1c1189a9ebd
Description: recovers files by looking for magic bytes
 Magic Rescue scans a block device for file types it knows how to recover
 and calls an external program to extract them. It looks at "magic bytes"
 in file contents, so it can be used both as an undelete utility and for
 recovering a corrupted drive or partition. As long as the file data is
 there, it will find it.
 .
  Homepage: http://jbj.rapanden.dk/magicrescue/
Tag: admin::filesystem, admin::recovery, implemented-in::c, interface::commandline, role::program, scope::utility, use::scanning, works-with::file

Maybe one of those can find your files.

--
Len Sorensen
--
The Toronto Linux Users Group.      Meetings: http://gtalug.org/
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://gtalug.org/wiki/Mailing_lists
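
Added example, not part of the original message and not code from foremost or magicrescue: the header/footer ("magic bytes") carving that the package descriptions above refer to, written in Python for the two file types in question (JPEG images and Ogg streams). The function names, the SAMPLE buffer and the 10 MiB JPEG size limit are assumptions made for illustration.

```python
import struct

JPEG_HEAD, JPEG_FOOT = b"\xff\xd8\xff", b"\xff\xd9"

def carve_jpeg(buf, max_len=10 * 1024 * 1024):
    """Header/footer carving: yield (offset, length) of each JPEG candidate."""
    pos = buf.find(JPEG_HEAD)
    while pos != -1:
        end = buf.find(JPEG_FOOT, pos + 3, pos + max_len)
        if end != -1:                      # footer found within the size limit
            yield pos, end + 2 - pos
        pos = buf.find(JPEG_HEAD, end + 2 if end != -1 else pos + 3)

def ogg_page_len(buf, pos):
    """Length of the Ogg page at pos, or 0 if no complete page starts there."""
    if buf[pos:pos + 5] != b"OggS\x00" or pos + 27 > len(buf):
        return 0
    nsegs = buf[pos + 26]                  # number of lacing values
    table = buf[pos + 27:pos + 27 + nsegs]
    total = 27 + nsegs + sum(table)        # header + segment table + payload
    return total if len(table) == nsegs and pos + total <= len(buf) else 0

def carve_ogg(buf):
    """Walk pages from a beginning-of-stream page until end-of-stream."""
    pos = buf.find(b"OggS")
    while pos != -1:
        cur = pos
        if ogg_page_len(buf, pos) and buf[pos + 5] & 0x02:    # BOS flag
            serial = buf[pos + 14:pos + 18]
            while True:
                n = ogg_page_len(buf, cur)
                if not n or buf[cur + 14:cur + 18] != serial:
                    break                  # damaged or foreign page: stop here
                eos = buf[cur + 5] & 0x04  # EOS flag marks the last page
                cur += n
                if eos:
                    break
            yield pos, cur - pos
        pos = buf.find(b"OggS", max(cur, pos + 4))

def _page(flags, serial, payload):
    """Constructed sample page (single segment, CRC field left zero)."""
    return (b"OggS\x00" + bytes([flags]) + bytes(8) + struct.pack("<I", serial)
            + bytes(8) + bytes([1, len(payload)]) + payload)

# Constructed sample "disk image": filler, one tiny JPEG-like blob, one Ogg stream.
SAMPLE = (bytes(1000) + b"\xff\xd8\xff\xe0JFIF-constructed\xff\xd9" + b"\x11" * 300
          + _page(0x02, 7, b"a" * 10) + _page(0x00, 7, b"b" * 20)
          + _page(0x04, 7, b"c" * 5) + bytes(200))
```

On a real image, read the file made by dd into a buffer and write each (offset, length) slice to its own file. Carving assumes the data is contiguous, so fragmented files come out incomplete.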
