ZFS deleted files r...
 
Notifications
Clear all

ZFS deleted files recovery

12 Posts
6 Users
0 Likes
3,183 Views
(@mazenx)
Posts: 1
New Member
Topic starter
 

Need help with finding tools to recover deleted files or recover deleted files metadata only on ZFS file system. The Sleuth Kit doesn't support ZFS as far as I know. The tool better to run on solaris, because storage is in tens of TB and taking image is not option.

 
Posted : 27/05/2016 1:23 pm
(@eugene_777)
Posts: 22
Eminent Member
 

I have the same problem. I need to recover deleted files. I have ZFS pool amount 6TB. I created images of hard disks, connected in FTKImager and added to virtual box. Then run virtual box. OS was load and i could see data. But I don't know how to create image from zfs pool and examine it in FTK or X-way.

 
Posted : 02/07/2017 2:18 am
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

Can you make a physical copy of the hard drive? If yes, i would use FreeBSD to recover the files. FreeBSD speaks ZFS and you can compile foremost and scalpel from source easily. Or use the precompiled binary from the packages. dd should be your friend to create a raw dd file from ZFS, if you want to analyse it in any other operating system. /etc/fstab will be helpful to mount the external drive in ro mode.

This would be my path to a possible recovery. And i would check if X-Ways Forensic can handle the ZFS file system.

Good luck!

 
Posted : 02/07/2017 6:32 pm
(@eugene_777)
Posts: 22
Eminent Member
 

I don`t know, but I seem that UFS Explorer doesn't work with zfs partition?

 
Posted : 02/07/2017 6:48 pm
(@eugene_777)
Posts: 22
Eminent Member
 

Bunnysniper, I'm not be able to do physical copy of hard disk. But i have made files images as i wrote above and load their in virtual box. How i can do dd image all zpool and move this image on my phisical machine?

What is differnts my method from you?

 
Posted : 02/07/2017 7:01 pm
Bunnysniper
(@bunnysniper)
Posts: 257
Reputable Member
 

What is differnts my method from you?

I would use FreeBSD for file carving. It understands ZFS and u can use open-source file carving software. As i understand u want to recover files and it would do it with FreeBSD.
best regards,
Robin

 
Posted : 03/07/2017 6:20 pm
UnallocatedClusters
(@unallocatedclusters)
Posts: 577
Honorable Member
 

1. Download FreeBSD .ISO file from here https://download.freebsd.org/ftp/snapshots/amd64/amd64/ISO-IMAGES/12.0/

2. Install the downloaded .ISO file to a USB drive to create a Live USB using PenDriveLinux https://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/

OR

2. Purchase a FreeBSD DVD or USB drive with FreeBSD already installed from OSDISC https://www.osdisc.com/products/freebsd

OR

2. Burn the FreeBSD .ISO file to a DVD

3. Boot the DVD to FreeBSD in your Virtual Box software

OR

4. Boot your forensic workstation to FreeBSD using the DVD or Live USB drive

Use the tools with FreeBSD as described by BunnySniper

 
Posted : 03/07/2017 8:28 pm
(@eugene_777)
Posts: 22
Eminent Member
 

Bunnysniper, UnallocatedClustersI installed FreeBSD on Virtual Machine, but what's next?
I connected my images to my VM. I was trying mount zpool but OS refused it, because zpool has the same mounting point as FreeBSD (e.g. zpool has the mount point zpool/var and FreeBSD has the mount point /var). Before I was trying same actions, but I was using Ubuntu. I changed one parameter and Ubuntu agree to mount my zpool but I got to mix, because data of zpool mixed with data of folder Ubuntu (e.g. zpool mount point zpool/var mixedthe mount point /var of Ubuntu). I hope we got me.

How to right connect zpool that zpool didn't has a changes? Which are tools to use for repair deleted data? How to do the image zpool that it be possible to exam on, for example, X-way?

Clarify these question for me, please. Generally, I got what I need to do, but I need to know more exactly, because I'm a little confused.

Thanks in advance for your help.

 
Posted : 15/07/2017 7:24 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Bunnysniper, UnallocatedClustersI installed FreeBSD on Virtual Machine, but what's next?

It seems to me like Unallocated Clusters suggested a Live DVD/USB stick and not an install. ?

jaclaz

 
Posted : 15/07/2017 9:48 pm
(@eugene_777)
Posts: 22
Eminent Member
 

Bunnysniper, UnallocatedClustersI installed FreeBSD on Virtual Machine, but what's next?

It seems to me like Unallocated Clusters suggested a Live DVD/USB stick and not an install. ?

jaclaz

Yes, it's. But what is different, whether I will use Live DVD/USB stick with FreeBSD or it will install FreeBSD on separate virtual disk?

 
Posted : 16/07/2017 11:40 am
Page 1 / 2
Share: