Data recovery 101 Question on XFS partition

  

honor_the_data
Newbie
 

Data recovery 101 Question on XFS partition

Post Posted: Mar 15, 19 01:17

I'm working on a case where I need data from log files that have rolled off a Linux server because log retention is 30 days and the server was compromised at least 35 days before the issue was discovered. There are no backups and logs were only stored locally, so as far as I know the only remaining option for pinpointing how the attacker got in is to try and recover older logs.

I had the sysadmin create an image of the XFS partition (/dev/mapper/sdc2-root) that contained /var/log and loaded up the image in EnCase 8.08. I'm puzzled because I am not seeing any recover options in processing menu.

1) Do I need an image of the entire disk, rather than just the partition, in order to attempt data recovery?
2) Has anyone tried this with XFS and EnCase 8?
3) Any other suggestions for other tools I should try?  
 
  

watcher
Senior Member
 

Re: Data recovery 101 Question on XFS partition

Post Posted: Mar 15, 19 02:35

I've never worked with XFS. I'm not aware that EnCase handles XFS.

Now that I've established that I have not done this, the approach I would start with is:

Try running PhotoRec against the partition. Contrary to its name and roots, it's a very capable general-purpose file carver. More importantly, it is not dependent upon the file system and may be able to recover files from XFS.

Similarly, Bulk Extractor may be able to pull things out of unknown file systems.

There is a Chinese company that advertises tools for XFS, Salvation Data.

Good luck, and let us know the outcome!  
 
  

jaclaz
Senior Member
 

Re: Data recovery 101 Question on XFS partition

Post Posted: Mar 15, 19 10:53

- watcher
I've never worked with XFS.

And that makes two of us.

@honor_the_data
Generally speaking, you are exiting the "forensics" and entering the "data recovery" realm, so you will be better served by looking for "recovery" programs/tools and not "forensic" ones.

The SalvationData blog explaining some basics is this one:
blog.salvationdata.com...le-system/

PhotoRec is an exceptionally good tool, and it is worth a try, though as with most file-based tools it is likely that you will get (some) content while losing filesystem metadata and file names/dates, so that it may be "enough" or "not enough" for your actual scope.

You may want to try also the "old" Raise Data Recovery (I believe it is a read-only-until-registered):

Trial limitations:

The software copies files with the size under 256KB;



www.ufsexplorer.com/ra...ry-xfs.php
www.sysdevlabs.com/pro...amp;os=win

and if it works for the smaller files and "sees" the larger ones, get the "current" version.

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

mscotgrove
Senior Member
 

Re: Data recovery 101 Question on XFS partition

Post Posted: Mar 17, 19 04:01

In theory, it is not possible to recover deleted XFS.

With my cnwrecovery.com I have had some success. The program does make guesses as to what an iNode points to, so sometimes works, and sometimes fails.

You need to use the mode to scan all iNodes - can take a few hours with a large drive.

If you require file names and dates, it is worth a try with the demo (saves logs, but no files). If you just want simple, unfragmented files, file carving is a possible way forward.
_________________
Michael Cotgrove
www.cnwrecovery.com
www.goprorecovery.co.uk 
 
  

minime2k9
Senior Member
 

Re: Data recovery 101 Question on XFS partition

Post Posted: Mar 17, 19 20:47

Again, never had an XFS partition, however X-Ways does support it:
www.x-ways.net/forensics/

If they support it, I'm pretty sure you can carve files using it!  
 
  

hommy0
Senior Member
 

Re: Data recovery 101 Question on XFS partition

Post Posted: Mar 18, 19 12:12

EnCase 8.08 has listed support for XFS, however I have never worked with this file system.

What are you seeing in EnCase, when you say "I am not seeing any recover options in processing menu"?

Also do you have any folder structure displayed within EnCase?

Regards  
 
  

honor_the_data
Newbie
 

Re: Data recovery 101 Question on XFS partition

Post Posted: Mar 18, 19 17:28

- hommy0
EnCase 8.08 has listed support for XFS, however I have never worked with this file system.

What are you seeing in EnCase, when you say "I am not seeing any recover options in processing menu"?

Also do you have any folder structure displayed within EnCase?

Regards


I see the file structure in EnCase and can access the allocated folders/files just like in a typical case (can click through folders, read contents of log files, share the data to the examiner host system, etc.).

Because of this, I know that EnCase 8.08 does support XFS, at least to some extent.

I am currently running the file carver to see if anything can be carved out from the partition.  
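
Added illustration for this thread (not code from any poster or from the tools named above): a filesystem-independent scan in the spirit of the file carving suggested in the replies, narrowed to one artifact, classic syslog text lines in a raw image. It assumes a dd-style image, uncompressed log text and an examiner-supplied year; `carve_syslog` and `build_sample_image` are hypothetical names and the sample data is constructed.

```python
import mmap
import os
import re
import tempfile
from datetime import datetime

# Classic syslog line: "Feb  3 04:05:06 host tag[pid]: message" (no year in the format).
SYSLOG_RE = re.compile(
    rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ 0-3]\d "
    rb"[0-2]\d:[0-5]\d:[0-5]\d [\x21-\x7e]{1,64} [\x20-\x7e]{1,1024}"
)

def carve_syslog(image_path, year, before=None):
    """Return [(byte_offset, timestamp, line)] for syslog-looking text in a raw image.

    year   -- supplied by the examiner, since the line format carries none (assumption)
    before -- keep only lines older than this datetime, e.g. the oldest surviving entry
    """
    hits = []
    with open(image_path, "rb") as fh, \
            mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as img:
        for m in SYSLOG_RE.finditer(img):
            text = m.group().decode("ascii")
            try:
                ts = datetime.strptime(f"{year} {text[:15]}", "%Y %b %d %H:%M:%S")
            except ValueError:  # pattern matched but not a real date, e.g. "Feb 31"
                continue
            if before is None or ts < before:
                hits.append((m.start(), ts, text))
    return hits

def build_sample_image():
    """Write a constructed 'image': binary filler with three fake log lines embedded."""
    filler = bytes(range(256)) * 16  # 4096 bytes of non-log data
    lines = [
        b"Feb  3 04:05:06 web01 sshd[812]: Accepted password for deploy from 192.0.2.10\n",
        b"Feb 31 01:02:03 web01 cron[1]: impossible date, must be rejected\n",
        b"Mar 14 23:59:59 web01 sshd[990]: session closed for user deploy\n",
    ]
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as out:
        out.write(filler + lines[0] + filler + lines[1] + lines[2] + filler)
    return path

if __name__ == "__main__":
    sample = build_sample_image()
    for offset, ts, line in carve_syslog(sample, 2019, before=datetime(2019, 2, 13)):
        print(f"{offset:#x}  {ts.isoformat()}  {line}")
    os.remove(sample)
```

Each hit carries its own timestamp and byte offset, but not the name of the file it came from. Rotated logs that were compressed on disk will not match as plain text.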
 
