Very Computer

Hi there,

Whe are working on a case to detect fraud where the Unix sysadm presumably
covered his tracks by deleting the log files. Could someone please tell me
if there is a way to recover the log files or the reconstruct the inodes or
something presuming that the data on the ard drive has not been overwritten
with zero's. We are in possession of the hard drive.

Thanks

Jaco Cloete

Hi,

well it really depends. Theoretically, no, it's not possible. In practice,
it might be.

The first thing to identify is what sort of Unix we're talking about...

The second thing is, what sort of tools do you have available?

The reason I ask is, if you have the time and the tools to do it, you could
probably boot from a MS-DOS (!) floppy, and run Norton Utilities Disk
Editor. Access the drive as a physical unit, and then theoretically anything
actually on the drive that hasn't been overwritten will be there - once you
find it of course... I'd suggest searching for a string that'd likely appear
in the syslog normally.

If you were feeling really ambitious, you might be able to manually
reconstruct the inodes. Just don't ask me to do it :)

regards
Chris
Brainbench MVP for Internet Security

Quote:> Hi there,

> Whe are working on a case to detect fraud where the Unix sysadm presumably
> covered his tracks by deleting the log files. Could someone please tell me
> if there is a way to recover the log files or the reconstruct the inodes
or
> something presuming that the data on the ard drive has not been
overwritten
> with zero's. We are in possession of the hard drive.

> Thanks

> Jaco Cloete

There are in fact several things you may be able to do.  The very
first, if you haven't done it already, is to unmount the partition
concerned and ensure that it isn't used on a live system again until
you have either recovered the data or satisified yourself that it's
unrecoverable.

Having done that, you will want to employ a tool that understands the
particular filesystem you are using, and is able to retrieve
unattached inodes.  On Linux, debugfs is the tool you want.  See its
man page for details of use.

You may find the filesystems HOWTO useful at:

http://metalab.unc.edu/pub/Linux/docs/HOWTO/Filesystems-HOWTO

All the best,

Julian Midgley

--
Julian Midgley

Zeus Technology Ltd                     http://www.zeus.com

What?! Assuming there haven't been any modifications to the
filesystem, theoretically it's trivial. Possible solutions include:

1. Reading the device directly, and assembling the unallocated pieces
   by hand.
2. Reading/Writing the device and relinking interesting blocks by hand.
3. Reading the device directly, and relinking interesting inodes.
3. Using actual software, and following the directions.

[Horrible Dos suggestion snipped]

Quote:> If you were feeling really ambitious, you might be able to manually
> reconstruct the inodes. Just don't ask me to do it :)

Indeed, given that it's somewhat important to recover the data I
suggest you either hire a competant consultant for a day, or employ a
reputable data-recovery firm.

--

It doesn't have to be.  Indeed, as you say, recovering log files are greatly
simplified by the regularity of the time stamps.  I'd suggest using unrm and
lazarus to try and recover the stuff (from TCT); depending on how the files
were killed off, how long ago it was, and what has happened since, you
have a decent chance of getting something:

        http://www.fish.com/tct
        http://www.porcupine.org/forensics

-- d