I need to read directly from hard disk device (really need to read /var partition)

Post by Noa » Wed, 24 Jul 2002 16:24:08



I deleted some files. They are plain text and I'm prepared to
read directly from the disk partition to recover fragments and
attempt to manually stick them back together. The problem
is that the files were on /var (on my system /var is mounted
in /dev/wd0e). I tried to open ("/dev/wd0e", O_RDONLY), but I
got an error. I guess this is because the device is mounted on /var.
It would be inconvenient to unmount /var.
Is there a way I can read from the device without unmounting it?
Another option would be to mirror /dev/wd0e to another partition,
but I guess that would be the same as reading from it...

Ack! Am I screwed?

Yours,
Noah

Post by Daniel Hartmeie » Wed, 24 Jul 2002 19:22:20



> It would be inconvenient to unmount /var.

The longer you leave it mounted, the higher the chances that the
deleted files will get overwritten, so I'd unmount the partition
immediately.

> Is there a way I can read from the device without unmounting it?

Yes, reading /dev/rwd0e (note the 'r' for raw) as root is possible
while the partition is mounted.

Daniel

Post by Noa » Thu, 25 Jul 2002 08:32:10




> > It would be inconvenient to unmount /var.

> The longer you leave it mounted, the higher the chances that the
> deleted files will get overwritten, so I'd unmount the partition
> immediately.

> > Is there a way I can read from the device without unmounting it?

> Yes, reading /dev/rwd0e (note the 'r' for raw) as root is possible
> while the partition is mounted.

> Daniel

Cool, this worked.
Reading from '/dev/rwd0e' with the 'r' for raw
instead of   '/dev/wd0e' was the trick.
I was able to copy the entire partition to a file dump on
another bigger partition. Now I just need to perform a
forensic investigation on the file to try to extract my files.

Now I will write a little filter script to extract text and then
try to build clumps of stuff that I'm interested in recovering
(Python source code).

Thanks for the 'r' raw tip.

Yours,
Noah

Post by tedu » Thu, 25 Jul 2002 05:20:17



> Now I will write a little filter script to extract text and then
> try to build clumps of stuff that I'm interested in recovering
> (Python source code).

There's a forensic toolkit that does that. By Wietse Venema and Dan
Farmer, I think. Ahh, here:
www.porcupine.org/forensics/tct.html

--
If you ever would give them a helping hand,
You can be sure they'll chop off the arm.
Never, ever, never trust a Klingon; you will always regret it.

Post by Noa » Thu, 25 Jul 2002 19:13:23




> > Now I will write a little filter script to extract text and then
> > try to build clumps of stuff that I'm interested in recovering
> > (Python source code).

> There's a forensic toolkit that does that.  by wietse venema and dan
> farmer i think.  ahh, here
> www.porcupine.org/forensics/tct.html

Apparently I could also have used 'dd' to dump the partition...

TCT was not very useful. It didn't do much more than my 20 line C program.
But from TCT I did find a tool called TASK which is based on TCT.
When used with another tool called "Autopsy Forensic Browser"
this combination comes close to doing everything I want.
    http://www.atstake.com/research/tools/task/
    http://www.atstake.com/research/tools/autopsy/index.html

I'm going to have a filter that searches for common Python keywords
and when it finds a match it will save a 1K block before and after the
keyword to a file. I will still have to sort through the segments
and figure out how to "unshred" them by hand... Maybe I will number them
and print them on paper and sort them on the kitchen table.
It will be like a little game :-)

Thanks,
Noah
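The keyword-window carver Noah describes in his last two posts (search a partition dump for Python keywords, keep 1K either side of each hit, number the clumps), written out as an added example that is not Noah's script or any TCT/TASK code. It assumes the dump is an ordinary file made with dd (or his raw-device copy), uses a constructed keyword list, merges overlapping windows so one stretch of source is not split into one clump per keyword, and drops clumps that are mostly binary.

```python
import mmap
import re
import sys
from pathlib import Path

# Anchor strings: a constructed list of common Python keywords; the post names no specific set.
KEYWORDS = [b"import ", b"def ", b"class ", b"return ", b"print "]
CONTEXT = 1024          # bytes kept on each side of a hit, as described in the post
TEXT_BYTES = frozenset(b"\t\n\r") | frozenset(range(0x20, 0x7F))

def find_hits(data, keywords=KEYWORDS):
    """Sorted offsets of every keyword occurrence; works on bytes or a read-only mmap."""
    pattern = re.compile(b"|".join(re.escape(k) for k in keywords))
    return [m.start() for m in pattern.finditer(data)]

def carve_segments(data, keywords=KEYWORDS, context=CONTEXT):
    """Cut `context` bytes either side of each hit. Windows that overlap or
    touch are merged, so one run of source code comes out as a single clump.
    Returns [(offset, bytes), ...] in image order."""
    spans = []
    for off in find_hits(data, keywords):
        start, end = max(0, off - context), min(len(data), off + context)
        if spans and start <= spans[-1][1]:        # overlaps/abuts the previous window
            spans[-1] = (spans[-1][0], max(spans[-1][1], end))
        else:
            spans.append((start, end))
    return [(s, bytes(data[s:e])) for s, e in spans]

def text_ratio(blob):
    """Fraction of bytes that are printable ASCII or whitespace."""
    return sum(b in TEXT_BYTES for b in blob) / len(blob) if blob else 0.0

def carve_image(image_path, out_dir, min_text=0.9):
    """Memory-map a partition dump (so a multi-GB image is not read into RAM),
    carve keyword windows, and write each text-looking clump to a numbered
    file whose name records the byte offset it came from."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    with open(image_path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        for n, (off, blob) in enumerate(carve_segments(mm)):
            if text_ratio(blob) < min_text:   # skip clumps that are mostly binary
                continue
            path = out_dir / f"clump_{n:04d}_at_{off:#010x}.txt"
            path.write_bytes(blob)
            written.append(path)
    return written

if __name__ == "__main__":           # usage: carve.py /bigpart/var.img ./clumps
    for p in carve_image(sys.argv[1], sys.argv[2]):
        print(p)
```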
