Undelete with Sleuthkit
Wrote a little Bash script using Sleuthkit tools to recover a deleted file from a partition. Tested the script with ext2 and fat32 filesystems.
Set up a test image:
dd if=/dev/zero of=image bs=1k count=8192
mkfs.ext2 image
mount -o loop image /mnt/image
cp something /mnt/image
rm /mnt/image/something
sync
umount /mnt/image
Now you can start the script to find a token of the deleted file:
./find.sh image "Test"
The code for find.sh:
#!/bin/sh
# find.sh: locate a deleted file in an image by a text token and dump its blocks.
IMAGE=$1
TOKEN=$2
BSIZE=1024            # data unit size of the filesystem (check with fsstat)
TYPE="linux-ext2"     # sleuthkit filesystem type
TMP="dls_$(date +%Y%d%m_%H%M%S)"

if [ $# -ne 2 ]
then
    echo "Usage: $0 image token"
    exit 1
fi
if [ ! -f "$IMAGE" ]
then
    echo "Cannot find $IMAGE"
    exit 1
fi
if [ -z "$TOKEN" ]
then
    echo "Please give search token"
    exit 1
fi

echo "--------------------------"
echo "Found deleted"
fls -f "$TYPE" -rd "$IMAGE"             # list deleted directory entries
dls -f "$TYPE" "$IMAGE" > "$TMP"        # dump all unallocated data units
strings -t d "$TMP" > "$TMP.str"        # printable strings with decimal offsets
echo "--------------------------"
grep -i "$TOKEN" "$TMP.str"
echo "--------------------------"
printf "Select Offset:"
read n
# take the line whose offset is exactly the selected one
ADDR=$(grep -i "$TOKEN" "$TMP.str" | sed 's/^[ \t]*//' | grep "^$n " | head -n 1 | cut -d " " -f1)
if [ -z "$ADDR" ]
then
    echo "Nothing found for '$TOKEN'"
    exit 1
fi
echo "Found $ADDR"
OFFSET=$((ADDR / BSIZE))                # unallocated unit number inside the dls dump
echo "Using Offset $OFFSET"
BLOCK=$(dcalc -f "$TYPE" -u "$OFFSET" "$IMAGE")   # map it back to the block in the image
echo "Using Block $BLOCK"
echo "----------------------------"
dcat -f "$TYPE" "$IMAGE" "$BLOCK"
echo
echo "----------------------------"
INODE=$(ifind -f "$TYPE" -d "$BLOCK" "$IMAGE")    # inode that referenced this block
echo "Found Inode $INODE"
istat -f "$TYPE" "$IMAGE" "$INODE"
BLOCKS=$(istat -f "$TYPE" "$IMAGE" "$INODE" | tail -n 1)   # last istat line lists the data blocks
echo "---------------------------"
echo "Found Blocks $BLOCKS"
echo "---------------------------"
(for BLOCK in $BLOCKS
do
    dcat -f "$TYPE" "$IMAGE" "$BLOCK"
done) | tee "$TMP.found"
echo "---------------------------"
echo "Saved to $TMP.found"
echo "---------------------------"
rm -f "$TMP" "$TMP.str"
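The offset-to-unit arithmetic that find.sh does once with bc, as an added example that is not part of the original post: it maps every hit of the token in a dls dump to the unallocated unit numbers it occupies, including a token that straddles a unit boundary, which is the case the single-offset lookup above misses. It assumes GNU grep (for -o, -b and -a) and a POSIX shell; the sample dump is constructed inline, no Sleuthkit needed to run it.

```shell
#!/bin/sh
# Added example, not from the original post. Maps each hit of TOKEN in a
# dls/blkls dump of unallocated space to the unallocated unit numbers it
# occupies (find.sh does this once, for one chosen offset, with bc).
# Assumes GNU grep for -o (matches only), -b (byte offset) and -a (binary as text).

# units_for_token DUMP TOKEN BSIZE: one unit number per line, sorted, unique.
# BSIZE must equal the data unit size of the filesystem the dump came from
# (fsstat shows it; 1024 for the ext2 image in the post). A wrong BSIZE gives
# wrong units without any error, so check it first.
units_for_token() {
    dump=$1; token=$2; bsize=$3
    grep -obai -- "$token" "$dump" | while IFS=: read -r off match; do
        first=$(( off / bsize ))
        # the token may cross into the next unit: report every unit it touches
        # (${#match} is a character count, fine for ASCII tokens)
        last=$(( (off + ${#match} - 1) / bsize ))
        u=$first
        while [ "$u" -le "$last" ]; do
            echo "$u"
            u=$(( u + 1 ))
        done
    done | sort -n -u
    # each number printed is what find.sh feeds to: dcalc -f linux-ext2 -u N image
}

# make_demo_dump FILE: constructed sample, 4 units of 1024 zero bytes with "Test"
# written at byte 1030 (unit 1), 2046 (straddles units 1 and 2) and 3100 (unit 3).
make_demo_dump() {
    dd if=/dev/zero of="$1" bs=1024 count=4 2>/dev/null
    for pos in 1030 2046 3100; do
        printf 'Test' | dd of="$1" bs=1 seek="$pos" conv=notrunc 2>/dev/null
    done
}

if [ $# -eq 3 ]; then
    units_for_token "$1" "$2" "$3"
fi
```

Run as `sh units.sh dls_dump Test 1024` against a real dls dump; each unit it prints is a candidate for dcalc, dcat and ifind exactly as in find.sh.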
