[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Undelete Compat Flash?



I would highly recommend that you grab a dd image of the compact
flash, and then run any tools against the copy (mounted read only).
That way the tool won't alter the contents of the dd image (or more
importantly of your original compact flash) thereby allowing you to
run other tools against it if necessary.  I am a forensic examiner by
trade and the first rule is to never work on the original.

Slight correction to my last posting (banged it off and sat down for
breakfast and realized my advice was a bit misleading).  You don't
need to mount the image. You run the tool against the dd image file. I'm used to sometimes viewing a read only mounted version of the image
as part of the forensic process but in actual fact your recovery tools
such as scalpel would run agains the entire device (or more accurately
against the image of the entire device).  You can get scalpel (an open
source tool) at http://www.digitalforensicssolutions.com/Scalpel/.  I
read the site on the other tool that was suggested and that may very
well do the trick as well.  However I'd recommend scalpel as it's been
tested quite a bit by the computer forensic community so you know it
will work as it should.  Plus scalpel is a nice tool to have for other
file types as well, and to run against a variety of filesystems
(including ntfs) as it runs independant of the file system, looking
for file headers & file footers on a device or partition (hda, hda1,
sda, sda1, whatever, or an image file of same).


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]