> Thanks. I have foremost installed. My problem is that I'm not
> certain of all the file types in the directory. If I recall
> correctly they were mostly perl scripts. I had read somewhere that I
> could just tell foremost to grab ASCII files which would include
> said perl scripts.

Meh. Foremost is not generally good at ASCII text files. You might
try "-t cpp" which grabs C source code. I suspect Perl is close
enough that you'll get some hits.

Otherwise you may be stuck with using tools like dls from the
Sleuthkit (sleuthkit.org) to suck the free blocks out of the image and
then grep around for strings of interest (like "#!/usr/bin/perl").
Then you can use dcat/blkcat to retrieve chunks of your files. I warn
you that this is going to be tedious, however.

> I have rebooted the machine with said filesystem unmounted now. I
> also have the disk image I created which is just under 100GB since I
> dd'd the partition. Would it be advisable to use foremost on the
> disk image or the actual filesystem while unmounted in order to
> collect the data?

Doesn't hurt to try both. The disk image might be corrupt because you
took it from a running file system. OTOH, the file system might have
re-used some of the data blocks between the time you took the image
and the time you got the file system unmounted.

By the way, I also have to be a PITA and point out that you wouldn't
be going through any of this pain if you had backups on hand.
Consider spending $125 on an external 1TB drive and a little of your
time implementing an automated backup strategy.

-- 
Hal Pomeranz, Founder/CEO      Deer Run Associates      [email protected]
Network Connectivity and Security, Systems Management, Training
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
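
The "grep around for strings of interest" step above, as an added example that is not part of the original message: it scans a raw image for "#!/usr/bin/perl" and reports the block number of each hit. It reads the whole image rather than extracted free blocks, and the function names, the 4096-byte default block size and the demo image are assumptions made for illustration.

```python
SHEBANG = b"#!/usr/bin/perl"  # string of interest from the post
BLOCK_SIZE = 4096             # assumed block size; confirm for your file system


def _first_line(img, off):
    """Read the text line starting at off without losing the scan position."""
    here = img.tell()
    img.seek(off)
    line = img.read(200).split(b"\n", 1)[0]
    img.seek(here)
    return line.decode("ascii", "replace")


def find_script_blocks(path, needle=SHEBANG, block_size=BLOCK_SIZE, chunk=1 << 20):
    """Return (block_number, offset_in_block, first_line) for every needle hit."""
    hits, base, buf = [], 0, b""
    overlap = len(needle) - 1
    with open(path, "rb") as img:
        while True:
            data = img.read(chunk)
            if not data:
                break
            buf += data
            pos = buf.find(needle)
            while pos != -1:
                off = base + pos
                hits.append((off // block_size, off % block_size, _first_line(img, off)))
                pos = buf.find(needle, pos + 1)
            # Keep a short tail so a needle split across two reads is still found.
            keep = buf[-overlap:] if overlap else b""
            base += len(buf) - len(keep)
            buf = keep
    return hits


def build_demo_image(path, block_size=512):
    """Constructed sample image: 8 zeroed blocks holding two Perl fragments."""
    img = bytearray(8 * block_size)
    first = b"#!/usr/bin/perl -w\nuse strict;\n"
    second = b'#!/usr/bin/perl\nprint "hi\\n";\n'
    img[1019:1019 + len(first)] = first     # straddles a 1024-byte read boundary
    img[1546:1546 + len(second)] = second
    with open(path, "wb") as f:
        f.write(img)


if __name__ == "__main__":
    import os, tempfile
    demo = os.path.join(tempfile.mkdtemp(), "demo.img")
    build_demo_image(demo)
    for block, off, line in find_script_blocks(demo, block_size=512, chunk=1024):
        print(f"block {block} (+{off}): {line}")
```

When the image is a single partition and block_size matches the file system, each reported block number is the address to hand to dcat/blkcat to pull that chunk out for inspection.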
