This was a post on Gentoo Forums: A[n Instance of] Basic Data Recovery with SleuthKit
https://forums.gentoo.org/viewtopic-t-1016618.html
=========================================================
(now to be vacated)

Renaming it with a more appropriate title:
An Avi Video Recovery with SleuthKit
=========================================================

Notice: This topic is currently somewhat unruly, but lots of inconsistencies will be corrected, improved, adapted (remember, it was on different forums originally), shortened, or cleared out with additional info, after more proofreading; pls. bear with me.

------------------

I had created a directory:

[code]
mkdir /Cmn/MyVideos/H_All/Oth_1/DEL
[/code]

and while sifting through various files, I put in there a few files that I would delete later, as I couldn't make up my mind that I really wanted to delete them, and set the latter at 10000s from then, like this:

[code]
sleep 10000 && rm -v /Cmn/MyVideos/H_All/Oth_1/DEL/* &
[/code]

Then I worked on, and mistakenly put in a few files that I wouldn't want to delete, but those nearly three hours passed, and while I was doing unrelated work, I noticed the output from the background job that I had issued before:

[code]
ukra@uabox $ removed ‘DEL/HRT3_F0328_1802.avi’
removed ‘DEL/Z1_F0325_Zoom.avi’
removed ‘DEL/Z1_F0326_BraniteljiDanas_ZoricaGregurić_ZoranGrujić_Zadruge.avi’
removed ‘DEL/Z1_F0331_MarkovTrg_MihovilBogoljubMatković_IvanHrstić.avi’
removed ‘DEL/Z1_F0331_Zoom_Lovrić_Škaričić.avi’
[/code]

Later I even deleted the DEL:

[code]
rmdir /Cmn/MyVideos/H_All/Oth_1/DEL
[/code]

I am having a much more advanced issue that I have been struggling with for much longer, and compounded with censorship on me, which is just an instance of typical censorship by the current traitor regime in power in Croatia, but which makes it much harder for me to dedicate my efforts entirely to the technical issues of the dd-overwritten luks volume recovery:

Recover partly overwritten luks volume?
http://forums.gentoo.org/viewtopic-t-1004014.html

[ It makes it much harder for me because the censorship is being battled against by revealing it, see my idea for a program: The uncenz http://github.com/miroR/uncenz , and also by help from free uncensored people ...that sometimes never arrives, uh!) ]

I have, however, reached the understanding there, on the issue of my partly overwritten luks volume, that the issue is so advanced that I will anyway need a very thorough understanding of at least all the basic functionality of SleuthKit to accomplish anything in that luks volume recovery. So the recovery of these files at the top of this page, on a system unrelated to that luks recovery issue, and on an unrelated partition, will be good practice to try and get a good understanding of the SleuthKit and its ways.

Firstly about the partition where those few files have been deleted. It's not mounted, but it looks very similar to some other of the partitions in my other systems where I store data, so had it been mounted, I can, looking at those other systems, by comparison, confidently say that it would, were it now mounted, currently look like this:

[code]
# df -h
Filesystem      Size  Used Avail Use% Mounted on
[..]
/Cmn            1.7T  1.6T   13G  99% /export/data
[...]
#
[/code]

It's an ext4 partition. It is possible I won't get all those files undeleted because of the little free space left, but if I get any, it'll be fine learning for me.

However, I seem to have started somewhat wrong, as I'll try and explain below, and am already a little puzzled with a few things.

I set the autopsy like this:

[code]
# autopsy -p 9999 192.168.3.3 &
[/code]

so I can view it from a different host in my network (the host where the partition is mounted being 192.168.3.2).

After I created the case, I first looked up if I could see those files in the File Analysis, and I couldn't.
The deleted directory DEL I was able to find, and it looks like this:

[code]
Name   Written              Accessed             Changed              Size  UID   GID   Meta
DEL/   2015-05-04 00:32:57  2015-05-03 22:02:25  2015-05-04 00:32:57  0     1000  1000  24797188
[/code]

and it was in bright red, meaning recoverable. However I don't need it; I need what was in that directory...

The only thing under which there was a link in the above line was 24797188 (under Meta), but following that link didn't give any more info.

Let me first show you what this case that I had opened for this problem looks like, by listing and pasting all that is currently in the Evidence Locker (not so much), and then I will explain where I may have gone wrong, and other things that puzzle me.

[code]
uabox ~ # ls -ltrR /mnt/g5n-C/autopsy/g5nCmn/g5n/
/mnt/g5n-C/autopsy/g5nCmn/g5n/:
total 24
drwxr-xr-x 2 root root 4096 2015-05-05 11:39 reports
drwxr-xr-x 2 root root 4096 2015-05-05 11:39 output
drwxr-xr-x 2 root root 4096 2015-05-05 11:39 mnt
drwxr-xr-x 2 root root 4096 2015-05-05 11:43 logs
drwxr-xr-x 2 root root 4096 2015-05-05 11:43 images
-rw-r--r-- 1 root root  169 2015-05-05 11:43 host.aut

/mnt/g5n-C/autopsy/g5nCmn/g5n/reports:
total 0

/mnt/g5n-C/autopsy/g5nCmn/g5n/output:
total 0

/mnt/g5n-C/autopsy/g5nCmn/g5n/mnt:
total 0

/mnt/g5n-C/autopsy/g5nCmn/g5n/logs:
total 24
-rw-r--r-- 1 root root  487 2015-05-06 16:23 host.log
-rw-r--r-- 1 root root 4435 2015-05-06 16:55 miroR.log
-rw-r--r-- 1 root root 8696 2015-05-06 16:55 miroR.exec.log

/mnt/g5n-C/autopsy/g5nCmn/g5n/images:
total 0
lrwxrwxrwx 1 root root 19 2015-05-05 11:43 vgn-Cmn -> /dev/mapper/vgn-Cmn
uabox ~ #
[/code]

As you can see there are only three files currently to paste their contents in here, and all the story so far developed will be told.
Actually I won't paste the contents; I'll list each file first, and then cat its content into this file that I am preparing for posting onto Gentoo Forums (since I have not been able to log into Sleuthkit Forum, nor do I know that I could without another bout of censorship to fight against and struggle to reveal and present). I'll actually use this command:

[code]
export GFPrepare="/Cmn/gX/Tmp.d_1/Gen_150506_tsk_recover.txt" ; echo $GFPrepare ;
for i in $(ls -1 /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/) ; do
echo /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/$i >> $GFPrepare ;
cat /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/$i >> $GFPrepare ;
read FAKE ; done ;
[/code]

GFPrepare is for GentooForumsPrepare. I had it on one line, and it worked fine. I think it would have worked split like that into those five lines, into which I split it for presentation purposes.

Anyhow, that got me all this output below in this file that should soon be posted onto Gentoo Forums:

[code]
/mnt/g5n-C/autopsy/g5nCmn/g5n/logs/host.log
===========================================
[/code]

[code]
Tue May 5 11:39:13 2015: Host g5n added to case g5nCmn
Tue May 5 11:39:22 2015: Host g5n opened by miroR
Tue May 5 11:43:53 2015: Sym Linking image /dev/mapper/vgn-Cmn into g5nCmn:g5n
Tue May 5 11:43:53 2015: Image added: image img1 raw images/vgn-Cmn
Tue May 5 11:43:53 2015: Volume added: part vol1 img1 0 0 ext /1/
Tue May 5 11:44:44 2015: Image vol1 opened by miroR
Wed May 6 16:23:41 2015: Host g5n opened by miroR
Wed May 6 16:23:45 2015: Image vol1 opened by miroR
[/code]

[code]
/mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.exec.log
=================================================
[/code]

[code]
Tue May 5 11:43:24 2015: '/usr/bin/img_stat' -t "/dev/mapper/vgn-Cmn"
Tue May 5 11:43:24 2015: '/usr/bin/fsstat' -t -i raw "/dev/mapper/vgn-Cmn"
Tue May 5 11:43:53 2015: '/usr/bin/img_stat' -t "/dev/mapper/vgn-Cmn"
Tue May 5 11:43:53 2015: '/usr/bin/fsstat' -o 0 -i raw -f ext "/dev/mapper/vgn-Cmn"
Tue May 5 11:43:53 2015: /bin/ln -s '/dev/mapper/vgn-Cmn' '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May 5 11:44:15 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May 5 11:47:04 2015: '/usr/bin/fls' -f ext -la -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 11:48:26 2015: '/usr/bin/fls' -f ext -ldr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 11:48:48 2015: '/usr/bin/fls' -f ext -ldr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 11:55:47 2015: '/usr/bin/ifind' -f ext -n 'MyVideos/H_All/Oth_1/DEL' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May 5 11:55:48 2015: '/usr/bin/istat' -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188
Tue May 5 11:55:48 2015: '/usr/bin/fls' -f ext -la -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188
Tue May 5 11:56:07 2015: '/usr/bin/ifind' -f ext -n 'MyVideos/H_All/Oth_1/' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May 5 11:56:07 2015: '/usr/bin/istat' -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24780805
Tue May 5 11:56:07 2015: '/usr/bin/fls' -f ext -la -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24780805
Tue May 5 11:56:45 2015: '/usr/bin/ils' -f ext -e -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188
Tue May 5 11:56:46 2015: '/usr/bin/ffind' -f ext -a -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188
Tue May 5 11:56:47 2015: '/usr/bin/icat' -f ext -r -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188 | '/usr/bin/file' -z -b -
Tue May 5 11:56:47 2015: '/usr/bin/icat' -f ext -r -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188 | '/usr/bin/md5sum'
Tue May 5 11:56:47 2015: '/usr/bin/icat' -f ext -r -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188 | '/usr/bin/sha1sum'
Tue May 5 11:56:47 2015: '/usr/bin/istat' -f ext -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188
Tue May 5 11:59:44 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:01:37 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:01:50 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:03:27 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:03:49 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:04:32 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:04:47 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:05:05 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:05:13 2015: '/usr/bin/fls' -f ext -la -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:05:22 2015: '/usr/bin/fls' -f ext -la -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:05:58 2015: '/usr/bin/fls' -f ext -la -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24772609
Tue May 5 12:06:11 2015: '/usr/bin/fls' -f ext -la -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24772610
Tue May 5 12:06:22 2015: '/usr/bin/fls' -f ext -la -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24780805
Tue May 5 12:09:07 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:09:16 2015: '/usr/bin/fls' -f ext -la -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:09:37 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:09:48 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:09:57 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:10:25 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:10:44 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:10:52 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:11:01 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:11:57 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:12:16 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:12:57 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:47:27 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:47:37 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:47:54 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:48:03 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:48:19 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:48:28 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:48:47 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:49:06 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:49:20 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:49:29 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:53:57 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May 5 12:53:57 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep' 'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Tue May 5 13:03:57 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May 5 13:03:57 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep' 'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Tue May 5 13:13:57 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May 5 13:13:58 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep' 'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Wed May 6 16:23:51 2015: '/usr/bin/fls' -f ext -la -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Wed May 6 16:26:13 2015: '/usr/bin/fls' -f ext -la -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 110059521
Wed May 6 16:27:14 2015: '/usr/bin/fls' -f ext -la -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24772609
Wed May 6 16:27:23 2015: '/usr/bin/fls' -f ext -la -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24772610
Wed May 6 16:27:27 2015: '/usr/bin/fls' -f ext -la -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24780805
Wed May 6 16:55:14 2015: '/usr/bin/ils' -f ext -e -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188
Wed May 6 16:55:15 2015: '/usr/bin/ffind' -f ext -a -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188
Wed May 6 16:55:54 2015: '/usr/bin/icat' -f ext -r -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188 | '/usr/bin/file' -z -b -
Wed May 6 16:55:54 2015: '/usr/bin/icat' -f ext -r -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188 | '/usr/bin/md5sum'
Wed May 6 16:55:55 2015: '/usr/bin/icat' -f ext -r -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188 | '/usr/bin/sha1sum'
Wed May 6 16:55:55 2015: '/usr/bin/istat' -f ext -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188
[/code]

[code]
/mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.log
============================================
[/code]

[code]
Tue May 5 11:39:22 2015: Host g5n opened
Tue May 5 11:44:44 2015: vol1: volume opened
Tue May 5 11:47:04 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
Tue May 5 11:48:26 2015: vgn-Cmn-0-0: Listing all deleted files
Tue May 5 11:48:48 2015: vgn-Cmn-0-0: Listing all deleted files
Tue May 5 11:55:47 2015: vol1: Finding meta data address for MyVideos/H_All/Oth_1/DEL
Tue May 5 11:55:48 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/H_All/Oth_1/DEL/ (24797188)
Tue May 5 11:56:07 2015: vol1: Finding meta data address for MyVideos/H_All/Oth_1/
Tue May 5 11:56:07 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/H_All/Oth_1/ (24780805)
Tue May 5 11:56:45 2015: vgn-Cmn-0-0: Displaying details of Inode 24797188
Tue May 5 11:59:44 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331*
Tue May 5 12:01:37 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331_*
Tue May 5 12:01:50 2015: vgn-Cmn-0-0: Listing all files with Z1_F0330_*
Tue May 5 12:03:27 2015: vgn-Cmn-0-0: Listing all files with *Zoom_Lovrić*
Tue May 5 12:03:49 2015: vgn-Cmn-0-0: Listing all files with *Zoom_Lovri*
Tue May 5 12:04:32 2015: vgn-Cmn-0-0: Listing all files with *Zoom_L*
Tue May 5 12:04:47 2015: vgn-Cmn-0-0: Listing all files with *Zoom_*
Tue May 5 12:05:05 2015: vgn-Cmn-0-0: Listing all files with *Zoom*
Tue May 5 12:05:13 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
Tue May 5 12:05:22 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
Tue May 5 12:05:58 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/ (24772609)
Tue May 5 12:06:11 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/H_All/ (24772610)
Tue May 5 12:06:22 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/H_All/Oth_1/ (24780805)
Tue May 5 12:09:07 2015: vgn-Cmn-0-0: Listing all files with *_F0326*
Tue May 5 12:09:16 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
Tue May 5 12:09:37 2015: vgn-Cmn-0-0: Listing all files with *_F032*
Tue May 5 12:09:48 2015: vgn-Cmn-0-0: Listing all files with *F032*
Tue May 5 12:09:57 2015: vgn-Cmn-0-0: Listing all files with *F03*
Tue May 5 12:10:25 2015: vgn-Cmn-0-0: Listing all files with Z1_F0326_sAnitom.avi
Tue May 5 12:10:44 2015: vgn-Cmn-0-0: Listing all files with Z1_F0326_s*.avi
Tue May 5 12:10:52 2015: vgn-Cmn-0-0: Listing all files with Z1_F0326_s\*.avi
Tue May 5 12:11:01 2015: vgn-Cmn-0-0: Listing all files with Z1_F0326_*.avi
Tue May 5 12:11:57 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331_Lovrić_Škaričić.avi.avi
Tue May 5 12:12:16 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331_Lovrić_Škaričić.avi
Tue May 5 12:12:57 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331_Zoom_Lovrić_Škaričić.avi
Tue May 5 12:47:27 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331_\w*.avi
Tue May 5 12:47:37 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331\w*.avi
Tue May 5 12:47:54 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331[0-9a-zA-Z]*.avi
Tue May 5 12:48:03 2015: vgn-Cmn-0-0: Listing all files with Z1_F0330[0-9a-zA-Z]*.avi
Tue May 5 12:48:19 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331[0-9a-zA-Z]*\.avi
Tue May 5 12:48:28 2015: vgn-Cmn-0-0: Listing all files with Z1_F0330[0-9a-zA-Z]*\.avi
Tue May 5 12:48:47 2015: vgn-Cmn-0-0: Listing all files with Z1_F03[0-9a-zA-Z]*\.avi
Tue May 5 12:49:06 2015: vgn-Cmn-0-0: Listing all files with /Z1_F03[0-9a-zA-Z]*\.avi/
Tue May 5 12:49:20 2015: vgn-Cmn-0-0: Listing all files with Z1_F03/[0-9a-zA-Z]*\.avi/
Tue May 5 12:49:29 2015: vgn-Cmn-0-0: Listing all files with Z1_F03/[0-9a-zA-Z]*/\.avi
Tue May 5 12:53:57 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi
Tue May 5 13:03:57 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi
Tue May 5 13:13:57 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi
Wed May 6 16:23:41 2015: Host g5n opened
Wed May 6 16:23:45 2015: vol1: volume opened
Wed May 6 16:23:51 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
Wed May 6 16:26:13 2015: vgn-Cmn-0-0: Directory listing of /1/$OrphanFiles/ (110059521)
Wed May 6 16:27:14 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/ (24772609)
Wed May 6 16:27:23 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/H_All/ (24772610)
Wed May 6 16:27:27 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/H_All/Oth_1/ (24780805)
Wed May 6 16:55:14 2015: vgn-Cmn-0-0: Displaying details of Inode 24797188
[/code]

Regardless that I'm posting this on Gentoo Forums, and believe you me, the sky would fall on my head if I were, by some decision without human feelings, rendered unable to post even on Gentoo Forums, one of so few places on the internet where I still feel free...

Regardless that I'm posting this on Gentoo Forums (from which this topic should not detract, not even minimally; I believe it adds, at least minimally), I am preparing this for the kind attention of SleuthKit folks, and those who follow their work and their marvelous achievements.

Remember, I was censored out of registering to SleuthKit Forum, see:

Recover partly overwritten luks volume?
https://forums.gentoo.org/viewtopic-t-1004014.html#7724054

and [ ditto ]
https://forums.gentoo.org/viewtopic-t-1004014-start-25.html#7734200

so posting it on SleuthKit Forum is not possible, yet, for me. I'm posting it to get help, from them or from any knowledgeable unixer, and also, if I (as I often do) solve it, so that others may benefit from my experience too.

Before I try and explain where I may have gone wrong and what puzzles me, let me first tell about the files.
They are real, and they have:

[code]
Z1_F0325
Z1_F0326
Z1_F0331
Z1_F0331
[/code]

the name of the TV station `Z1', the Zagrebian TV, in them, and the date (except that I use `F' for `2015', the current year). So the programs I taped on my old Hauppauge TV-card were from the end of month `03', March, from the 25th to the 31st. I called in on some of those programs, and I like to have it taped when I call in. There are also real names in there. Just to give a human look to the story. But technically that's irrelevant.

Now where I went wrong is, after not finding any of those deleted files in the `File Analysis', and after trying bash regular expression searches like:

[code]
Tue May 5 12:09:57 2015: vgn-Cmn-0-0: Listing all files with *F03*
[/code]

and there are plenty of others there, which all failed, I figured out, reading the help for `File Analysis', that the Autopsy interface for `File Analysis' uses perl regexps, and not the bash kind. So later I read `man perlrequick', but I had already gone the possibly wrong way.

There's very little that I did on `Wed May 6', which is today, but there are searches still going on since.
From [b]/mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.log[/b]:

[code]
Tue May 5 12:53:57 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi
Tue May 5 13:03:57 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi
Tue May 5 13:13:57 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi
[/code]

And see the same commands from [b]/mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.exec.log[/b]:

[code]
Tue May 5 12:53:57 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May 5 12:53:57 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep' 'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Tue May 5 13:03:57 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May 5 13:03:57 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep' 'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Tue May 5 13:13:57 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May 5 13:13:58 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep' 'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
[/code]

And now let me show you, as I have `top' fired up all the time, and keep waiting for this possibly wrong attempt to finally finish, which it never yet shows any signs of doing... This is a typical screenful:

[code]
PARTUUIDttop - 18:11:27 up 35 days,  6:14,  3 users,  load average: 3.22, 3.23, 3.23
Tasks: 237 total,   4 running, 231 sleeping,   2 stopped,   0 zombie
%Cpu(s): 34.2 us,  4.1 sy,  0.0 ni, 46.6 id, 15.2 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem : 16385720 total,   703036 free,   851080 used, 14831604 buff/cache
KiB Swap: 20971516 total, 20893764 free,    77752 used. 15434868 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND
10129 root      20   0    6416     84      0 R  76.2  0.0   1322:27 srch_strings
10110 root      20   0    6420     88      0 R  67.9  0.0   1338:17 srch_strings
10086 root      20   0    6420     88      0 S  59.9  0.0 948:43.70 srch_strings
10109 root      20   0   29908    596    216 R   8.9  0.0 165:51.01 blkls
10128 root      20   0   29904    584    212 S   8.6  0.0 165:21.78 blkls
10085 root      20   0   29908    592    216 D   6.6  0.0  94:14.18 blkls
10111 root      20   0   12100   1044    424 S   2.3  0.0  33:48.57 grep
10130 root      20   0   12104   1068    444 S   2.3  0.0  33:40.49 grep
10087 root      20   0   12104   1048    424 S   1.7  0.0  18:21.48 grep
10091 root      20   0   24984   1172    560 R   0.7  0.0  10:25.17 top
 1301 root       0 -20       0      0      0 S   0.3  0.0   1:39.53 kworker/4:1H
12433 root      20   0  175756  17536   3288 S   0.3  0.1   5:32.51 X
31927 root      20   0       0      0      0 S   0.3  0.0   0:47.63 kworker/0:2
    1 root      20   0    4268    116     80 S   0.0  0.0   0:34.56 init
    2 root      20   0       0      0      0 S   0.0  0.0   0:22.93 kthreadd
    3 root      20   0       0      0      0 S   0.0  0.0   6:50.01 ksoftirqd/0
    5 root       0 -20       0      0      0 S   0.0  0.0
[/code]

So it is minimally grep'ing, and on those 1.7T it is using some more of the CPU cycles for blkls, and most of the CPU cycles for srch_strings, but it is doing it via `|', a pipe, see again the [b]miroR.exec.log[/b] above, and so none of it, just the searched string, will remain. At least that's what I think it is doing, after I have read more of the Autopsy and TSK documentation.

And anyway I should have concentrated my searches on the unallocated space! But back those 30 hours from now, I didn't know how, and am not even certain now.

I now need to post this before the time is way beyond what is now today.
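An added example, not from the original post and not SleuthKit code: it models what the logged `blkls -e ... | srch_strings -a -t d | grep NAME` pipeline does on a small constructed byte buffer, and shows a caveat that matters for exactly the file name being searched. A strings-style extractor in its default 7-bit encoding treats every byte above 0x7F as non-printable, so a UTF-8 name containing ć or Š is emitted as several short ASCII fragments and a grep for the full name never matches, while a byte-level search for the UTF-8 encoding finds it. The decimal offsets from `-t d` are offsets into whatever was piped in: with `blkls -e` (every block, as logged) offset divided by block size is the file-system block address directly; with plain `blkls` (unallocated blocks only) it is an address in the extracted image, which `blkcalc -u` maps back to the original block. The 4 KiB block size, the three-block buffer and the names placed in it are assumptions of this example.

```python
import re

BLOCK_SIZE = 4096  # assumption: 4 KiB blocks, the common ext4 default


def ascii_strings(data: bytes, min_len: int = 4):
    """Yield (decimal_offset, text) for each run of printable 7-bit ASCII of at
    least min_len bytes, like `strings -t d` in its default encoding.
    Any byte >= 0x80 (every byte of a non-ASCII UTF-8 character) ends a run."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    for m in re.finditer(pattern, data):
        yield m.start(), m.group().decode("ascii")


def raw_byte_hits(data: bytes, needle: bytes):
    """Yield every byte offset at which needle occurs (overlaps included)."""
    start = 0
    while (pos := data.find(needle, start)) != -1:
        yield pos
        start = pos + 1


def offset_to_block(offset: int, block_size: int = BLOCK_SIZE):
    """Map a byte offset in a `blkls -e` dump (all blocks in file-system order)
    to (block address, offset within block). On plain `blkls` output
    (unallocated blocks only) the same division gives an address in the
    *extracted* image, which blkcalc -u maps back to the original block."""
    return divmod(offset, block_size)


def build_sample_image() -> bytes:
    """Constructed sample: three zero-filled blocks with two file names written
    into block 1, roughly where directory entries would sit."""
    names = [
        "Z1_F0325_Zoom.avi",
        "Z1_F0331_Zoom_Lovrić_Škaričić.avi",  # name from the post, UTF-8 encoded
    ]
    img = bytearray(3 * BLOCK_SIZE)
    pos = BLOCK_SIZE + 100
    for name in names:
        enc = name.encode("utf-8")
        img[pos:pos + len(enc)] = enc
        pos += len(enc) + 16  # leave a gap, like dirent padding
    return bytes(img)


def search_name(img: bytes, name: str) -> dict:
    """Search for a file name two ways and report where each finds it.

    strings_hits : what `srch_strings -a -t d | grep name` would print
    raw_hits     : (offset, block, offset_in_block) from a byte-level search
    fragments    : the ASCII runs overlapping each raw hit, i.e. what a 7-bit
                   extractor actually emits for that name
    """
    needle = name.encode("utf-8")
    strings = list(ascii_strings(img))
    strings_hits = [(off, s) for off, s in strings if name in s]
    raw_hits, fragments = [], []
    for off in raw_byte_hits(img, needle):
        blk, inblk = offset_to_block(off)
        raw_hits.append((off, blk, inblk))
        fragments.append([s for o, s in strings if off <= o < off + len(needle)])
    return {"strings_hits": strings_hits, "raw_hits": raw_hits, "fragments": fragments}


if __name__ == "__main__":
    image = build_sample_image()
    for n in ("Z1_F0325_Zoom.avi", "Z1_F0331_Zoom_Lovrić_Škaričić.avi"):
        r = search_name(image, n)
        print(n)
        print("  via strings|grep:", r["strings_hits"])
        print("  via raw bytes   :", r["raw_hits"], "fragments:", r["fragments"])
```

Run against the constructed buffer, the ASCII name is found both ways, while the name with ć and Š is found only by the byte-level search, with the extractor yielding just `Z1_F0331_Zoom_Lovri`, `kari` and `.avi` for it. The practical consequence for a keyword search over a whole volume is that the pattern should be the UTF-8 (or UTF-16) byte sequence of the name, or the extractor should be run in an encoding that keeps those bytes, before spending many CPU hours on it; once a hit's block address is known, `blkcat` on that block shows the directory entry or data around it.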