This was a post on Gentoo Forums:

A[n Instance of] Basic Data Recovery with SleuthKit
https://forums.gentoo.org/viewtopic-t-1016618.html
=========================================================
(now to be vacated)

Renaming it with a more appropriate title:

An Avi Video Recovery with SleuthKit
=========================================================

Notice: This topic is currently somewhat unruly, but lots of inconsistencies will be corrected, improved, shortened, or cleared out with additional info, after more proofreading, pls. bear with me.

------------------

I had created a directory:

[code]mkdir /Cmn/MyVideos/H_All/Oth_1/DEL[/code]

and while sifting through various files, I put in there a few files that I would delete later, as I couldn't make up my mind that I really wanted to delete them, and set the later at 10000s from then, like this:

[code]sleep 10000 && rm -v /Cmn/MyVideos/H_All/Oth_1/DEL/* &[/code]

Then I worked on, and mistakenly put in a few files that I wouldn't want to delete, but those near three hours passed, and while I was doing unrelated work, I noticed the output from the background job that I issued before:

[code]ukra@uabox $ removed ‘DEL/HRT3_F0328_1802.avi’
removed ‘DEL/Z1_F0325_Zoom.avi’
removed ‘DEL/Z1_F0326_BraniteljiDanas_ZoricaGregurić_ZoranGrujić_Zadruge.avi’
removed ‘DEL/Z1_F0331_MarkovTrg_MihovilBogoljubMatković_IvanHrstić.avi’
removed ‘DEL/Z1_F0331_Zoom_Lovrić_Škaričić.avi’[/code]

Later I even deleted the DEL:

[code]rmdir /Cmn/MyVideos/H_All/Oth_1/DEL[/code]

I am having a much more advanced issue that I have been struggling with for much longer, and compounded with censorship on me, which is just an instance of typical censorship by the current traitor regime in power in Croatia, but which makes it much harder for me to dedicate my efforts entirely to the technical issues of the dd-overwritten luks volume recovery:

Recover partly overwritten luks volume?
http://forums.gentoo.org/viewtopic-t-1004014.html

[It makes it much harder for me because the censorship is being battled against by revealing it, see my idea for a program:

The uncenz
http://github.com/miroR/uncenz

and also by help from free uncensored people ...that sometimes never arrives, uh!]

I have, however, reached the understanding there, on the issue of my partly overwritten luks volume, that the issue is so advanced that I will anyway need very thorough understanding of at least all the basic functionality of SleuthKit to accomplish anything in that luks volume recovery.

So the recovery of these files in the top of this page in an unrelated system to that luks recovery issue, and on an unrelated partition, will be a good practice to try and get a good understanding of the SleuthKit and its ways.

Firstly about the partition where those few files have been deleted. It's not mounted, but it looks very similar to some other of the partitions in my other systems where I store data, so had it been mounted, I can, looking at those other systems, by comparison, confidently say that it would, were it now mounted, currently look like this:

[code]# df -h
Filesystem      Size  Used Avail Use% Mounted on
[..]
/Cmn            1.7T  1.6T   13G  99% /export/data
[...]
#[/code]

It's an ext4 partition.

It is possible I won't get all those files undeleted because of the little free space left, but if I get any, it'll be fine learning for me.

However, I seem to have started somewhat wrong, as I'll try and explain below, and am already a little puzzled with a few things.

I set the autopsy like this:

# autopsy -p 9999 192.168.3.3 &

so I can view it from a different host in my network (the host where the partition is mounted being 192.168.3.2).

After I created the case, I first looked up if I could see those files in the File Analysis, and I couldn't. The deleted directory DEL I was able to find, and it looks like this:

[code]Name  Written              Accessed             Changed              Size  UID   GID   Meta
DEL/  2015-05-04 00:32:57  2015-05-03 22:02:25  2015-05-04 00:32:57  0     1000  1000  24797188[/code]

and it was in bright