So I'll go now for the "Extract Unallocated", and, what do I do when it respawns the job unnecessarily? It's not much of unallocated space, because the `df -h' showed only some 13G, so, maybe I should be patient, and in the first place be sure to see clearly what will be going on.

Following the link under "Extract Unallocated" opens a new page. In it, in the top part:

[code]
Image Details
Name: vgn-Cmn-0-0
Volume Id: vol1
Parent Volume Id: img1
Image File Format: raw
Mounting Point: /1/
File System Type: ext

External Files
ASCII Strings:
Unicode Strings:
Unallocated Fragments:
ASCII Strings of Unallocated:
Unicode Strings of Unallocated:
-------------
[/code]

And in the bottom part:

[code]
Extract Strings of Entire Volume
Extracting the ASCII and Unicode strings from a file system will make keyword searching faster.
Generate MD5? [X]
ASCII: [X]
Unicode: [X]
Extract Strings

Extract Unallocated Fragments
Extracting the unallocated data in a file system allows more focused keyword searches and data recovery. (Note: This Does Not Include Slack Space)
Generate MD5? [X]
Extract Unallocated
[/code]

Apparently, I can choose only one of either "Extract Strings" or "Extract Unallocated". I suppose I have little unallocated space, and if I'm lucky I may find all those deleted files in there, and it's not going to be so much work, while if I go for the extracting of strings, that would be done on the entire 1.7T, which is much more work, and much of it unnecessary, as it looks to me now. So I go for the "Extract Unallocated". But I deselect Generate MD5? [ ] because I have nothing really (I don't think) to compare it against. The date is:

[code]
miro@gbn ~ $ date --rfc-3339=seconds
2015-05-09 22:21:10+02:00
miro@gbn ~ $
[/code]

OK. Following the link under "Extract Unallocated" (could have clicked, but I like better selecting it with tabbing to it and pressing the Right Arrow key).
[code]
miro@gbn ~ $ date --rfc-3339=seconds
2015-05-09 22:21:47+02:00
miro@gbn ~ $
[/code]

I took the exact time with that date command because I want to be sure about it when I read the logs. What it says, when it opened a blank page, is only: "Extracting unallocated data from vgn-Cmn-0-0" at the top, and at the very bottom it is showing some progress like: "Received 516 B, avg 3 B/s, cur 0 B/s" and that's all. This is in the output folder:

[code]
gbn ~ # ls -ltrh /mnt/g5n-C/autopsy/g5nCmn/g5n/output/
total 21G
-rw-r--r-- 1 root root  47 2015-05-06 18:56 vgn-Cmn-0-0-0.srch
-rw-r--r-- 1 root root  47 2015-05-07 23:07 vgn-Cmn-0-0-1.srch
-rw-r--r-- 1 root root  49 2015-05-08 14:12 vgn-Cmn-0-0-2.srch
-rw-r--r-- 1 root root  49 2015-05-09 15:21 vgn-Cmn-0-0-3.srch
-rw-r--r-- 1 root root  47 2015-05-09 15:21 vgn-Cmn-0-0-4.srch
-rw-r--r-- 1 root root  49 2015-05-09 21:00 vgn-Cmn-0-0-5.srch
-rw-r--r-- 1 root root  47 2015-05-09 21:05 vgn-Cmn-0-0-6.srch
-rw-r--r-- 1 root root  49 2015-05-09 21:06 vgn-Cmn-0-0-7.srch
-rw-r--r-- 1 root root 21G 2015-05-09 22:25 vgn-Cmn-0-0-ext.unalloc
gbn ~ #
[/code]

and the logs folder surely tells a few events. But I'll use a little one-liner to put some of those events into this file, this one-liner:

[code]
export SK=SK_150508_AviRecovery_3.txt
# for every file in the Autopsy logs folder: first its ls -l line, then its contents
for i in /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/* ; do
  ls -l "$i" >> "$SK"
  cat "$i" >> "$SK"
done
[/code]

(it was a one-liner, but I later broke it in more lines to fit better for the forum post.
Sure I embellished it with the underlines and shortened it as much as I thought best, not to lose too many details for a beginner like me, if people will be reading this, nor leave unnecessary detail, not easy to decide on these)

[code]
-rw-r--r-- 1 root root 591 2015-05-09 21:20 /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/host.log
=======================================================================================
[/code]

[code]
Tue May 5 11:39:13 2015: Host g5n added to case g5nCmn
Tue May 5 11:39:22 2015: Host g5n opened by miroR
Tue May 5 11:43:53 2015: Sym Linking image /dev/mapper/vgn-Cmn into g5nCmn:g5n
Tue May 5 11:43:53 2015: Image added: image img1 raw images/vgn-Cmn
Tue May 5 11:43:53 2015: Volume added: part vol1 img1 0 0 ext /1/
Tue May 5 11:44:44 2015: Image vol1 opened by miroR
Wed May 6 16:23:41 2015: Host g5n opened by miroR
Wed May 6 16:23:45 2015: Image vol1 opened by miroR
Sat May 9 21:17:49 2015: Host g5n opened by miroR
Sat May 9 21:20:08 2015: Image vol1 opened by miroR
[/code]

---

[code]
-rw-r--r-- 1 root root 11300 2015-05-09 22:21 /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.exec.log
===============================================================================================
[/code]

[code]
Tue May 5 11:43:24 2015: '/usr/bin/img_stat' -t "/dev/mapper/vgn-Cmn"
Tue May 5 11:43:24 2015: '/usr/bin/fsstat' -t -i raw "/dev/mapper/vgn-Cmn"
Tue May 5 11:43:53 2015: '/usr/bin/img_stat' -t "/dev/mapper/vgn-Cmn"
Tue May 5 11:43:53 2015: '/usr/bin/fsstat' -o 0 -i raw -f ext "/dev/mapper/vgn-Cmn"
Tue May 5 11:43:53 2015: /bin/ln -s '/dev/mapper/vgn-Cmn' '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May 5 11:44:15 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May 5 11:47:04 2015: '/usr/bin/fls' -f ext -la -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 11:48:26 2015: '/usr/bin/fls' -f ext -ldr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 11:48:48 2015: '/usr/bin/fls' -f ext -ldr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 11:55:47 2015: '/usr/bin/ifind' -f ext -n 'MyVideos/H_All/Oth_1/DEL' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
[...]
Tue May 5 12:49:06 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:49:20 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:49:29 2015: '/usr/bin/fls' -f ext -lpr -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May 5 12:53:57 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May 5 12:53:57 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep' 'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
[...]
Thu May 7 07:09:30 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Thu May 7 07:09:31 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep' 'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Thu May 7 07:19:31 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Thu May 7 07:19:32 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep' 'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Thu May 7 23:07:33 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep' 'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Sat May 9 15:21:19 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep' 'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Sat May 9 15:21:20 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep' 'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Sat May 9 21:05:40 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep' 'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Sat May 9 21:20:27 2015: '/usr/bin/fsstat' -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Sat May 9 21:21:48 2015: '/usr/bin/fls' -f ext -la -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Sat May 9 22:10:11 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Sat May 9 22:21:57 2015: '/usr/bin/blkls' -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' > '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext.unalloc'
[/code]

---

[code]
-rw-r--r-- 1 root root 5066 2015-05-09 22:21 /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.log
=========================================================================================
[/code]

[code]
Tue May 5 11:39:22 2015: Host g5n opened
Tue May 5 11:44:44 2015: vol1: volume opened
Tue May 5 11:47:04 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
Tue May 5 11:48:26 2015: vgn-Cmn-0-0: Listing all deleted files
Tue May 5 11:48:48 2015: vgn-Cmn-0-0: Listing all deleted files
Tue May 5 11:55:47 2015: vol1: Finding meta data address for MyVideos/H_All/Oth_1/DEL
Tue May 5 11:55:48 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/H_All/Oth_1/DEL/ (24797188)
[...]
Tue May 5 13:13:57 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi
Wed May 6 16:23:41 2015: Host g5n opened
Wed May 6 16:23:45 2015: vol1: volume opened
Wed May 6 16:23:51 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
[...]
Thu May 7 07:19:31 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi
Sat May 9 21:17:49 2015: Host g5n opened
Sat May 9 21:20:08 2015: vol1: volume opened
Sat May 9 21:20:27 2015: vgn-Cmn-0-0: Displaying file system details
Sat May 9 21:21:48 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
Sat May 9 22:21:57 2015: vol1: Saving unallocated data to output/vgn-Cmn-0-0-ext.unalloc
[/code]

---

Yeah, the output directory already shows:

[code]
gbn ~ # ls -l /mnt/g5n-C/autopsy/g5nCmn/g5n/output/
total 110360544
-rw-r--r-- 1 root root          47 2015-05-06 18:56 vgn-Cmn-0-0-0.srch
-rw-r--r-- 1 root root          47 2015-05-07 23:07 vgn-Cmn-0-0-1.srch
-rw-r--r-- 1 root root          49 2015-05-08 14:12 vgn-Cmn-0-0-2.srch
-rw-r--r-- 1 root root          49 2015-05-09 15:21 vgn-Cmn-0-0-3.srch
-rw-r--r-- 1 root root          47 2015-05-09 15:21 vgn-Cmn-0-0-4.srch
-rw-r--r-- 1 root root          49 2015-05-09 21:00 vgn-Cmn-0-0-5.srch
-rw-r--r-- 1 root root          47 2015-05-09 21:05 vgn-Cmn-0-0-6.srch
-rw-r--r-- 1 root root          49 2015-05-09 21:06 vgn-Cmn-0-0-7.srch
-rw-r--r-- 1 root root 28054294528 2015-05-09 22:43 vgn-Cmn-0-0-ext-1.unalloc
-rw-r--r-- 1 root root 84954845184 2015-05-09 22:43 vgn-Cmn-0-0-ext.unalloc
gbn ~ #
[/code]

and surely it will reflect in the miroR.log and miroR.exec.log. Right, they both have another line added:

[code]
Sat May 9 22:31:58 2015: vol1: Saving unallocated data to output/vgn-Cmn-0-0-ext-1.unalloc
[/code]

and:

[code]
Sat May 9 22:31:58 2015: '/usr/bin/blkls' -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' > '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-1.unalloc'
[/code]

respectively. And surely, the `top' command, to which I gave a terminal of its own, shows two rows of the blkls command at 20-30 %CPU.

[...]
A little late (see the dates), the output folder has three unalloc files:

[code]
-rw-r--r-- 1 root root  77986000896 2015-05-09 23:04 vgn-Cmn-0-0-ext-1.unalloc
-rw-r--r-- 1 root root  27782656000 2015-05-09 23:04 vgn-Cmn-0-0-ext-2.unalloc
-rw-r--r-- 1 root root 102791860224 2015-05-09 22:51 vgn-Cmn-0-0-ext.unalloc
[/code]

The one at the bottom is finished, so it's not so much to wait, and as I'm still new to Sleuthkit, I'm not absolutely certain that I wouldn't break something if I killed the other two unalloc being dumped, so I'll wait. Surely, in the end, it looked like this:

[code]
-rw-r--r-- 1 root root 102791860224 2015-05-09 23:14 vgn-Cmn-0-0-ext-1.unalloc
-rw-r--r-- 1 root root 102791860224 2015-05-09 23:24 vgn-Cmn-0-0-ext-2.unalloc
-rw-r--r-- 1 root root 102791860224 2015-05-09 22:51 vgn-Cmn-0-0-ext.unalloc
[/code]

And there was a timeout "error" similar to the one that I already described: LINK HERE

On that error I hit the "Cancel" in it, and moved back in the browser. It showed the previous screen, from which I started the "Extract Unallocated": the screen with the choice of "Extract Strings" and "Extract Unallocated", from which I chose the latter. But that screen also has two more buttons at the bottom. They are "Close" and "FileSystem". Don't know which to choose, but I'll guess I should try "FileSystem".
It shows

[code]
General File System Details
-------------------------
FILE SYSTEM INFORMATION
File System Type: Ext4
Volume Name:
Volume ID: 621656f7bd1ec7806941a2a26e05684e

Last Written at: 2015-04-01 11:59:42 (CEST)
Last Checked at: 2014-03-12 11:44:37 (CET)

Last Mounted at: 2015-04-01 11:59:42 (CEST)
Unmounted properly
Last mounted on: /Cmn

Source OS: Linux
Dynamic Structure
Compat Features: Journal, Ext Attributes, Resize Inode, Dir Index
InCompat Features: Filetype, Needs Recovery, Extents, Flexible Block Groups,
Read Only Compat Features: Sparse Super, Large File, Huge File, Extra Inode Size

Journal ID: 00
Journal Inode: 8
-------------------------
[/code]

along with just two more smallish paragraphs:

[code]
METADATA INFORMATION
Inode Range: 1 - 110059521
Root Directory: 2
Free Inodes: 110021883
Inode Size: 256
-------------------------
CONTENT INFORMATION
Block Groups Per Flex Group: 16
Block Range: 0 - 440235007
Block Size: 4096
Free Blocks: 258718324
-------------------------
[/code]

on top, and then a huge, huge list starts:

[code]
BLOCK GROUP INFORMATION
Number of Block Groups: 13435
Inodes per group: 8192
Blocks per group: 32768

Group: 0:
  Block Group Flags: [INODE_ZEROED, ..]
  Inode Range: 1 - 8192
  Block Range: 0 - 32767
  Layout:
    Super Block: 0 - 0
    Group Descriptor Table: 1 - 105
    Group Descriptor Growth Blocks: 106 - 1024
    Data bitmap: 1025 - 1025
    Inode bitmap: 1041 - 1041
    Inode Table: 1057 - 1568
    Data Blocks: 9249 - 32767
  Free Inodes: 8154 (99%)
  Free Blocks: 19692 (60%)
  Total Directories: 1
  Stored Checksum: 0x5F2A
  Stored Checksum: 0x5F2A

Group: 1:
  Block Group Flags: [INODE_UNINIT, INODE_ZEROED, ..]
  Inode Range: 8193 - 16384
  Block Range: 32768 - 65535
  Layout:
    Super Block: 32768 - 32768
    Group Descriptor Table: 32769 - 32873
    Group Descriptor Growth Blocks: 32874 - 33792
    Data bitmap: 1026 - 1026
    Inode bitmap: 1042 - 1042
    Inode Table: 1569 - 2080
    Data Blocks: 33793 - 65535
  Free Inodes: 8192 (100%)
  Free Blocks: 1097 (3%)
  Total Directories: 0
  Stored Checksum: 0xB0C6
[/code]

and here I cut out some 13431 groups, and give just the very last group:

[code]
Group: 13434:
  Block Group Flags: [INODE_UNINIT, INODE_ZEROED, ..]
  Inode Range: 110051329 - 110059520
  Block Range: 440205312 - 440235007
  Layout:
    Data bitmap: 439877642 - 439877642
    Inode bitmap: 439877658 - 439877658
    Inode Table: 439882784 - 439883295
    Data Blocks: 440205312 - 440235007
  Free Inodes: 8192 (100%)
  Free Blocks: 1024 (3%)
  Total Directories: 0
  Stored Checksum: 0x2070
[/code]

That gives me a reference if I will need it later. I guess I can find that information any time under "Image Details", or? That screen also gave me back the menu at the top, which I didn't list before. Well, I can now: "File Analysis", "Keyword Search", "File Type", "Image Details", "Meta Data", "Data Unit", "Help" and "Close". I think I'll tab into "Keyword Search" again. I did. And I think it should have, OK, showed a similar screen as before, but with the option of "Load Unallocated", which I don't have as an option. So I can't do anything with this. I have gone to browse all the titles of the menu that I just listed above (well, all except "Help" and "Close" of course), but only one of them all offers me to "Load Unallocated", and it's the "Data Unit". So I stay at "Data Unit" and "Load Unallocated". But it's still kind of useless for what I had in mind. And in the next post I'll try and explain what I thought I would do next, and why.
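The respawned blkls jobs above each wrote the same unallocated data to a new `-ext-N.unalloc` file, which is easy to spot in the `<user>.exec.log` once you know what to look for. The script below is an added example written for this write-up, not part of the post and not an Autopsy or Sleuthkit tool: it parses exec-log lines in the format quoted above and reports every volume whose unallocated dump was started more than once. The sample log is constructed from the post's format, and the third blkls timestamp is made up.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Autopsy's <user>.exec.log quoted in the post.
# The 22:42:03 entry is invented; the post itself only shows the first two dumps.
SAMPLE_EXEC_LOG = """\
Sat May 9 21:05:40 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep' 'Z1_F0331_Zoom_Lovrić_Škaričić\\.avi'
Sat May 9 22:10:11 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Sat May 9 22:21:57 2015: '/usr/bin/blkls' -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' > '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext.unalloc'
Sat May 9 22:31:58 2015: '/usr/bin/blkls' -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' > '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-1.unalloc'
Sat May 9 22:42:03 2015: '/usr/bin/blkls' -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' > '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc'
"""

# Only a blkls run whose output is redirected into a file is an unallocated dump.
# The piped "blkls -e ... | srch_strings" keyword searches have no "> 'file'" and
# therefore do not match, which is intended.
DUMP_RE = re.compile(
    r"^(?P<ts>[^:]+:\d\d:\d\d \d{4}): '/usr/bin/blkls' (?P<opts>[^']*?) "
    r"'(?P<image>[^']+)' > '(?P<out>[^']+)'$"
)


def parse_dumps(log_text):
    """Return one (timestamp, image, options, output_file) tuple per unallocated dump."""
    dumps = []
    for line in log_text.splitlines():
        m = DUMP_RE.match(line)
        if m:
            dumps.append((m["ts"], m["image"], m["opts"], m["out"]))
    return dumps


def find_respawned_dumps(dumps):
    """Group dumps by (image, options); more than one output file for the same key
    means the identical unallocated data is being written again by a respawned job."""
    by_job = defaultdict(list)
    for ts, image, opts, out in dumps:
        by_job[(image, opts)].append((ts, out))
    return {job: runs for job, runs in by_job.items() if len(runs) > 1}


def report(log_text):
    """One readable line per dump of a respawned job, first run marked as the keeper."""
    lines = []
    for (image, opts), runs in find_respawned_dumps(parse_dumps(log_text)).items():
        first_ts, first_out = runs[0]
        lines.append(f"{image} ({opts}): first dump {first_out} at {first_ts}")
        for ts, out in runs[1:]:
            lines.append(f"  respawned at {ts} -> {out} (redundant once the first completes)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EXEC_LOG)) or "no respawned unallocated dumps found")
```

Run it against the real `miroR.exec.log` by reading the file into `report()`; the finished dumps that it lists as redundant are the ones whose sizes ended up identical in the listing above.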