I have managed to figure out a little of hexdump, and I looked into the kind of files that I need to undelete. I ran this one-liner on a few files like those. It's avi files gotten with mencoder on an old Hauppauge TV-card, on composite input.

[code]
$ for i in $(ls -1 Compo_F050*|grep -v tail|grep -v head |sed 's/\.avi//') ; \
do ls -l $i.avi ; \
cat $i.avi.hex-C.head | grep -A1 '41 56 49 20 4c 49 53 54' ; \
read FAKE ; \
done ;
-rw-r--r-- 1 miro miro 2619101478 2015-05-08 16:05 Compo_F0506_1431.avi
00000000 52 49 46 46 8c d3 ff 3f 41 56 49 20 4c 49 53 54 |RIFF...?AVI LIST|
00000010 36 02 00 00 68 64 72 6c 61 76 69 68 38 00 00 00 |6...hdrlavih8...|
-rw-r--r-- 1 miro miro 742218864 2015-05-08 19:26 Compo_F0507_1901.avi
00000000 52 49 46 46 68 5c 3d 2c 41 56 49 20 4c 49 53 54 |RIFFh\=,AVI LIST|
00000010 7e 01 00 00 68 64 72 6c 61 76 69 68 38 00 00 00 |~...hdrlavih8...|
-rw-r--r-- 1 miro miro 1276389040 2015-05-08 21:02 Compo_F0508_2000.avi
00000000 52 49 46 46 e2 d5 ff 3f 41 56 49 20 4c 49 53 54 |RIFF...?AVI LIST|
00000010 16 02 00 00 68 64 72 6c 61 76 69 68 38 00 00 00 |....hdrlavih8...|
-rw-r--r-- 1 miro miro 154334 2015-05-08 21:28 Compo_F0508_2128.avi
00000000 52 49 46 46 d6 5a 02 00 41 56 49 20 4c 49 53 54 |RIFF.Z..AVI LIST|
00000010 7e 01 00 00 68 64 72 6c 61 76 69 68 38 00 00 00 |~...hdrlavih8...|
$
[/code]

The output clearly shows a pattern, and that every avi file made like this has those strings. So I thought I'd just search for simply `AVI LIST' and I would find the beginning of each of the deleted avi files, and somehow find the ones that I want to undelete from among them.

But I can't search for strings in the "Data Unit" Mode section. Going way back with the arrow (corresponding to "Back" button in usual big browsers). But since reopening the "Keyword Search" still didn't offer me the "Load Unallocated" I decide to choose "Close" from the menu, and see if that gets me anywhere better. Back in the "Case Gallery" and again following "Analyze". Nope.
Doesn't offer "Load Unallocated". Back and choosing to "Close Host". And "Close Case". And reopening it. Whoah! I finally got it.

In the "Data Unit" I followed "Load Unallocated", and in what opens I can now choose from the menu only Keyword Search and Data Unit, apart from "Help" and "Close", because the other options are grayed out. So I choose the "Keyword Search". It looks like this:

[code]
Keyword Search of Unallocated Space
Enter the keyword string or expression to search for:
_________________________
[X] ASCII [X] Unicode
[ ] Case Insensitive
[ ] grep Regular Expression
[/code]

And there are buttons: "Load Original", "Extract Strings" and "Search", and a note, and predefined searches at the bottom.

I entered in the form "AVI LIST" (without quotes and that is just one blank between the two simple words). I read someplace in Autopsy help that in Unix the ASCII and not Unicode is usually used, but I'm so uncertain that I'll leave Unicode on as well. My unallocated is only 100G and that is so much less than the entire partition which is 1.7T, so the search shouldn't take too long.

[code]
miro@gbn ~ $ date --rfc-3339=seconds
2015-05-10 05:06:29+02:00
miro@gbn ~ $
[/code]

And I just tab to and follow the "Search". But it appears that something went wrong.
It all finished in no time, fraction of a second, immediately, and this shows:

[code]
Searching for ASCII: Done
Saving: Done
0 hits
--------------------
Searching for Unicode: Done
Saving: Done
0 hits
--------------------
New Search
--------------------
AVI LIST was not found
Search Options:
ASCII
Case Sensitive
--------------------
AVI LIST was not found
Search Options:
Unicode
Case Sensitive
--------------------
[/code]

And the unalloc exists, three of them exist:

[code]
gbn ~ # ls -l /mnt/g5n-C/autopsy/g5nCmn/g5n/output/
total 301148156
-rw-r--r-- 1 root root 47 2015-05-06 18:56 vgn-Cmn-0-0-0.srch
-rw-r--r-- 1 root root 47 2015-05-07 23:07 vgn-Cmn-0-0-1.srch
-rw-r--r-- 1 root root 49 2015-05-08 14:12 vgn-Cmn-0-0-2.srch
-rw-r--r-- 1 root root 49 2015-05-09 15:21 vgn-Cmn-0-0-3.srch
-rw-r--r-- 1 root root 47 2015-05-09 15:21 vgn-Cmn-0-0-4.srch
-rw-r--r-- 1 root root 49 2015-05-09 21:00 vgn-Cmn-0-0-5.srch
-rw-r--r-- 1 root root 47 2015-05-09 21:05 vgn-Cmn-0-0-6.srch
-rw-r--r-- 1 root root 49 2015-05-09 21:06 vgn-Cmn-0-0-7.srch
-rw-r--r-- 1 root root 102791860224 2015-05-09 23:14 vgn-Cmn-0-0-ext-1.unalloc
-rw-r--r-- 1 root root 102791860224 2015-05-09 23:24 vgn-Cmn-0-0-ext-2.unalloc
-rw-r--r-- 1 root root 18 2015-05-10 05:07 vgn-Cmn-0-0-ext-2.unalloc-0.srch
-rw-r--r-- 1 root root 20 2015-05-10 05:07 vgn-Cmn-0-0-ext-2.unalloc-1.srch
-rw-r--r-- 1 root root 102791860224 2015-05-09 22:51 vgn-Cmn-0-0-ext.unalloc
gbn ~ #
[/code]

Don't know. I can try and search for the other string that appears in all my avi's, the "hdrlavih8". But following "Search" did just the same immediate no hits. Impossible! I'm looking up the logs.
The miroR.exec.log has these lines at the bottom:

[code]
Sun May 10 05:07:25 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Sun May 10 05:07:25 2015: '/usr/bin/blkls' -e -f blkls -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' | '/usr/bin/srch_strings' -a -t d | '/bin/grep' 'AVI LIST'
Sun May 10 05:07:25 2015: '/usr/bin/blkls' -e -f blkls -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep' 'AVI LIST'
Sun May 10 05:13:43 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Sun May 10 05:13:43 2015: '/usr/bin/blkls' -e -f blkls -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' | '/usr/bin/srch_strings' -a -t d | '/bin/grep' 'hdrlavih8'
Sun May 10 05:13:43 2015: '/usr/bin/blkls' -e -f blkls -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep' 'hdrlavih8'
Sun May 10 05:15:19 2015: '/usr/bin/fsstat' -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
[/code]

What is wrong? I'll try and close the browser completely and restart my graphical links. In the next post.
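
An added example, not part of the original post: a direct scan of a raw dump (such as a `.unalloc` file) for the 16-byte pattern visible in the hexdump output above, that is `RIFF`, a 4-byte little-endian size, then `AVI LIST`. The function names, the chunk size and the zero-filled sample image are constructed for illustration; only the two header byte strings are taken from the post.

```python
import os
import re
import struct
import tempfile

# 'RIFF' + 4-byte little-endian size + 'AVI LIST', as in the hexdump lines above.
SIGNATURE = re.compile(rb"RIFF(.{4})AVI LIST", re.DOTALL)
SIG_LEN = 16


def find_avi_headers(path, chunk_size=1 << 20):
    """Return [(byte_offset, riff_size), ...] for each RIFF/AVI header in path."""
    hits = []
    with open(path, "rb") as f:
        base = 0      # file offset of buf[0]
        buf = b""
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                break
            buf += chunk
            for m in SIGNATURE.finditer(buf):
                (riff_size,) = struct.unpack("<I", m.group(1))
                hits.append((base + m.start(), riff_size))
            # Keep the last 15 bytes so a header split across two reads is
            # still matched, and never matched twice.
            keep = buf[-(SIG_LEN - 1):]
            base += len(buf) - len(keep)
            buf = keep
    return hits


def demo():
    # Constructed sample: zero-filled data with two headers copied from the
    # post's hexdump output, placed at arbitrary offsets (assumption).
    h1 = bytes.fromhex("52494646d65a0200415649204c495354")  # Compo_F0508_2128.avi
    h2 = bytes.fromhex("52494646685c3d2c415649204c495354")  # Compo_F0507_1901.avi
    image = bytearray(20000)
    image[4096:4096 + 16] = h1
    image[8190:8190 + 16] = h2   # straddles the 8192-byte read boundary
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(image)
    try:
        return find_avi_headers(tmp.name, chunk_size=4096)
    finally:
        os.unlink(tmp.name)


if __name__ == "__main__":
    for offset, size in demo():
        print(f"offset {offset}: RIFF size {size}, size+8 = {size + 8}")
```

For these two headers the decoded RIFF size plus 8 equals the file length in the `ls -l` output above (154334 and 742218864 bytes).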