I have read the manual pages for some of the Sleuthkit commands. And I think this recovery would all be much easier to do if I had not deleted the FILL IN ../DEL/ directory where the files to undelete were. But maybe I can learn a little more from the inode of that directory?

[code]
# ifind -f ext4 -i raw -n "MyVideos/H_All/Oth_1/DEL/" /dev/mapper/vgn-Cmn
24797188
[/code]

I'll try and see what entering that inode would give me. Entering it where? In "Meta Data". Entered it. And got these data:

[code]
Pointed to by file:
/1/MyVideos/H_All/Oth_1/DEL (deleted)

File Type (Recovered):
no read permission

MD5 of recovered content:
d41d8cd98f00b204e9800998ecf8427e -

SHA-1 of recovered content:
da39a3ee5e6b4b0d3255bfef95601890afd80709 -

Details:

inode: 24797188
Not Allocated
Group: 3027
Generation Id: 2792681576
uid / gid: 1000 / 1000
mode: drwxr-xr-x
Flags: Extents,
size: 0
num of links: 0

Inode Times:
Accessed: 2015-05-03 22:02:25.381551482 (CEST)
File Modified: 2015-05-04 00:32:57.239619911 (CEST)
Inode Modified: 2015-05-04 00:32:57.239619911 (CEST)
File Created: 2015-05-03 22:02:25.381551482 (CEST)
Deleted: 2015-05-04 00:32:57 (CEST)

Direct Blocks:
Error reading file: Invalid API argument (tsk_fs_attrlist_get: Null list pointer)

Enter number of Fragments to display: 5 "Force" (because the size is 0)
[/code]

where "Force" is a button with a link underneath, and the 5 is preset, can be changed to any number. And "Force" doesn't return any more info in the matter.

So, these data about DEL are nice to know, but there's nowhere yet to go from there.

-------------

I'll try something else (and without much of a clue, to be honest). Back from Case Gallery menu, this time I won't go into the Analyze menu, but go to: "File Activity Timeline" menu, which I have little idea at this time about. The opening page says:

[code]
File Activity Timelines

Here you can create a timeline of file activity.
This process requires two steps:

1. Create Data File from file system data ->
2. Create Timeline from the data file

Use the tabs above to start.
[/code]

---------------

I'll follow that guideline.

[code]
Here we will process the file system images, collect the temporal data, and save the data to a single file.

1. Select one or more of the following images to collect data from:
   [X] /1/ vgn-Cmn-0-0 ext

2. Select the data types to gather:
   [ ] Allocated Files   [X] Unallocated Files

3. Enter name of output file (body):
   output/body

4. Generate MD5 Value? [ ]

"OK"
[/code]

where "OK" is a button, and I followed the link underneath to activate the process.

That was quick. A few seconds delay and the next screen shows:

[code]
Running fls -rd -m on vol1

Body file saved to /Cmn/autopsy/g5nCmn/g5n/output/body

Entry added to host config file

The next step is to sort the data into a timeline.

"OK"
[/code]

After "OK", the next screen shows:

[code]
Now we will sort the data and save it to a timeline.

1. Select the data input file (body):
   [ ] body

2. Enter the starting date:
   None: [ ]
   Specify: [ ] [May][1] 2015

3. Enter the ending date:
   None: [ ]
   Specify: [X] [May] [4] 2015

4. Enter the file name to save as:
   output/timeline.txt

5. Select the UNIX image that contains the /etc/passwd and /etc/group files:
   [None ]

6. Choose the output format:
   [ ] Tabulated (normal)
   [ ] Comma delimited with hourly summary
   [ ] Comma delimited with daily summary

7. Generate MD5 Value? [ ]

"OK"
[/code]

And that was also superquick:

[code]
Creating Timeline for 2015-05-01..2015-05-04 (Time Zone: )

Timeline saved to /Cmn/autopsy/g5nCmn/g5n/output/timeline.txt

Entry added to host config file

"OK"

(NOTE: It is easier to view the timeline in a text editor than here)
[/code]

Really, Autopsy and Sleuthkit get clearer and more understandable only with practice.

However, it is still basically useless, as far as finding those files in this DEL directory:

[code]
Sun May 03 2015 22:02:25 0 .a.b d/drwxr-xr-x 1000 1000 24797188 /1/MyVideos/H_All/Oth_1/DEL (deleted)
[/code]

because none of them is listed. None. There's nothing left in that deleted directory! So I don't think timeline can be of any use here...

As a sidenote, all this is so consistent: "File Analysis" saw nothing underneath that DEL directory, "Inode not found" was the result for the search of the metadata for all the initial data units (or initial fragments) of the found AVI files, and now the Timeline repeats what the other two quests already confirmed.

There must be a way to go and recover those AVI files, as all of them bear the "Not allocated" mark by Autopsy!

What now?
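
As an added example (not part of the original post, and not Autopsy or Sleuthkit code): a small parser for the body file that `fls -rd -m` writes, which lists deleted entries at or below one directory without going through the timeline screens. It assumes the TSK 3.x body layout `MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime`; the child entry, the `keep.avi` and `DELTA` lines and their inode numbers in the sample are constructed.

```python
from datetime import datetime, timezone
from typing import NamedTuple

MARKERS = (" (deleted)", " (deleted-realloc)")  # suffixes fls appends to names

class BodyEntry(NamedTuple):
    name: str
    inode: str
    mode: str
    size: int
    times: tuple  # (atime, mtime, ctime, crtime) in epoch seconds
    deleted: bool

def parse_body_line(line):
    """Assumed layout: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime."""
    _md5, rest = line.rstrip("\n").split("|", 1)
    # A file name may contain '|', so peel the nine fixed fields off the right.
    name, inode, mode, _uid, _gid, size, *times = rest.rsplit("|", 9)
    deleted = False
    for marker in MARKERS:
        if name.endswith(marker):
            name, deleted = name[: -len(marker)], True
    return BodyEntry(name, inode, mode, int(size), tuple(map(int, times)), deleted)

def deleted_under(body_text, directory):
    """Deleted entries that are the directory itself or lie below it."""
    directory = directory.rstrip("/")
    entries = (parse_body_line(l) for l in body_text.splitlines() if l.strip())
    return [e for e in entries if e.deleted
            and (e.name == directory or e.name.startswith(directory + "/"))]

def touched_between(entry, start, end):
    """True if any of the four timestamps falls in [start, end)."""
    lo, hi = start.timestamp(), end.timestamp()
    return any(lo <= t < hi for t in entry.times)

# Constructed sample: the DEL line uses the inode and times from the post
# (converted from CEST to epoch seconds); the other three lines are made up.
SAMPLE_BODY = """\
0|/1/MyVideos/H_All/Oth_1/DEL (deleted)|24797188|d/drwxr-xr-x|1000|1000|0|1430683345|1430692377|1430692377|1430683345
0|/1/MyVideos/H_All/Oth_1/keep.avi|24797190|r/rrw-r--r--|1000|1000|734003200|1430600000|1430600000|1430600000|1430600000
0|/1/MyVideos/H_All/Oth_1/DEL/odd|name.avi (deleted)|24797201|r/rrw-r--r--|1000|1000|0|1430690000|1430690000|1430692377|1430690000
0|/1/MyVideos/H_All/Oth_1/DELTA/x.avi (deleted)|24797300|r/rrw-r--r--|1000|1000|0|1430690000|1430690000|1430692377|1430690000
"""

if __name__ == "__main__":
    for e in deleted_under(SAMPLE_BODY, "/1/MyVideos/H_All/Oth_1/DEL/"):
        first = datetime.fromtimestamp(min(e.times), tz=timezone.utc)
        print(e.inode, e.mode, e.size, first.isoformat(), e.name)
```

Run against the real `output/body`, an empty result below the directory line matches what "File Analysis" and the timeline showed: the name entries are gone, so only the directory's own inode remains.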