###########################################################################
#
#  Data Recovery and Forensics
#
#  Anuradha Weeraman, 25 September 2002
#
#  $Id: forensics.txt,v 1.1 2004/06/02 21:17:53 anuradha Exp $
#
###########################################################################

note on tool names : these notes use the @Stake Sleuth Kit (TASK)
command names of 2002. current releases of The Sleuth Kit renamed the
data unit tools (dls -> blkls, dcat -> blkcat, dcalc -> blkcalc) and the
file system type strings (linux-ext2 -> ext2; ext3 and ext4 are also
supported), and fsstat reports the block size. the procedures below are
otherwise unchanged.

-----
icat (@Stake Sleuth Kit)

to display the contents of a particular inode :

  icat -f linux-ext2 disk.dd 250 | less
----------

-----
scenario using the @Stake Sleuth Kit

search unallocated space for the string "abcdefg".

1) extract the unallocated disk units :

     dls -f linux-ext2 disk.dd > disk.dls

2) use the strings utility to extract all the ascii strings in disk.dls.
   use '-t d' to print the byte offset of each string in decimal :

     strings -t d disk.dls > disk.str

3) grep the strings file :

     grep abcdefg disk.str

4) assume the string offset is found to be 74594. next, determine which
   fragment that falls in. to do that, we need to know how big each
   fragment is :

     dcat -s -f linux-ext2 disk.dd

   assume this shows that a fragment is 1024 bytes long. divide the
   offset by this number, discarding the remainder :

     74594 / 1024 = 72   (remainder 866)

   this means that the string is located in fragment 72 of the dls
   generated file, starting 866 bytes into it. but the dls image is not
   the real file system, it is all the unallocated units concatenated
   in address order. to view the fragment from the dls image :

     dd if=disk.dls bs=1024 skip=72 count=1 | less

   note that a string can straddle two fragments : if the offset within
   the fragment plus the length of the string exceeds the fragment size,
   the rest of the string is in fragment 73 (use count=2 to see both).

5) next we use dcalc to identify the block in the original image. dcalc
   returns the address in the original image when given the address in
   the dls generated image. the '-u' flag says the address given is a
   dls address; the '-d' flag is for dd (original image) addresses :

     dcalc -f linux-ext2 -u 72 disk.dd

   assume it says the location in the original image is 170. to view the
   contents of this fragment :

     dcat -f linux-ext2 disk.dd 170

6) to see if there is an inode that points to this fragment :

     ifind -f linux-ext2 -a disk.dd 170

   assume it says inode 15. to get more information about inode 15 :

     istat -f linux-ext2 disk.dd 15

7) to see if there is a file name associated with this inode :

     ffind -f linux-ext2 -a disk.dd 15

   an asterisk indicates that the file is deleted.
----------

-----
fls (@Stake Sleuth Kit)

to view all deleted files in an image :

  fls -f linux-ext2 -rd disk.dd

-r for recursive and -d for deleted entries only.

on some systems the file contents may be recovered, depending on system
activity since the deletion, but on systems like solaris recovery is not
quite as easy : solaris UFS clears the block pointers in the inode when
a file is deleted, so istat on the deleted inode no longer lists its
blocks.

sample output :

  d/d * 232:    /dirname1
  r/d * 233:    /filename1

'*' indicates that the file is deleted, and 232, 233 are inode numbers.
it is possible to do an 'istat' on them to see the inode meta-data.
----------
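worked model of the unallocated-space scenario above (steps 1 to 5 :
dls, strings/grep, offset -> fragment, dcalc -u). this is an added
example written for these notes, not code from The Sleuth Kit, and it
deliberately uses python instead of the real tools so it runs on any
host without an image file or a TSK install. everything in it is
constructed : an 8-block "disk image" with a 16-byte block size and an
allocation bitmap, with "abcdefg" planted in an unallocated block. the
point is to show why dcalc is needed (a dls address is just an index
into the list of unallocated units) and the one caveat the steps gloss
over, a string that straddles two fragments.

```python
"""Toy model of dls / dcalc / dcat from the scenario in these notes.

Added example, not Sleuth Kit code. It constructs a tiny 8-block image
with an allocation bitmap so every number can be checked by hand.
"""

BLOCK_SIZE = 16  # constructed: a tiny fragment size (the notes assume 1024)

# constructed allocation bitmap for an 8-block image: True = allocated
ALLOCATED = [True, True, False, True, False, False, True, False]


def make_image():
    """Build the constructed image: block i holds a marker like 'A1' or
    'U5' padded to BLOCK_SIZE, and the target string is planted in
    unallocated block 5, 4 bytes in."""
    blocks = []
    for i, used in enumerate(ALLOCATED):
        tag = ("A" if used else "U") + str(i)
        blocks.append(tag.encode().ljust(BLOCK_SIZE, b"."))
    blocks[5] = b"U5.." + b"abcdefg" + b"....."  # exactly 16 bytes
    assert all(len(b) == BLOCK_SIZE for b in blocks)
    return b"".join(blocks)


def dls(image, allocated, bsize):
    """What dls does: concatenate the unallocated data units in address
    order, dropping the allocated ones."""
    return b"".join(
        image[i * bsize:(i + 1) * bsize]
        for i, used in enumerate(allocated) if not used
    )


def dcalc_u(dls_addr, allocated):
    """What 'dcalc -u' does: the n-th unit of the dls image is the n-th
    unallocated unit of the original image."""
    unalloc = [i for i, used in enumerate(allocated) if not used]
    return unalloc[dls_addr]


def dcalc_d(orig_addr, allocated):
    """What 'dcalc -d' does: original address -> dls address, or None
    when the unit is allocated and therefore absent from the dls image."""
    if allocated[orig_addr]:
        return None
    return sum(1 for used in allocated[:orig_addr] if not used)


def dcat(image, addr, bsize):
    """What dcat does: return one data unit of the original image."""
    return image[addr * bsize:(addr + 1) * bsize]


def locate(image, allocated, bsize, needle):
    """Steps 1-5 end to end. Returns
    (dls unit, offset within unit, original unit, straddles_next_unit)
    or None when the needle is not in unallocated space."""
    dls_img = dls(image, allocated, bsize)
    off = dls_img.find(needle)            # the 'strings -t d | grep' step
    if off == -1:
        return None
    unit, inner = divmod(off, bsize)      # 74594 / 1024 = 72 rem 866 in the notes
    straddles = inner + len(needle) > bsize  # tail continues in unit + 1
    return unit, inner, dcalc_u(unit, allocated), straddles


if __name__ == "__main__":
    img = make_image()
    unit, inner, orig, straddles = locate(img, ALLOCATED, BLOCK_SIZE, b"abcdefg")
    print(f"dls unit {unit}, offset {inner} -> original unit {orig}, "
          f"straddles next unit: {straddles}")
    print(dcat(img, orig, BLOCK_SIZE))
```

with the constructed bitmap the dls image holds original blocks 2, 4, 5
and 7, so "abcdefg" (block 5, 4 bytes in) turns up at dls offset 36,
which is dls unit 2 and maps back to original unit 5; the same
arithmetic with the notes' numbers gives 74594 -> unit 72, 866 bytes in.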