The HoneyNet Forensic Challenge -- Analysis & Findings
Disk Inode Analysis and Recovery with debugfs
List of deleted inodes
# /sbin/debugfs honeypot.hda?.dd -R lsdel > hda?.lsdel.out
Produce a list of files within directories from the lsdel output
# awk '$4 == 0 { print "ls -l <"$1">" | "/sbin/debugfs \
honeypot.hda?.dd" }' \
- hda?.lsdel.out >> hda?.del_dirs.out
Notes:
debugfs mini-HOWTOs:
Ext2fs-Undeletion
Ext2fs-Undeletion-Dir-Struct
Not all inodes are identified by the above; you also need to find those deleted inodes that are not in the hda?.del_dirs.out files.
See my HoneyNet submission for details.
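Added example (not from the original slides or the HoneyNet submission): one way to find the deleted inodes that the note above says are missed, by subtracting every inode number seen in the hda?.del_dirs.out listings from the lsdel list. The function names, the handling of a leading "debugfs:" prompt on listing lines, and the sample rows (constructed, not taken from the challenge images) are assumptions.

```shell
#!/bin/sh
# Added example: list deleted inodes (from lsdel) that no recovered
# directory listing references. File layouts below are assumptions.

# orphaned_inodes LSDEL_OUT DEL_DIRS_OUT  ->  prints "inode size" per line
orphaned_inodes() {
    awk -v dirs="$2" '
        FILENAME == dirs {
            sub(/^(debugfs: *)+/, "")   # assumed: prompt text may prefix a line
            ino = $1
            gsub(/[<>]/, "", ino)       # tolerate <inode> markers on entries
            if (ino ~ /^[0-9]+$/) listed[ino] = 1
            next
        }
        # lsdel data rows: numeric inode and owner; skips header and summary
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && !($1 in listed) { print $1, $4 }
    ' "$2" "$1"
}

# demo: run the check on constructed sample data
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/lsdel.out" <<'EOF'
 Inode  Owner  Mode    Size    Blocks   Time deleted
  8100      0  40755       0    1/   1 Mon Jan  1 00:00:00 2001
  8133      0 100644    2129    3/   3 Mon Jan  1 00:00:00 2001
  8134      0 100755   17969   18/  18 Mon Jan  1 00:00:00 2001
 23601      0 100644  520333  100/ 509 Mon Jan  1 00:00:00 2001
4 deleted inodes found.
EOF
    cat > "$tmp/del_dirs.out" <<'EOF'
debugfs:    8100   40755      0      0       0  1-Jan-2001 00:00 .
   8001   40755      0      0    4096  1-Jan-2001 00:00 ..
   8133  100644      0      0    2129  1-Jan-2001 00:00 install
   8134  100755      0      0   17969  1-Jan-2001 00:00 cleaner
debugfs:
EOF
    orphaned_inodes "$tmp/lsdel.out" "$tmp/del_dirs.out"
    rm -rf "$tmp"
}

demo
```

Each inode it prints can then be examined individually in debugfs, since no recovered directory entry supplies a name for it.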