±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 33057
New Yesterday: 5 Visitors: 205

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

RSS Feed Widget

±Latest Webinars

ZFS deleted files recovery

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
Go to page Previous  1, 2 
  

Re: ZFS deleted files recovery

Post Posted: Mon Jul 03, 2017 2:28 pm

1. Download FreeBSD .ISO file from here: download.freebsd.org/f...AGES/12.0/

2. Install the downloaded .ISO file to a USB drive to create a Live USB using PenDriveLinux: www.pendrivelinux.com/...-as-1-2-3/

OR

2. Purchase a FreeBSD DVD or USB drive with FreeBSD already installed from OSDISC: www.osdisc.com/products/freebsd

OR

2. Burn the FreeBSD .ISO file to a DVD

3. Boot the DVD to FreeBSD in your Virtual Box software

OR

4. Boot your forensic workstation to FreeBSD using the DVD or Live USB drive

Use the tools with FreeBSD as described by BunnySniper  

UnallocatedClusters
Senior Member
 
 
  

Re: ZFS deleted files recovery

Post Posted: Sat Jul 15, 2017 1:24 pm

Bunnysniper, UnallocatedClustersI installed FreeBSD on Virtual Machine, but what's next?
I connected my images to my VM. I was trying mount zpool but OS refused it, because zpool has the same mounting point as FreeBSD (e.g. zpool has the mount point zpool/var and FreeBSD has the mount point /var). Before I was trying same actions, but I was using Ubuntu. I changed one parameter and Ubuntu agree to mount my zpool but I got to mix, because data of zpool mixed with data of folder Ubuntu (e.g. zpool mount point zpool/var mixedthe mount point /var of Ubuntu). I hope we got me.

How to right connect zpool that zpool didn't has a changes? Which are tools to use for repair deleted data? How to do the image zpool that it be possible to exam on, for example, X-way?

Clarify these question for me, please. Generally, I got what I need to do, but I need to know more exactly, because I'm a little confused.

Thanks in advance for your help.  

Eugene_777
Member
 
 
  

Re: ZFS deleted files recovery

Post Posted: Sat Jul 15, 2017 3:48 pm

- Eugene_777
Bunnysniper, UnallocatedClustersI installed FreeBSD on Virtual Machine, but what's next?


It seems to me like Unallocated Clusters suggested a Live DVD/USB stick and not an install. Confused

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: ZFS deleted files recovery

Post Posted: Sun Jul 16, 2017 5:40 am

- jaclaz
- Eugene_777
Bunnysniper, UnallocatedClustersI installed FreeBSD on Virtual Machine, but what's next?


It seems to me like Unallocated Clusters suggested a Live DVD/USB stick and not an install. Confused

jaclaz


Yes, it's. But what is different, whether I will use Live DVD/USB stick with FreeBSD or it will install FreeBSD on separate virtual disk?  

Eugene_777
Member
 
 
  

Re: ZFS deleted files recovery

Post Posted: Sun Jul 16, 2017 7:12 am

- Eugene_777


Yes, it's. But what is different, whether I will use Live DVD/USB stick with FreeBSD or it will install FreeBSD on separate virtual disk?


I don't know[1], but generally speaking when attempting to follow a suggestion the "recommended" approach is to follow it EXACTLY, without introducing ANY change to the suggestion, particularly if the suggestion is related to something with which you don't have familiarity or experience.

ONLY when (and if) the suggestion, implemented EXACTLY as described fails (for whatever reasons) one can try introducing variations (if it works, it just works so there is no need to introduce them, uness you take the occasion for doing further, different experiments).

jaclaz

[1] but while I still don't know, I can easily guess that a Live *something* is designed for "external" access and implemented as being not intrusive on the internal machine hard disks, so *somehow* it should (may) avoid the issue of the overlapping of the /var (that you just experienced) and possibly other issues in the mounting process which you did not (yet) find out.
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 


Last edited by jaclaz on Sun Jul 16, 2017 9:06 am; edited 1 time in total

jaclaz
Senior Member
 
 
  

Re: ZFS deleted files recovery

Post Posted: Sun Jul 16, 2017 8:19 am

With ZFS you should have previous snapshots, just grab your files from there ?!
_________________
Passcodeunlock - mobile/tablet screen unlocking
passcodeunlock.com 

passcodeunlock
Senior Member
 
 

Page 2 of 2
Go to page Previous  1, 2