ZFS deleted files recovery

MazenX
(@mazenx)
New Member

Need help with finding tools to recover deleted files, or to recover only the metadata of deleted files, on the ZFS file system. The Sleuth Kit doesn't support ZFS as far as I know. The tool had better run on Solaris, because the storage is in the tens of TB and taking an image is not an option.

Topic starter Posted : 27/05/2016 2:23 pm
Eugene_777
(@eugene_777)
New Member

I have the same problem. I need to recover deleted files. I have a ZFS pool of about 6TB. I created images of the hard disks, connected them in FTK Imager and added them to VirtualBox. Then I ran VirtualBox. The OS loaded and I could see the data. But I don't know how to create an image from the zfs pool and examine it in FTK or X-Ways.

Posted : 02/07/2017 3:18 am
Bunnysniper
(@bunnysniper)
Active Member

Can you make a physical copy of the hard drive? If yes, I would use FreeBSD to recover the files. FreeBSD speaks ZFS and you can compile foremost and scalpel from source easily. Or use the precompiled binaries from the packages. dd should be your friend to create a raw dd file from ZFS, if you want to analyse it in any other operating system. /etc/fstab will be helpful to mount the external drive in ro mode.

This would be my path to a possible recovery. And I would check if X-Ways Forensics can handle the ZFS file system.

Good luck!

Posted : 02/07/2017 7:32 pm
Eugene_777
(@eugene_777)
New Member

I don't know, but it seems to me that UFS Explorer doesn't work with zfs partitions?

Posted : 02/07/2017 7:48 pm
Eugene_777
(@eugene_777)
New Member

Bunnysniper, I'm not able to make a physical copy of the hard disk. But I have made image files as I wrote above and loaded them in VirtualBox. How can I make a dd image of the whole zpool and move this image onto my physical machine?

What is the difference between my method and yours?

Posted : 02/07/2017 8:01 pm
Bunnysniper
(@bunnysniper)
Active Member

What is the difference between my method and yours?

I would use FreeBSD for file carving. It understands ZFS and you can use open-source file carving software. As I understand, you want to recover files, and I would do it with FreeBSD.
best regards,
Robin

Posted : 03/07/2017 7:20 pm
UnallocatedClusters
(@unallocatedclusters)
Senior Member

1. Download the FreeBSD .ISO file from here: https://download.freebsd.org/ftp/snapshots/amd64/amd64/ISO-IMAGES/12.0/

2. Install the downloaded .ISO file to a USB drive to create a Live USB using PenDriveLinux: https://www.pendrivelinux.com/universal-usb-installer-easy-as-1-2-3/

OR

2. Purchase a FreeBSD DVD or USB drive with FreeBSD already installed from OSDISC: https://www.osdisc.com/products/freebsd

OR

2. Burn the FreeBSD .ISO file to a DVD

3. Boot the DVD to FreeBSD in your VirtualBox software

OR

4. Boot your forensic workstation to FreeBSD using the DVD or Live USB drive

Use the tools with FreeBSD as described by Bunnysniper.

Posted : 03/07/2017 9:28 pm
Eugene_777
(@eugene_777)
New Member

Bunnysniper, UnallocatedClusters: I installed FreeBSD on a virtual machine, but what's next?
I connected my images to my VM. I was trying to mount the zpool but the OS refused, because the zpool has the same mount points as FreeBSD (e.g. the zpool has the mount point zpool/var and FreeBSD has the mount point /var). Before that I tried the same actions using Ubuntu. I changed one parameter and Ubuntu agreed to mount my zpool, but I got a mix, because the data of the zpool got mixed with the data of Ubuntu's folders (e.g. the zpool mount point zpool/var mixed with the mount point /var of Ubuntu). I hope you got me.

How do I connect the zpool correctly so that the zpool doesn't get any changes? Which tools should I use to recover deleted data? How do I image the zpool so that it is possible to examine it in, for example, X-Ways?

Clarify these questions for me, please. Generally, I understand what I need to do, but I need to know more exactly, because I'm a little confused.

Thanks in advance for your help.

Posted : 15/07/2017 8:24 pm
jaclaz
(@jaclaz)
Community Legend

Bunnysniper, UnallocatedClusters: I installed FreeBSD on a virtual machine, but what's next?

It seems to me that Unallocated Clusters suggested a Live DVD/USB stick and not an install?

jaclaz

Posted : 15/07/2017 10:48 pm
Eugene_777
(@eugene_777)
New Member

Bunnysniper, UnallocatedClusters: I installed FreeBSD on a virtual machine, but what's next?

It seems to me that Unallocated Clusters suggested a Live DVD/USB stick and not an install?

jaclaz

Yes, it is. But what is the difference, whether I use a Live DVD/USB stick with FreeBSD or install FreeBSD on a separate virtual disk?

Posted : 16/07/2017 12:40 pm
jaclaz
(@jaclaz)
Community Legend

Yes, it is. But what is the difference, whether I use a Live DVD/USB stick with FreeBSD or install FreeBSD on a separate virtual disk?

I don't know[1], but generally speaking, when attempting to follow a suggestion the "recommended" approach is to follow it EXACTLY, without introducing ANY change to the suggestion, particularly if the suggestion is related to something with which you don't have familiarity or experience.

ONLY when (and if) the suggestion, implemented EXACTLY as described, fails (for whatever reasons) can one try introducing variations (if it works, it just works, so there is no need to introduce them, unless you take the occasion for doing further, different experiments).

jaclaz

[1] but while I still don't know, I can easily guess that a Live *something* is designed for "external" access and implemented as being not intrusive on the internal machine hard disks, so *somehow* it should (may) avoid the issue of the overlapping of the /var (that you just experienced) and possibly other issues in the mounting process which you did not (yet) find out.

Posted : 16/07/2017 2:12 pm
passcodeunlock
(@passcodeunlock)
Senior Member

With ZFS you should have previous snapshots, just grab your files from there?!

Posted : 16/07/2017 3:19 pm
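The read-only import that Eugene_777 asked about (post of 15/07/2017), done so that the pool's /var does not collide with the live system's /var, plus the snapshot listing passcodeunlock mentions. This is an added example, not code from any poster in the thread; the pool name "evidence", the altroot path /mnt/evidence and the sample `zfs list` output are assumed or constructed.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes the disk images are attached
# to the FreeBSD (or Ubuntu) VM and the pool is named "evidence" (hypothetical).
# -R sets an altroot that is prefixed to every dataset mountpoint, so the
# pool's /var mounts at /mnt/evidence/var instead of over the host's /var.
# readonly=on keeps the pool unchanged; -N imports without mounting so the
# mountpoints can be checked before anything is mounted.
ALTROOT=/mnt/evidence
POOL=evidence

import_pool_readonly() {
    # -f: the pool was never exported from its original host.
    zpool import -f -N -o readonly=on -R "$ALTROOT" "$POOL" &&
    zfs mount -a
}

# Reads "name<TAB>mountpoint" lines, as printed by
# `zfs list -H -o name,mountpoint -r "$POOL"`, and prints every dataset whose
# mountpoint would fall outside the altroot, i.e. overlap the live system.
find_escaping_mounts() {
    altroot=$1
    awk -F'\t' -v root="$altroot" '
        $2 == "none" || $2 == "legacy" || $2 == "-" { next }
        index($2, root "/") != 1 && $2 != root { print $1 "\t" $2 }
    '
}

# Snapshots are read-only views of earlier dataset states; a file deleted
# after a snapshot was taken is still present under that snapshot.
list_snapshots() {
    zfs list -H -t snapshot -o name,creation -r "$POOL"
}

# Constructed samples: mountpoints of a pool imported without an altroot
# (the collision Eugene_777 hit) and the same pool imported with -R.
SAMPLE_BAD=$(printf 'evidence\t/\nevidence/var\t/var\nevidence/home\t/home\n')
SAMPLE_GOOD=$(printf 'evidence\t/mnt/evidence\nevidence/var\t/mnt/evidence/var\nevidence/home\t/mnt/evidence/home\n')

if [ "${1:-}" = "--demo" ]; then
    echo "Datasets that would overlap the live system:"
    printf '%s\n' "$SAMPLE_BAD" | find_escaping_mounts "$ALTROOT"
fi
```

Run the script with `--demo` to see the check on the constructed sample; on a real VM, run `import_pool_readonly` and then pipe `zfs list -H -o name,mountpoint -r evidence` into `find_escaping_mounts /mnt/evidence` before trusting the mounts.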