
carving email from ext3 lost+found and header analysis..

(@lonelywolf)

hi friends,

i am not approaching a computer forensics examination, but maybe you could help me.. tonight something went wrong (a hardware issue.. -.-) and our mailserver is dead (now it is up again..)

The problem is that when we ran fsck over that disk, it stored "everything" it found in lost+found…

with "strings -f -t x | grep Return-Path"

i've discovered every file and offset where an email seems to start (is this statement correct?) but i have some problems determining where an email ends (to write some piece of code to extract them from there…).
By watching the offsets i've realized that the distance between some messages is 10000h (65536d) while for others it is 1000 (4096d) … other distances are completely different…

mmm, should i think that every email ends with

NextPart_000_00DA_01C7B4F2.A69F6DE0-- ?
well, this is only ONE message, however this is a standard format..
or is it only how MIME messages end?

NextPart_ fixed string
xxx_ 3 chars followed by _
xxxx_ 4 chars followed by _
xxxxxxxx. 8 chars followed by .
xxxxxxxx-- 8 chars followed by --

what do u think?

any suggestions for recovering these emails from the lost+found files?
how can i identify exactly where an email starts and finishes?
is there some other voodoo spell i can try, or software which accomplishes exactly this?

Thanks in advance


   
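One way to locate message ends, as an added example that is not part of the original post: a multipart message is cut at its closing delimiter (`--` + the `boundary=` value from its own Content-Type header + `--`), and anything else is cut at the first NUL byte of block slack or at the next start. Assumptions: every message begins with a `Return-Path:` header, and the names `carve`, `message_end` and the sample bytes are constructed for illustration.

```python
import re

# A start is "Return-Path:" at file start, after a newline, or after NUL slack.
START = re.compile(rb"(?<![^\n\x00])Return-Path:")
BLANK = re.compile(rb"\r?\n\r?\n")      # blank line that ends the header block
FOLD = re.compile(rb"\r?\n[ \t]+")      # folded (continued) header line
BOUNDARY = re.compile(
    rb'^Content-Type:\s*multipart/[^\n]*?boundary="?([^";\r\n]+)', re.I | re.M)


def message_end(data, start, next_start):
    """Exclusive end offset of the message that begins at `start`."""
    hdr = BLANK.search(data, start, next_start)
    hdr_end = hdr.start() if hdr else next_start
    headers = FOLD.sub(b" ", data[start:hdr_end])
    m = BOUNDARY.search(headers)
    if m:
        # Multipart: the body ends at the closing delimiter "--boundary--".
        closing = b"--" + m.group(1).strip() + b"--"
        pos = data.find(closing, hdr_end)
        if pos != -1:
            end = pos + len(closing)
            if data[end:end + 2] == b"\r\n":
                return end + 2
            return end + 1 if data[end:end + 1] == b"\n" else end
    # Single part, or closing delimiter missing: stop at NUL slack or next start.
    nul = data.find(b"\x00", start, next_start)
    return nul if nul != -1 else next_start


def carve(data):
    """Return (start, end) offsets for each message found in `data`."""
    starts = [m.start() for m in START.finditer(data)] + [len(data)]
    spans, prev_end = [], 0
    for s, nxt in zip(starts, starts[1:]):
        if s < prev_end:  # "Return-Path:" inside an already carved body
            continue
        prev_end = message_end(data, s, nxt)
        spans.append((s, prev_end))
    return spans


# Constructed sample: two messages on 4096-byte blocks, padded with NUL slack.
B = b"----=_NextPart_000_0000_CONSTRUCTED"
MSG1 = (b"Return-Path: <a@example.org>\r\nSubject: one\r\n"
        b'Content-Type: multipart/mixed;\r\n\tboundary="' + B + b'"\r\n\r\n'
        b"--" + B + b"\r\nContent-Type: text/plain\r\n\r\nhello\r\n"
        b"--" + B + b"--\r\n")
MSG2 = b"Return-Path: <b@example.org>\r\nSubject: two\r\n\r\nplain body\r\n"
SAMPLE = MSG1.ljust(4096, b"\x00") + MSG2.ljust(4096, b"\x00")
print(carve(SAMPLE))
```

Work on an image or copy of the recovered files, and treat each carved span as a candidate: a body line that happens to begin with `Return-Path:` in a single-part message will split it early.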