Data recovery 101 Question on XFS partition  

honor_the_data
(@honor_the_data)
New Member

I'm working on a case where I need data from log files that have rolled off a Linux server because log retention is 30 days and the server was compromised at least 35 days before the issue was discovered. There are no backups and logs were only stored locally, so as far as I know the only remaining option for pinpointing how the attacker got in is to try and recover older logs.

I had the sysadmin create an image of the XFS partition (/dev/mapper/sdc2-root) that contained /var/log and loaded up the image in EnCase 8.08. I'm puzzled because I am not seeing any recover options in processing menu.

1) Do I need an image of the entire disk, rather than just the partition, in order to attempt data recovery?
2) Has anyone tried this with XFS and EnCase 8?
3) Any other suggestions for other tools I should try?

Posted : 15/03/2019 12:17 am
watcher
(@watcher)
Active Member

I've never worked with XFS. I'm not aware that Encase handles XFS.

Now that I've established that I have not done this, the approach I would start with is

Try running PhotoRec against the partition. Contrary to its name and roots, it's a very capable general purpose file carver. More importantly, it is not dependent upon the file system and may be able to recover files from XFS.

Similarly, Bulk Extractor may be able to pull things out of unknown file systems.

There is a Chinese company that advertises tools for XFS, Salvation Data

Good luck, and let us know the outcome!

Posted : 15/03/2019 1:35 am
jaclaz
(@jaclaz)
Community Legend

> I've never worked with XFS.

And that makes two of us.

@honor_the_data
Generally speaking, you are exiting the "forensics" and entering the "data recovery" realm, so you will be better served by looking for "recovery" programs/tools and not "forensic" ones.

The SalvationData blog explaining some basics is this one
https://blog.salvationdata.com/2017/03/24/fragmented-files-recovery-based-on-xfs-file-system/

Photorec is an exceptionally good tool, and it is worth a try, though as with most file based tools it is likely that you will get (some) content losing filesystem metadata and file names/date, so that it may be "enough" or "not enough" for your actual scope.

You may want to try also the "old" Raise Data Recovery (I believe it is a read-only-until-registered one):

> Trial limitations
>
> The software copies files with the size under 256KB;

https://www.ufsexplorer.com/raise-data-recovery-xfs.php
https://www.sysdevlabs.com/product.php?id=rdrxfs&os=win

and if it works for the smaller files and "sees" the larger ones, get the "current" version.

jaclaz

Posted : 15/03/2019 9:53 am
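Both watcher's PhotoRec suggestion and jaclaz's caveat come down to the same idea: a carver ignores the file system and looks for content it recognises, and in exchange you get lines without file names or timestamps. For log files the content itself is recognisable, so a first pass does not even need a file-type signature, just the shape of a syslog line. The script below is an added example written for this thread, not code from any of the tools mentioned. It scans a raw partition image (allocated and unallocated space alike) for syslog-style lines, handles lines that straddle a read boundary, and reports duplicates, which usually come from rotated copies of the same log rather than two events. The image it scans is a small constructed one written by `build_sample_image`; point `carve_syslog_lines` at a real `dd` image of the partition instead. The syslog timestamp carries no year, so the analyst assigns one from the retention window.

```python
import os
import re
import tempfile

# A syslog-style line: "Mar 15 00:17:01 host prog[pid]: message".  The message
# part is restricted to printable ASCII and tabs so a match stops at NUL filler
# or binary noise even when no newline follows; lines containing UTF-8 are
# skipped by this first pass (a deliberate trade-off, loosen it if needed).
MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
SYSLOG_LINE = re.compile(
    rb"(?:" + b"|".join(m.encode() for m in MONTHS) + rb") [ 0-3]\d "
    rb"\d\d:\d\d:\d\d \S+ [\x20-\x7e\t]{1,1024}"
)


def carve_syslog_lines(image_path, chunk_size=4 * 1024 * 1024, overlap=4096):
    """Return [(absolute_offset, line_bytes), ...] for every syslog-looking line
    anywhere in the raw image.  The image is read in chunks; a match that ends
    inside the last `overlap` bytes of the buffer may have been cut by the chunk
    boundary, so it is not reported yet: the buffer is trimmed back to that
    match's start and it is re-evaluated once the next chunk is appended.
    `overlap` must exceed the shortest possible match (about 20 bytes)."""
    hits = []
    with open(image_path, "rb") as f:
        base = 0            # absolute image offset of buf[0]
        buf = b""
        while True:
            data = f.read(chunk_size)
            last = not data
            buf += data
            keep_from = len(buf) if last else max(0, len(buf) - overlap)
            for m in SYSLOG_LINE.finditer(buf):
                if m.end() > keep_from:
                    keep_from = m.start()   # too close to the edge: rescan later
                    break
                hits.append((base + m.start(), m.group()))
            if last:
                break
            base += keep_from
            buf = buf[keep_from:]
    return hits


def parse_ts(line):
    """(month, day, 'HH:MM:SS') from a carved line; the year is not on disk."""
    mon, day, clock = line[:15].split()
    return (MONTHS.index(mon.decode()) + 1, int(day), clock.decode())


def summarize(hits):
    """Count unique lines, find the time span and list lines seen at several
    offsets (typically rotated copies of the same log, not repeated events)."""
    by_line = {}
    for off, line in hits:
        by_line.setdefault(line, []).append(off)
    stamps = sorted(parse_ts(line) for line in by_line)
    return {
        "total": len(hits),
        "unique": len(by_line),
        "earliest": stamps[0] if stamps else None,
        "latest": stamps[-1] if stamps else None,
        "duplicates": {l: o for l, o in by_line.items() if len(o) > 1},
    }


def build_sample_image(path):
    """Write a constructed stand-in for a partition image: NUL filler, binary
    noise and three syslog lines, one of them present twice.  Hosts and
    addresses are made up (RFC 5737 documentation ranges)."""
    a = b"Feb  7 03:12:44 web01 sshd[2211]: Accepted publickey for deploy from 203.0.113.7 port 50122 ssh2\n"
    b = b"Feb  9 14:05:10 web01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash\n"
    c = b"Mar  1 00:00:01 web01 CRON[4120]: (root) CMD (logrotate /etc/logrotate.conf)\n"
    noise = bytes(range(256))
    with open(path, "wb") as f:
        f.write(b"\x00" * 100 + a + noise + b + a + b"\x00" * 300 + c + noise)
    return [a, b, c]


def run_demo(chunk_size=64, overlap=32):
    """Build the sample image in a temp dir and carve it with deliberately tiny
    chunks so the boundary handling is exercised.  Returns (hits, summary)."""
    path = os.path.join(tempfile.mkdtemp(), "xfs_part.img")
    build_sample_image(path)
    hits = carve_syslog_lines(path, chunk_size=chunk_size, overlap=overlap)
    return hits, summarize(hits)


if __name__ == "__main__":
    hits, summary = run_demo()
    for off, line in hits:
        print(f"0x{off:08x}  {line.decode()}")
    print(summary["total"], "lines,", summary["unique"], "unique,",
          "span", summary["earliest"], "->", summary["latest"])
```

On a real image the offsets are the useful part: clusters of hits with the same host and consecutive timestamps mark where a rotated `auth.log` or `syslog` used to live, and once the year is assigned the lines sort into a timeline even though no file name survives.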
mscotgrove
(@mscotgrove)
Senior Member

In theory, it is not possible to recover deleted XFS

With my cnwrecovery.com I have had some success. The program does make guesses as to what an iNode points to, so sometimes works, and sometimes fails.

You need to use the mode to scan all iNodes - can take a few hours with a large drive

If you require file names and dates, it is worth a try with the demo (saves logs, but no files). If you just want simple, unfragmented files, file carving is a possible way forward.

Posted : 17/03/2019 3:01 am
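mscotgrove's point about scanning every inode and guessing what it points to is easier to see with the on-disk structure in front of you. The script below is an added example for this thread, not code from cnwrecovery or any other product. It walks a raw partition image at inode-size alignment, parses the fixed part of `struct xfs_dinode` (big-endian, as in the kernel's `xfs_format.h`), decodes the packed extent records of an extents-format data fork, and flags inodes whose mode has been zeroed, which is what a freed inode looks like. Because freeing also zeroes the extent count, whatever is left in the literal area is exactly the guess a recovery tool has to make; the scanner surfaces it as `stale_extent_hint` and nothing more. Assumptions: 256-byte inodes (the `inode_size` parameter; v5 filesystems default to 512), classic 32-bit timestamps, and a small constructed image written by `build_sample_image` in place of a real `dd` image.

```python
import os
import struct
import tempfile
from datetime import datetime, timezone

XFS_DINODE_MAGIC = b"IN"
# Fixed 100-byte core of struct xfs_dinode, all fields big-endian.
DINODE_CORE = struct.Struct(">2sHBBHIIIHH6sHIIIIIIQQIIHBbIHHII")
V3_INO_OFFSET = 152                        # di_ino, v3 (CRC-enabled) inodes only
FORK_OFFSET = {1: 100, 2: 100, 3: 176}     # start of the data fork literal area
FMT_NAMES = {0: "dev", 1: "local", 2: "extents", 3: "btree", 4: "uuid", 5: "rmap"}
S_IFMT, S_IFREG = 0o170000, 0o100000
NULLAGINO = 0xFFFFFFFF


def decode_extent(rec16):
    """Unpack one packed xfs_bmbt_rec: [unwritten:1][startoff:54][startblock:52][blockcount:21]."""
    v = int.from_bytes(rec16, "big")
    return {"startoff": (v >> 73) & ((1 << 54) - 1),
            "startblock": (v >> 21) & ((1 << 52) - 1),
            "blockcount": v & ((1 << 21) - 1),
            "unwritten": bool(v >> 127)}


def encode_extent(startoff, startblock, blockcount):
    """Inverse of decode_extent, used only to build the sample image."""
    return ((startoff << 73) | (startblock << 21) | blockcount).to_bytes(16, "big")


def parse_dinode(raw):
    """Parse one candidate inode; None if the bytes do not look like one."""
    if len(raw) < DINODE_CORE.size or raw[:2] != XFS_DINODE_MAGIC:
        return None
    (_, mode, version, fmt, _, uid, gid, nlink, _, _, _, _,
     _, _, mtime_s, _, _, _, size, nblocks, _, nextents,
     _, _, _, _, _, _, gen, _) = DINODE_CORE.unpack_from(raw)
    if version not in FORK_OFFSET or fmt not in FMT_NAMES:
        return None                        # "IN" inside ordinary data, not an inode
    info = {"freed": mode == 0, "mode": mode, "uid": uid, "gid": gid, "nlink": nlink,
            "type": "regular" if (mode & S_IFMT) == S_IFREG else "other",
            "size": size, "nblocks": nblocks, "format": FMT_NAMES[fmt],
            "nextents": nextents, "gen": gen, "ino": None, "extents": [],
            "mtime": datetime.fromtimestamp(mtime_s, timezone.utc).isoformat()}
    if version == 3 and len(raw) >= V3_INO_OFFSET + 8:
        info["ino"] = struct.unpack_from(">Q", raw, V3_INO_OFFSET)[0]
    start = FORK_OFFSET[version]
    if fmt == 2:
        for i in range(nextents):          # live inode: the real extent map
            rec = raw[start + 16 * i:start + 16 * (i + 1)]
            if len(rec) < 16:
                break
            info["extents"].append(decode_extent(rec))
        rec = raw[start:start + 16]
        if info["freed"] and len(rec) == 16 and rec != b"\0" * 16:
            hint = decode_extent(rec)      # leftover bytes; may or may not be real
            if hint["blockcount"] and not hint["unwritten"]:
                info["stale_extent_hint"] = hint
    return info


def scan_inodes(image_path, inode_size=256, inodes_per_read=4096):
    """Walk the whole image at inode_size alignment and parse every candidate."""
    found, offset = [], 0
    with open(image_path, "rb") as f:
        while True:
            chunk = f.read(inode_size * inodes_per_read)
            if not chunk:
                return found
            for i in range(0, len(chunk), inode_size):
                info = parse_dinode(chunk[i:i + inode_size])
                if info:
                    info["offset"] = offset + i
                    found.append(info)
            offset += len(chunk)


def make_dinode(mode, size, nblocks, nextents, mtime_s, gen, literal, inode_size=256):
    """Build one v2, extents-format inode with the given literal area (sample only)."""
    core = DINODE_CORE.pack(XFS_DINODE_MAGIC, mode, 2, 2, 0, 0, 0, 1 if mode else 0,
                            0, 0, b"\0" * 6, 0, mtime_s, 0, mtime_s, 0, mtime_s, 0,
                            size, nblocks, 0, nextents, 0, 0, 2, 0, 0, 0, gen, NULLAGINO)
    return (core + literal).ljust(inode_size, b"\0")


def build_sample_image(path):
    """Constructed image: a zero block, a live 4 KiB file, a freed inode whose
    old extent record still sits in the literal area, and a text block that
    starts with "IN" but is not an inode (its version byte is 'F')."""
    mtime = 1552608000                     # 2019-03-15T00:00:00+00:00
    live = make_dinode(0o100644, 4096, 1, 1, mtime, 5, encode_extent(0, 0x1234, 1))
    freed = make_dinode(0, 0, 0, 0, mtime, 6, encode_extent(0, 0x2000, 4))
    text = b"INFO: rotating logs\n".ljust(256, b"\0")
    with open(path, "wb") as f:
        f.write(b"\0" * 256 + live + freed + text)


def run_demo():
    path = os.path.join(tempfile.mkdtemp(), "xfs_part.img")
    build_sample_image(path)
    return scan_inodes(path)


if __name__ == "__main__":
    for ino in run_demo():
        print(f"0x{ino['offset']:08x} freed={ino['freed']} size={ino['size']} "
              f"mtime={ino['mtime']} extents={ino['extents']} "
              f"hint={ino.get('stale_extent_hint')}")
```

The freed inode in the sample still reports its old mtime, which is the metadata jaclaz said carving cannot give you; whether the stale extent really points at the old log blocks, or at blocks reused since, is the part no tool can know without reading them and checking that they look like log lines. Production filesystems with v3 inodes also need the CRC and `di_ino` checks that this sketch leaves out.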
minime2k9
(@minime2k9)
Active Member

Again, never had an XFS partition, however X-Ways does support it
http://www.x-ways.net/forensics/

If they support it, I'm pretty sure you can carve files using it!

Posted : 17/03/2019 7:47 pm
hommy0
(@hommy0)
Member

EnCase 8.08 has listed support for XFS, however I have never worked with this file system.

What are you seeing in EnCase, when you say "I am not seeing any recover options in processing menu"

Also do you have any folder structure displayed within EnCase?

Regards

Posted : 18/03/2019 11:12 am
honor_the_data
(@honor_the_data)
New Member

> EnCase 8.08 has listed support for XFS, however I have never worked with this file system.
>
> What are you seeing in EnCase, when you say "I am not seeing any recover options in processing menu"
>
> Also do you have any folder structure displayed within EnCase?
>
> Regards

I see the file structure in EnCase and can access the allocated folders/files just like in a typical case (can click through folders, read contents of log files, share the data to the examiner host system, etc.).

Because of this, I know that EnCase 8.08 does support XFS, at least to some extent.

I am currently running the file carver to see if anything can be carved out from the partition.

Posted : 18/03/2019 4:28 pm
hommy0
(@hommy0)
Member

In addition to the file carver, the following EnScript may also be of benefit

https://www.guidancesoftware.com/app/Search-and-Bookmark-Specific-Data-Types

You can specify the file type by header (which can be imported from the file-types table)

Regards

Posted : 18/03/2019 5:25 pm