I am attempting to recover data from a Linux HDD (EXT 4) and after processing, FTK reports no deleted files on the drive whatsoever. My research indicates that Linux partitions indeed are capable of having data recovered just like NTFS and FAT – so how can this possibly be that there's not even one single file that reports as "deleted"?
Clarify please. FTK isn't showing you metadata related to deleted files (old inodes, directory entries, etc), or FTK carved for deleted files and didn't find any?
Terry
Thanks, Terry. Turns out, according to FTK's documentation
"Deleted files from ext3 volumes are not recovered because ext3 zeroes out a file’s indirect block pointers when it is deleted."
Same applies for EXT4. So, therefore, the only way to pull deleted files is to carve them out. Unfortunately, the filetype I am after does not have a pre-made carver. So, I have made my own, and hopefully I did it right.
Time will tell.
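Since FTK cannot recover deleted ext4 files from metadata, a header/footer carver over the raw image is the fallback the thread settles on. The following is an added example (not the poster's carver and not FTK code) showing the approach over a constructed image; the `MYFT` signature is a placeholder standing in for a file type without a ready-made carver, while the PNG entry uses the real PNG magic and IEND trailer.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import List

# Signature table: header bytes, footer bytes, and a size cap used when no
# footer is found. "png" is real; "custom" is an assumed placeholder format.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 16 * 1024 * 1024),
    "custom": (b"MYFT\x00\x01", b"\x00\x01TFYM", 64 * 1024),
}

@dataclass
class Carved:
    kind: str
    offset: int     # byte offset of the header in the image
    data: bytes
    complete: bool  # False when the footer was never found before the cap

def carve(image: bytes, signatures=SIGNATURES) -> List[Carved]:
    """Header/footer carve over a raw image, ignoring filesystem metadata.
    Nested or fragmented files are not handled: each header starts its own
    candidate, and a footer is searched only within the size cap."""
    results = []
    for kind, (header, footer, max_len) in signatures.items():
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            window = image[start:start + max_len]
            end = window.find(footer, len(header))
            if end == -1:
                # No trailer: keep the capped window and flag it as partial.
                results.append(Carved(kind, start, window, False))
            else:
                results.append(Carved(kind, start, window[:end + len(footer)], True))
    results.sort(key=lambda c: c.offset)
    return results

def build_sample_image() -> bytes:
    """Constructed 4 KiB-block image: one full PNG-like file, one complete
    custom file, and one custom file whose footer was overwritten."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40 + b"IEND\xaeB`\x82"
    custom = b"MYFT\x00\x01" + b"payload-one" + b"\x00\x01TFYM"
    truncated = b"MYFT\x00\x01" + b"payload-two-no-footer"
    block = lambda blob: blob.ljust(4096, b"\xff")
    return b"\xff" * 4096 + block(png) + block(custom) + block(truncated)

if __name__ == "__main__":
    for c in carve(build_sample_image()):
        print(c.kind, hex(c.offset), len(c.data), "complete" if c.complete else "partial")
```

On a real disk image, read the device or `dd` output in chunks with an overlap of at least the longest signature so headers straddling chunk boundaries are not missed.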
What about the journal file? Couldn't it be used to track down the deleted files and the references to their direct/indirect data blocks?
I don't know anything about the journal file with respect to the EXT4 file format. Do you have any links to references I could check out to learn more about it?
Thank you.
Unfortunately no, I know a bit how EXT2/EXT3 work (I wrote a library for EXT3 some time ago) but I never checked out the journal structure. There's
Thank you, I will look into it!