linux tools

Kdirstat

I just "found" kdirstat for KDE. It is a very nice program that has a Windows clone called WinDirStat. To install it on Kubuntu, just use

$ sudo apt-get install kdirstat

and invoke it from the CLI with kdirstat. There is no menu item, or at least one didn't show up for me.

kdirstat overview

Recovering deleted files from NTFS image

Sometimes it becomes necessary to recover deleted files from an NTFS image. On Linux, a free utility called ntfsundelete can be used.

If the image is still mounted, you will need to unmount it:

$ sudo umount tmpmount

Then, use the losetup utility to associate a loop device with a regular file (our image):

$ sudo losetup -o 15443968 /dev/loop0 /media/2Big/hd.img

The -o argument is the byte offset calculated in the last post (the partition's start sector as listed by fdisk, multiplied by 512). The ntfsundelete utility can then be used:

$ ntfsundelete -s /dev/loop0

Examining an image

You can either copy the image to a hard drive, or mount it in Linux and examine it. To mount an image of an entire drive, first examine the partitions using fdisk:

$ sudo fdisk -u -l /media/2Big/hd.img

In this example, hd.img is an image file created earlier on a USB drive named 2Big.

You should see something similar to this:

Disk /dev/sdc: 250.0 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0004034f

Device Boot Start End Blocks Id System
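An added shell example (not from the original posts) that ties the fdisk listing above to the losetup offset step from the ntfsundelete post: it computes the -o byte offset from fdisk -u -l (sector-unit) output and builds a read-only losetup command, so the evidence image is never written to. The fdisk rows here are constructed, since the post's listing is cut off, and the function names are my own.

```shell
#!/bin/sh
# Constructed sample of `fdisk -u -l hd.img` output (sector units); it stands
# in for the partition rows that the post's own listing does not include.
SAMPLE_FDISK='Disk hd.img: 250.0 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders, total 488397168 sectors
Units = sectors of 1 * 512 = 512 bytes
Disk identifier: 0x0004034f

   Device Boot      Start         End      Blocks   Id  System
hd.img1   *          63      409599      204768+   7  HPFS/NTFS
hd.img2          409600   488392064   243991232+   7  HPFS/NTFS'

# partition_offset IMAGE N  < fdisk-output
# Prints the byte offset of partition N: its Start sector (fdisk -u) * 512.
# The optional "*" boot flag shifts the columns, so Start is taken as the
# first purely numeric field after the device name rather than a fixed column.
partition_offset() {
    img=$1; n=$2
    awk -v dev="${img}${n}" '
        $1 == dev {
            for (i = 2; i <= NF; i++)
                if ($i ~ /^[0-9]+$/) { printf "%d\n", $i * 512; exit }
        }'
}

# attach_partition IMAGE N  < fdisk-output
# Builds the losetup command for that partition. -r attaches the loop device
# read-only, which keeps the image unaltered; the command is printed for
# review (it needs root) rather than executed here.
attach_partition() {
    off=$(partition_offset "$1" "$2")
    [ -n "$off" ] || { echo "partition $2 not found in fdisk output" >&2; return 1; }
    echo "sudo losetup -r -o $off /dev/loop0 $1"
}

# Usage: offset for the first NTFS partition of the constructed listing.
printf '%s\n' "$SAMPLE_FDISK" | attach_partition hd.img 1
```

Pipe the real listing in with `sudo fdisk -u -l /media/2Big/hd.img | attach_partition /media/2Big/hd.img 1`; without -u, fdisk reports cylinders and the multiplication by 512 would be wrong.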

Imaging a drive

It is very important when investigating a security incident to work with a copy of the hard drive, not the original, and equally important that the copy is unaltered. All that is needed is a place to store the image (a USB or system drive) and a working Linux setup, which can be an Ubuntu live CD.

First, find out which device names your drives have:

$ sudo fdisk -l

Disk /dev/sda: 250.0 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0008558e
