I just "found" kdirstat for KDE. It is a very nice program, that does have a Windows clone called WinDirStat. To install this program using Kubuntu, just use
$ sudo apt-get install kdirstat
and use the CLI to invoke it using kdirstat. There is no menu item..at least one didn't show up for me.
Sometimes, it becomes necessary to recover deleted files from an NTFS image. Using linux, a free utility called ntfsundelete can be used.
If the image is still mounted, you will need to unmount it:
$ sudo umount tmpmount
Then, you will want to use the losetup utility to associate a loop with a regular file (our image):
$ sudo losetup -o 15443968 /dev/loop0 /media/2Big/hd.img
The -o is the offset calculated from the last post (the start of the partition listed in fdisk * 512). The ntfsundelete utility can then be used:
$ ntfsundelete -s /dev/loop0
You can either copy the image to a hard drive, or mount it in Linux and examine it. To mount an image of an entire drive, first examine the partitions using fdisk:
$ sudo fdisk -u -l /media/2Big/hd.img
In this example, hd.img is an image file created earlier on a USB drive named 2Big.
You should see something similar to this:
Disk /dev/sdc: 250.0 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0004034f
Device Boot Start End Blocks Id System
It is very important when investigating a security incident to work with a copy of the hard drive, and not the original. It is equally important to work with an unaltered copy of the drive. All that is needed is a place to store the image, a USB or system drive, and a working Linux setup. This can be an Ubuntu live CD.
First, you must see where your drives are:
$ sudo fdisk -l
Disk /dev/sda: 250.0 GB, 250059350016 bytes
255 heads, 63 sectors/track, 30401 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Disk identifier: 0x0008558e
