We had a great class the other night, and one topic we discussed really jumped out at me. So, I'm organizing my notes in hopes that a) I don't forget what I learned, and b) these notes can help someone else. We were discussing methodologies to return data from the file system at the logical and physical layers. Here's one set of procedures we followed:
1. Image the hard drive.
2. Create a time line (a two-step process):
a. For unix, run: fls -m / -r /path/to/file.img > /path/to/file.bodyfile
For windows, run: fls -m C: -r /path/to/file.img > /path/to/file.bodyfile
b. run mactime -d -b /path/to/file.bodyfile > /path/to/timeline_name.csv
(I'm partial to the "-d" switch to produce a time line that's in a csv format.)
3. As you search through the time line, you can look for orphaned and deleted fils. Note the ones you would like to potentially recover, and be sure to jot down the inodes associated with those files.
4. Run icat, passing the inode number: icat -r /path/to/file.img [inode_number] > unknown_file
5. run: file unknown_file -- this will give the file type (if it is determinable)
6. run: strings unknown_file -- this will show any of the readable strings in the file (send to a file if you need to do further investigation, or there is a lot of data.)
Cool, cool stuff. icat is part of The Sleuthkit.