An Avi Video Recovery with SleuthKit


An Avi Video Recovery with SleuthKit

Postby miroRR » Mon May 11, 2015 5:47 pm

This was a post on Gentoo Forums:
A[n Instance of] Basic Data Recovery with SleuthKit
https://forums.gentoo.org/viewtopic-t-1016618.html
=========================================================
(now to be vacated, with instead a link to here)

Renaming it with a more appropriate title:
An Avi Video Recovery with SleuthKit
=========================================================

This POST will still be worked on, as far as circumstances are under my control, but it's readable already. A detail or two is left to do, but when other posts have been worked through.

This whole topic I started, originally, not here, but on
Gentoo Forums where I posted it on May 6, not the day you see that I posted it here on the Sleuthkit Forum.
------------------

I had created a directory:

mkdir /Cmn/MyVideos/H_All/Oth_1/DEL


and while sifting through various files, I put in there a few files that I would delete later, as I couldn't make up my mind that I really wanted to delete them, and set the deletion to come into effect for later, at 10000s from then, like this:

sleep 10000 && rm -v /Cmn/MyVideos/H_All/Oth_1/DEL/* &


Then I worked on, and mistakenly put into that directory a few files that I wouldn't want to delete, but those near three hours passed, and while I was doing unrelated work, I noticed the output from the background job that I issued before:

ukra@uabox $ removed ‘DEL/HRT3_F0328_1802.avi’
removed ‘DEL/Z1_F0325_Zoom.avi’
removed ‘DEL/Z1_F0326_BraniteljiDanas_ZoricaGregurić_ZoranGrujić_Zadruge.avi’
removed ‘DEL/Z1_F0331_MarkovTrg_MihovilBogoljubMatković_IvanHrstić.avi’
removed ‘DEL/Z1_F0331_Zoom_Lovrić_Škaričić.avi’



Later I even deleted the DEL:

rmdir /Cmn/MyVideos/H_All/Oth_1/DEL


I am having a much more advanced issue that I have been struggling with for much longer, and it is compounded with censorship on me, which is just an instance of typical censorship by the current traitor regime in power in Croatia, but which makes it much harder for me to dedicate my efforts entirely to the technical issues of the dd-overwritten luks volume recovery:

Recover partly overwritten luks volume?
http://forums.gentoo.org/viewtopic-t-1004014.html

[
WARNING: this is a digression, related only because it will be good to know what might have caused trouble if I were to be missing to complete the post. Otherwise, if data recovery is the kind reader's only interest, please skip and continue reading after the `]' below.

It makes it much harder for me because the censorship is being battled against by revealing it, see my idea for a program:

The uncenz
http://github.com/miroR/uncenz

, and also by help from free uncensored people ...that sometimes never arrives, uh!)

My uncenz (primitive) program helped me a lot to prove and remove the censorship (uncenzorize it), the censorship because of which I had been unable to register on the SleuthKit Forum, see:

Recover partly overwritten luks volume?
https://forums.gentoo.org/viewtopic-t-1 ... ml#7724054

and

[ ditto ]
https://forums.gentoo.org/viewtopic-t-1 ... ml#7734200

]

I have, however, reached the understanding there, on the issue of my partly overwritten luks volume, that the issue is so advanced that I will anyway need a very thorough understanding of at least all the basic functionality of SleuthKit to accomplish anything in that luks volume recovery.

So the recovery of these files in the top of this page in an unrelated system to that luks recovery issue, and on an unrelated partition, will be a good practice to try and get a good understanding of the SleuthKit and its ways.

Firstly about the partition where those few files have been deleted. It's not mounted, but it looks very similar to some other partitions in my other systems where I store data, so, looking at those other systems by comparison, I can confidently say that, were it now mounted, it would currently look more or less like this:

# df -h
Filesystem   Size  Used Avail Use% Mounted on
[..]
/Cmn         1.7T  1.6T  13G  99% /export/data
[...]
#


It's an ext4 partition.

It is possible I won't get all those files undeleted because of the little free space left, but if I get any, it'll be fine learning for me.

However, I seem to have started somewhat wrong, as I'll try and explain below, and am already a little puzzled with a few things.

I set the autopsy like this:

# autopsy -p 9999 192.168.3.3 &

so I can view it from a different host in my network (the host where the partition is mounted being 192.168.3.2).

After I created the case, I first looked up if I could see those files in the File Analysis, and I couldn't. The deleted directory DEL I was able to find, and it looks like this:

Name       Written                   Accessed            Changed            Size      UID     GID      Meta

DEL/    2015-05-04 00:32:57    2015-05-03 22:02:25    2015-05-04 00:32:57    0        1000    1000    24797188


and it was in bright red, meaning recoverable. However I don't need it; I need what was in that directory...

(That is, I don't need it unless the only way to really get some info about how to recover those files is first recovering that directory or something to that effect. Then I sure do need it... New territory all of this for me.)

The only thing, under which was a link in the above line, was 24797188 (under Meta), but following that link didn't give any more info. There is more about that directory in a later post in this topic:

( this same topic you're reading )
viewtopic.php?f=6&t=2441#p2629

Let me first show you what this case that I had opened for this problem looks like, by listing and pasting all that is currently in the Evidence Locker (not so much), and then I will explain where I may have gone wrong, and other things that puzzle me.

uabox ~ # ls -ltrR /mnt/g5n-C/autopsy/g5nCmn/g5n/
/mnt/g5n-C/autopsy/g5nCmn/g5n/:
total 24
drwxr-xr-x 2 root root 4096 2015-05-05 11:39 reports
drwxr-xr-x 2 root root 4096 2015-05-05 11:39 output
drwxr-xr-x 2 root root 4096 2015-05-05 11:39 mnt
drwxr-xr-x 2 root root 4096 2015-05-05 11:43 logs
drwxr-xr-x 2 root root 4096 2015-05-05 11:43 images
-rw-r--r-- 1 root root  169 2015-05-05 11:43 host.aut

/mnt/g5n-C/autopsy/g5nCmn/g5n/reports:
total 0

/mnt/g5n-C/autopsy/g5nCmn/g5n/output:
total 0

/mnt/g5n-C/autopsy/g5nCmn/g5n/mnt:
total 0

/mnt/g5n-C/autopsy/g5nCmn/g5n/logs:
total 24
-rw-r--r-- 1 root root  487 2015-05-06 16:23 host.log
-rw-r--r-- 1 root root 4435 2015-05-06 16:55 miroR.log
-rw-r--r-- 1 root root 8696 2015-05-06 16:55 miroR.exec.log

/mnt/g5n-C/autopsy/g5nCmn/g5n/images:
total 0
lrwxrwxrwx 1 root root 19 2015-05-05 11:43 vgn-Cmn -> /dev/mapper/vgn-Cmn
uabox ~ #


As you can see there are only three files currently to paste their contents in here, and all the story so far developed will be told.

Actually I won't paste the contents manually, I'll list each file first, and then cat its content in this file that I am preparing for posting.

I'll actually use this command:
export Prepare="/Cmn/gX/Tmp.d_1/SK_150506_tsk_recover.txt" ; echo $Prepare ;
for i in $(ls -1 /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/) ;
do echo /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/$i >> $Prepare ;
cat /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/$i >> $Prepare ; read FAKE ;
done ;


`Prepare' is this text when it was only a draft.

I had it on one line, and it worked fine. I think it would have worked split like that into those five lines, to which I split it for presentation purposes.

Anyhow, that got me all this output below in this file that should soon be posted onto Gentoo Forums. (I have however shortened the output by cutting out the lines that are really too much noise only, because I really went the wrong way):

/mnt/g5n-C/autopsy/g5nCmn/g5n/logs/host.log
===========================================

Tue May  5 11:39:13 2015: Host g5n added to case g5nCmn
Tue May  5 11:39:22 2015: Host g5n opened by miroR
Tue May  5 11:43:53 2015: Sym Linking image /dev/mapper/vgn-Cmn into g5nCmn:g5n
Tue May  5 11:43:53 2015: Image added: image img1 raw  images/vgn-Cmn
Tue May  5 11:43:53 2015: Volume added: part  vol1 img1   0  0    ext  /1/
Tue May  5 11:44:44 2015: Image vol1 opened by miroR
Wed May  6 16:23:41 2015: Host g5n opened by miroR
Wed May  6 16:23:45 2015: Image vol1 opened by miroR

/mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.exec.log
=================================================

Tue May  5 11:43:24 2015: '/usr/bin/img_stat' -t "/dev/mapper/vgn-Cmn"
Tue May  5 11:43:24 2015: '/usr/bin/fsstat' -t -i raw "/dev/mapper/vgn-Cmn"
Tue May  5 11:43:53 2015: '/usr/bin/img_stat' -t "/dev/mapper/vgn-Cmn"
Tue May  5 11:43:53 2015: '/usr/bin/fsstat' -o 0 -i raw -f ext "/dev/mapper/vgn-Cmn"
Tue May  5 11:43:53 2015: /bin/ln -s '/dev/mapper/vgn-Cmn' '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May  5 11:44:15 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May  5 11:47:04 2015: '/usr/bin/fls' -f ext -la  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May  5 11:48:26 2015: '/usr/bin/fls' -f ext -ldr  -s '0'  -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May  5 11:48:48 2015: '/usr/bin/fls' -f ext -ldr  -s '0'  -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May  5 11:55:47 2015: '/usr/bin/ifind' -f ext -n 'MyVideos/H_All/Oth_1/DEL'  -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May  5 11:55:48 2015: '/usr/bin/istat' -f ext  -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188
Tue May  5 11:55:48 2015: '/usr/bin/fls' -f ext -la  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188
Tue May  5 11:56:07 2015: '/usr/bin/ifind' -f ext -n 'MyVideos/H_All/Oth_1/'  -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May  5 11:56:07 2015: '/usr/bin/istat' -f ext  -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24780805
Tue May  5 11:56:07 2015: '/usr/bin/fls' -f ext -la  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24780805
Tue May  5 11:56:45 2015: '/usr/bin/ils' -f ext -e -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188
Tue May  5 11:56:46 2015: '/usr/bin/ffind' -f ext -a -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188
Tue May  5 11:56:47 2015: '/usr/bin/icat' -f ext -r -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188 | '/usr/bin/file' -z -b -
Tue May  5 11:56:47 2015: '/usr/bin/icat' -f ext -r -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188 | '/usr/bin/md5sum'
Tue May  5 11:56:47 2015: '/usr/bin/icat' -f ext -r -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188 | '/usr/bin/sha1sum'
Tue May  5 11:56:47 2015: '/usr/bin/istat' -f ext  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188
Tue May  5 11:59:44 2015: '/usr/bin/fls' -f ext -lpr  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
[...]
Tue May  5 12:05:58 2015: '/usr/bin/fls' -f ext -la  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24772609
Tue May  5 12:06:11 2015: '/usr/bin/fls' -f ext -la  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24772610
Tue May  5 12:06:22 2015: '/usr/bin/fls' -f ext -la  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24780805
[...]
Tue May  5 12:49:20 2015: '/usr/bin/fls' -f ext -lpr  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May  5 12:49:29 2015: '/usr/bin/fls' -f ext -lpr  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May  5 12:53:57 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May  5 12:53:57 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
[...]
Wed May  6 16:55:15 2015: '/usr/bin/ffind' -f ext -a -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188
Wed May  6 16:55:54 2015: '/usr/bin/icat' -f ext -r -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188 | '/usr/bin/file' -z -b -
Wed May  6 16:55:54 2015: '/usr/bin/icat' -f ext -r -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188 | '/usr/bin/md5sum'
Wed May  6 16:55:55 2015: '/usr/bin/icat' -f ext -r -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188 | '/usr/bin/sha1sum'
Wed May  6 16:55:55 2015: '/usr/bin/istat' -f ext  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 24797188


A few lines are cut out from miroR.exec.log above. I'm leaving intact miroR.log but I stress that I really grepped for text which is, as you can see above, the name of the file, and that text couldn't be found.

So, to kind reader, just skim quickly quite a few lines from this point.

/mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.log
============================================

Tue May  5 11:39:22 2015: Host g5n opened
Tue May  5 11:44:44 2015: vol1: volume opened
Tue May  5 11:47:04 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
Tue May  5 11:48:26 2015: vgn-Cmn-0-0: Listing all deleted files
Tue May  5 11:48:48 2015: vgn-Cmn-0-0: Listing all deleted files
Tue May  5 11:55:47 2015: vol1: Finding meta data address for MyVideos/H_All/Oth_1/DEL
Tue May  5 11:55:48 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/H_All/Oth_1/DEL/ (24797188)
Tue May  5 11:56:07 2015: vol1: Finding meta data address for MyVideos/H_All/Oth_1/
Tue May  5 11:56:07 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/H_All/Oth_1/ (24780805)
Tue May  5 11:56:45 2015: vgn-Cmn-0-0: Displaying details of Inode 24797188
Tue May  5 11:59:44 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331*
Tue May  5 12:01:37 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331_*
Tue May  5 12:01:50 2015: vgn-Cmn-0-0: Listing all files with Z1_F0330_*
Tue May  5 12:03:27 2015: vgn-Cmn-0-0: Listing all files with *Zoom_Lovrić*
Tue May  5 12:03:49 2015: vgn-Cmn-0-0: Listing all files with *Zoom_Lovri*
Tue May  5 12:04:32 2015: vgn-Cmn-0-0: Listing all files with *Zoom_L*
Tue May  5 12:04:47 2015: vgn-Cmn-0-0: Listing all files with *Zoom_*
Tue May  5 12:05:05 2015: vgn-Cmn-0-0: Listing all files with *Zoom*
Tue May  5 12:05:13 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
Tue May  5 12:05:22 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
Tue May  5 12:05:58 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/ (24772609)
Tue May  5 12:06:11 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/H_All/ (24772610)
Tue May  5 12:06:22 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/H_All/Oth_1/ (24780805)
Tue May  5 12:09:07 2015: vgn-Cmn-0-0: Listing all files with *_F0326*
Tue May  5 12:09:16 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
Tue May  5 12:09:37 2015: vgn-Cmn-0-0: Listing all files with *_F032*
Tue May  5 12:09:48 2015: vgn-Cmn-0-0: Listing all files with *F032*
Tue May  5 12:09:57 2015: vgn-Cmn-0-0: Listing all files with *F03*
Tue May  5 12:10:25 2015: vgn-Cmn-0-0: Listing all files with Z1_F0326_sAnitom.avi
Tue May  5 12:10:44 2015: vgn-Cmn-0-0: Listing all files with Z1_F0326_s*.avi
Tue May  5 12:10:52 2015: vgn-Cmn-0-0: Listing all files with Z1_F0326_s\*.avi
Tue May  5 12:11:01 2015: vgn-Cmn-0-0: Listing all files with Z1_F0326_*.avi
Tue May  5 12:11:57 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331_Lovrić_Škaričić.avi.avi
Tue May  5 12:12:16 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331_Lovrić_Škaričić.avi
Tue May  5 12:12:57 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331_Zoom_Lovrić_Škaričić.avi
Tue May  5 12:47:27 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331_\w*.avi
Tue May  5 12:47:37 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331\w*.avi
Tue May  5 12:47:54 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331[0-9a-zA-Z]*.avi
Tue May  5 12:48:03 2015: vgn-Cmn-0-0: Listing all files with Z1_F0330[0-9a-zA-Z]*.avi
Tue May  5 12:48:19 2015: vgn-Cmn-0-0: Listing all files with Z1_F0331[0-9a-zA-Z]*\.avi
Tue May  5 12:48:28 2015: vgn-Cmn-0-0: Listing all files with Z1_F0330[0-9a-zA-Z]*\.avi
Tue May  5 12:48:47 2015: vgn-Cmn-0-0: Listing all files with Z1_F03[0-9a-zA-Z]*\.avi
Tue May  5 12:49:06 2015: vgn-Cmn-0-0: Listing all files with /Z1_F03[0-9a-zA-Z]*\.avi/
Tue May  5 12:49:20 2015: vgn-Cmn-0-0: Listing all files with Z1_F03/[0-9a-zA-Z]*\.avi/
Tue May  5 12:49:29 2015: vgn-Cmn-0-0: Listing all files with Z1_F03/[0-9a-zA-Z]*/\.avi
Tue May  5 12:53:57 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi
Tue May  5 13:03:57 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi
Tue May  5 13:13:57 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi
Wed May  6 16:23:41 2015: Host g5n opened
Wed May  6 16:23:45 2015: vol1: volume opened
Wed May  6 16:23:51 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
Wed May  6 16:26:13 2015: vgn-Cmn-0-0: Directory listing of /1/$OrphanFiles/ (110059521)
Wed May  6 16:27:14 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/ (24772609)
Wed May  6 16:27:23 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/H_All/ (24772610)
Wed May  6 16:27:27 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/H_All/Oth_1/ (24780805)
Wed May  6 16:55:14 2015: vgn-Cmn-0-0: Displaying details of Inode 24797188


I'm posting it to get help, from them or from any knowledgeable unixer, and also if I (as I often do) solve it, that others may benefit from my experience too.

Before I try and explain where I may have gone wrong and what puzzles me, let me first tell about the files. They are real, and they have:
Z1_F0325
Z1_F0326
Z1_F0331
Z1_F0331

the name of the TV station `Z1', the Zagrebian TV, in them, and the date (except that I use `F' for `2015', the current year). So the program I taped on my old Hauppauge TV-card was from the end of month `03', March, from the 25th to the 31st. I phoned in in some of those programs, and I like to have it taped when I phone in. There are also real names in there. Just to give a human feel to the story.

But technically that's irrelevant.

Now where I went wrong, is after not finding any of those deleted files in the `File Analysis', and after trying bash regular expression searches like:

Tue May  5 12:09:57 2015: vgn-Cmn-0-0: Listing all files with *F03*

and there's plenty others there, which all failed, I figured out, reading the help for `File Analysis', that the Autopsy interface for `File Analysis' uses perl regexp, and not the bash kind. So later I read `man perlrequick', but I already went the possibly wrong way.

There's very little else that I did on `Wed May 6', which is today, but there are searches still going on since.

Note: what is of limited use here, is how there were, without me having issued but one, three searches going on. Limited, because if it's a bug, it has only some value at present, because the Sleuthkit devs, I'm sure, will fix it for the future.

From /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.log:
Tue May  5 12:53:57 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi
Tue May  5 13:03:57 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi
Tue May  5 13:13:57 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi


And see the same commands from /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.exec.log:
Tue May  5 12:53:57 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May  5 12:53:57 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Tue May  5 13:03:57 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May  5 13:03:57 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Tue May  5 13:13:57 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May  5 13:13:58 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'


And now let me show you, as I have `top' fired up all the time, and keep waiting for this possibly wrong attempt to finally be finishing, which it never yet shows any signs of...

This is a typical screenful:
top - 18:11:27 up 35 days,  6:14,  3 users,  load average: 3.22, 3.23, 3.23
Tasks: 237 total,   4 running, 231 sleeping,   2 stopped,   0 zombie
%Cpu(s): 34.2 us,  4.1 sy,  0.0 ni, 46.6 id, 15.2 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem : 16385720 total,   703036 free,   851080 used, 14831604 buff/cache
KiB Swap: 20971516 total, 20893764 free,    77752 used. 15434868 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                             
10129 root      20   0    6416     84      0 R  76.2  0.0   1322:27 srch_strings                       
10110 root      20   0    6420     88      0 R  67.9  0.0   1338:17 srch_strings                       
10086 root      20   0    6420     88      0 S  59.9  0.0 948:43.70 srch_strings                       
10109 root      20   0   29908    596    216 R   8.9  0.0 165:51.01 blkls                               
10128 root      20   0   29904    584    212 S   8.6  0.0 165:21.78 blkls                               
10085 root      20   0   29908    592    216 D   6.6  0.0  94:14.18 blkls                               
10111 root      20   0   12100   1044    424 S   2.3  0.0  33:48.57 grep                               
10130 root      20   0   12104   1068    444 S   2.3  0.0  33:40.49 grep                               
10087 root      20   0   12104   1048    424 S   1.7  0.0  18:21.48 grep                               
10091 root      20   0   24984   1172    560 R   0.7  0.0  10:25.17 top                                 
 1301 root       0 -20       0      0      0 S   0.3  0.0   1:39.53 kworker/4:1H                       
12433 root      20   0  175756  17536   3288 S   0.3  0.1   5:32.51 X                                   
31927 root      20   0       0      0      0 S   0.3  0.0   0:47.63 kworker/0:2                         
    1 root      20   0    4268    116     80 S   0.0  0.0   0:34.56 init                               
    2 root      20   0       0      0      0 S   0.0  0.0   0:22.93 kthreadd                           
    3 root      20   0       0      0      0 S   0.0  0.0   6:50.01 ksoftirqd/0                         
    5 root       0 -20       0      0      0 S   0.0  0.0


So it is minimally grep'ing, and on those 1.7T it is using some more of the CPU cycles for blkls, and the most of the CPU cycles for the srch_strings, but it is doing it via `|', a pipe, see again the miroR.exec.log above, and so none of it, just the searched string, will remain.

At least that's what I think it is doing, after reading more of the Autopsy and TSK documentation.

And anyway I should have concentrated my searches on the unallocated space!

But back those 30 hours from now, I didn't know how, and am not even certain now.

I now need to post this before the time is way beyond what is now today.
Last edited by miroRR on Tue May 19, 2015 10:48 pm, edited 4 times in total.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Uninstalling dbus and *kits (to Unfacilitate Remote Seats)
(currently my most viewed topic in Gentoo Forums)

Re: An Avi Video Recovery with SleuthKit

Postby miroRR » Tue May 12, 2015 3:01 pm

This post was originally posted on Gentoo Forums on 2015-05-07 14:06+02:00

EDIT: I leave most of this post in case the report on the multiplying of searches is of any (limited) use. Otherwise, kind reader, just skim through most of these.

It is different now:

top - 11:47:22 up 35 days, 23:50,  3 users,  load average: 5.84, 5.99, 6.03
Tasks: 252 total,   2 running, 248 sleeping,   2 stopped,   0 zombie
%Cpu(s): 20.8 us,  3.1 sy,  0.0 ni, 33.7 id, 42.5 wa,  0.0 hi,  0.0 si,  0.0 st
KiB Mem : 16385720 total,   719992 free,   856244 used, 14809484 buff/cache
KiB Swap: 20971516 total, 20888104 free,    83412 used. 15429524 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                               
 4151 root      20   0    6420    164     76 S  25.2  0.0  61:06.20 srch_strings                         
 4132 root      20   0    6420    168     84 R  23.5  0.0  64:40.62 srch_strings                         
10086 root      20   0    6420     88      0 S  20.5  0.0   1377:21 srch_strings                         
 4171 root      20   0    6420    132     44 S  20.2  0.0  57:21.69 srch_strings                         
 7944 root      20   0    6420     88      0 S  18.2  0.0 523:33.29 srch_strings                         
 7945 root      20   0    6420     88      0 S  18.2  0.0 565:22.88 srch_strings                         
 4131 root      20   0   29904   1144    768 S   3.6  0.0   9:06.74 blkls                                 
 4150 root      20   0   29904   1148    768 D   3.6  0.0   8:37.82 blkls                                 
 7942 root      20   0   29908    628    252 D   2.6  0.0 100:13.48 blkls                                 
 7943 root      20   0   29908    628    252 D   2.6  0.0  92:39.47 blkls                                 
10085 root      20   0   29908    560    184 D   2.6  0.0 147:42.02 blkls                                 
 4170 root      20   0   29908   1148    768 D   2.3  0.0   7:43.02 blkls                                 
 4152 root      20   0   11580    724    596 S   1.3  0.0   2:42.07 grep                                 
 4172 root      20   0   11584    748    616 S   1.0  0.0   2:27.05 grep                                 
10087 root      20   0   12104   1024    400 S   1.0  0.0  34:35.88 grep                                 
10091 root      20   0   25088   1236    592 R   1.0  0.0  16:26.14 top                                   
12433 root      20   0  177148  17996   3748 S   1.0  0.1   9:04.61 X                                     
 4133 root      20   0   11584    704    572 S   0.7  0.0   2:50.47 grep                                 
 1299 root       0 -20       0      0      0 S   0.3  0.0   2:05.53 kworker/2:1H           


And if I look up the logs, posting just what has changed:

ls -ltrR /mnt/g5n-C/autopsy/g5nCmn/g5n/

[...]
/mnt/g5n-C/autopsy/g5nCmn/g5n/logs:
total 24
-rw-r--r-- 1 root root  4750 2015-05-07 07:19 miroR.log
-rw-r--r-- 1 root root 10007 2015-05-07 07:19 miroR.exec.log
[...]
/mnt/g5n-C/autopsy/g5nCmn/g5n/output:
total 4
-rw-r--r-- 1 root root 47 2015-05-06 18:56 vgn-Cmn-0-0-0.srch


The one-liner in bottom first:
cat /mnt/g5n-C/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-0.srch

0||Z1_F0331_Zoom_Lovrić_Škaričić.avi|ascii


Diff from previous log, as I already posted it in the first post:
diff /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.log.PREV /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.log
57,59d56
> Thu May  7 06:59:30 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi
> Thu May  7 07:09:30 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi
> Thu May  7 07:19:31 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi


diff /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.exec.log.PREV /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.exec.log
74,81d73
> Wed May  6 18:56:47 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
> Wed May  6 18:56:47 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
> Thu May  7 06:59:30 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
> Thu May  7 06:59:30 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
> Thu May  7 07:09:30 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
> Thu May  7 07:09:31 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
> Thu May  7 07:19:31 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
> Thu May  7 07:19:32 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'


EDIT: Here is what my system is, if it influences the multiplying of searches:

Since I remember having had some issues with Autopsy on my system (grsec-hardened amd64 Gentoo), and seeing a similar error in this attempt, I was wondering about the stage which I am at, and if I should go on, or quit waiting for the result (it's been just over two days this srch_strings is on).

Or is it now that I'm half way through, if the one-liner from the output folder, vgn-Cmn-0-0-0.srch said: "0||Z1_F0331_Zoom_Lovrić_Škaričić.avi|ascii"? That probably does mean a result of a search (`0': nothing found), and that that ascii search is done... And the time of that result (IIUC) is 2015-05-06 18:56, almost a day ago...

But why then did a new search start? I already had (this is part of what I meant by "had some issues with Autopsy" above) the Autopsy interaction with Sleuthkit on my system somehow starting the MD5 calculation another time (just search for `md5.txt' without quotes below and the link to that duplicate MD5 calculation is there)... Could this too be a duplicate, a duplicate search in this case?

And these are (at least two things) what I meant when I said that I may possibly be doing it wrong: you see that I am searching for that string, and one thing possibly wrong (that's the first thing, and I'm not sure if it's wrong) is that the string I search for is the name of the file, and I remember I once found where a lost text of mine was, but I wasn't searching for the name of the file containing the text, but for the string that appears only in the text itself...

And this is the second thing that I fear I'm doing wrong: I fear that this search won't help in the least to ease my later tries... I should have somehow dumped the unallocated space to be able to search in it (and I fear I can not do it now, not until this search is done)... EDIT: My fears were completely substantiated. No use whatsoever of those searches.

And so, after this search is done, the search and some info (but I really don't get exactly which info) will be stored to ease future searches, but since the:
'/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'

is searching through a pipe, any new search by blkls will have to be done all over again, because, as I said I should have, but didn't know how back then (and I am not certain now either, but I'll give my understanding below), the blkls is not extracting and storing anything other than temporarily, and piping it to grep...

My understanding now (and I'm really applying my best), is that I shouldn't have started that perl regex string search, as it's too long and giving too little result, and stored very little for future, but...

EDIT: This will later prove the right thing to have done instead:
But that I should have picked the "Keyword Search" from the other menu at the same level as the "File Analysis" in the main menu accessed through "Analyze" in the "Case Gallery", and...

And that I should have chosen from the "Keyword Search of Allocated and Unallocated Space" page that then opens the "Extract Unallocated".

Is my understanding above correct?

Are those processes, but same search that started:
Code: Select all
Thu May  7 06:59:30 2015

and:
Code: Select all
Thu May  7 07:09:30 2015

duplicates, and should I kill those new processes?
EDIT: Yes, I could and should have.

Should I go back and, as I said above, go for the "Extract Unallocated" rather than wait here at all, or should I rather wait for the remaining old (more than two days now churning on) processes after I kill the new?

The current Autopsy issues that I haven't yet explained (I did have it previously:

Recover partly overwritten luks volume?
https://forums.gentoo.org/viewtopic-t-1 ... ml#7723732

where find:
Code: Select all
uabox ~ # cat /Cmn/autopsy/WCC070-luks-vol/ukrabox/md5.txt
3B7E4DF6DA0E8BB78283BB66F317689B   img1
3B7E4DF6DA0E8BB78283BB66F317689B   img2
uabox ~ #


), and this could be for similar reason.

EDIT START 2015-05-19 22:16+02:00 : Those sums that I pasted from the Gentoo Forums belong to a different recovery. But these were the sums of the attempt described here:

Code: Select all
g5n ~ # cat /export/h1/autopsy/g5nCmn/g5n/md5.txt
45C8AAC05AC5047FCFF4062A1B2D5C29   vol8
45C8AAC05AC5047FCFF4062A1B2D5C29   vol9
g5n ~ #

EDIT END

I'm browsing with `links -g http://<the address>/autopsy as I was given the address by Autopsy, for this other host in my network, as I explained in the first post of this topic.

After I started the search from the "File Analysis" section, hours later this error appears, and it keeps at it.

I can only manually copy the screen, no copy/paste available for this in the links framebuffer browser:

this post was originally posted on Gentoo Forums on 2015-05-07 15:06+02:00
Code: Select all
================ Error ===============
Error loading
http://<the host>/<some salt number>/autopsy?mod=<a really long string>...
Receive timeout
Cancel
======================================

The Error on top and the Cancel in bottom are clickable, but I never even tried to, remembering that I somehow got a duplicate work to go on the one last time linked above...

And I think that links screen is anyway unusable. EDIT: Wrong! In such case, clicking (or hitting Enter on) `Cancel' is fine. I'm using another links instance for reading Help.

Whatever the reason why the links shows this timeout, I suppose it is somewhere in that interaction between Autopsy and Sleuthkit via the browser that the duplicate work started, the last time, and maybe this time as well.
Last edited by miroRR on Tue May 19, 2015 9:01 pm, edited 4 times in total.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Uninstalling dbus and *kits (to Unfacilitate Remote Seats)
(currently my most viewed topic in Gentoo Forums)
miroRR
 
Posts: 20
Joined: Sat May 09, 2015 1:21 pm
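The pipeline quoted in the post above, `blkls -e ... | srch_strings -a -t d [-e l] | grep '...'`, is worth seeing in code. The following is an added example, not code from this thread, from Autopsy or from The Sleuth Kit: a small Python model of what `srch_strings` does (print every run of at least four printable characters with its decimal byte offset, `-t d`; with `-e l` look for 16-bit little-endian, i.e. UTF-16LE, characters instead of 7-bit ASCII) and of the `grep` stage after it. The input is a constructed three-block buffer, not the author's vgn-Cmn volume; `BLOCK` is taken from the `Block Size: 4096` that fsstat reports later in the thread. One detail the example makes visible: in 7-bit mode a strings scanner breaks a run at any byte outside 0x20-0x7e, so the UTF-8 bytes of ć, Š and č split this file name into shorter fragments, and a grep for the whole name against that output cannot match.

```python
"""Model of `blkls -e ... | srch_strings -a -t d [-e l] | grep KEYWORD`.

Added example; not from the thread, Autopsy or The Sleuth Kit.
"""
import re

BLOCK = 4096   # ext4 block size of the volume in the thread (fsstat: Block Size: 4096)
MIN_LEN = 4    # strings(1)-style minimum run length

# Constructed sample: the file name from the thread, nothing from a real disk.
NAME = "Z1_F0331_Zoom_Lovri\u0107_\u0160kari\u010di\u0107.avi"


def build_sample_dump() -> bytes:
    """Three blocks: block 0 holds NAME as UTF-8, block 1 holds NAME as
    UTF-16LE, block 2 is zero filler (constructed, not the author's image)."""
    dump = bytearray(3 * BLOCK)
    utf8 = NAME.encode("utf-8")
    dump[100:100 + len(utf8)] = utf8
    u16 = NAME.encode("utf-16-le")
    dump[BLOCK + 40:BLOCK + 40 + len(u16)] = u16
    return bytes(dump)


SAMPLE_DUMP = build_sample_dump()

# 7-bit printable run: what srch_strings looks for without -e
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# UTF-16LE run (srch_strings -e l): each printable ASCII code unit is the
# byte followed by 0x00; a code unit outside that range ends the run
_U16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def srch_strings(data: bytes, encoding: str = "ascii"):
    """Yield (decimal_offset, text) for every printable run, like
    `srch_strings -a -t d` (encoding='ascii') or `-e l` (encoding='utf-16le')."""
    if encoding == "ascii":
        for m in _ASCII_RUN.finditer(data):
            yield m.start(), m.group().decode("ascii")
    elif encoding == "utf-16le":
        for m in _U16LE_RUN.finditer(data):
            yield m.start(), m.group().decode("utf-16-le")
    else:
        raise ValueError("unsupported encoding: %r" % encoding)


def keyword_search(data: bytes, keyword: str, encoding: str = "ascii"):
    """The `| grep KEYWORD` stage: [(offset, block_number, run_text)] for every
    run containing the keyword. block_number = offset // BLOCK is the data
    unit Autopsy would show for the hit."""
    return [(off, off // BLOCK, text)
            for off, text in srch_strings(data, encoding)
            if keyword in text]


if __name__ == "__main__":
    for enc in ("ascii", "utf-16le"):
        print(enc, "runs:", [t for _, t in srch_strings(SAMPLE_DUMP, enc)])
        print(enc, "hits for full name:", keyword_search(SAMPLE_DUMP, NAME, enc))
        print(enc, "hits for 'Z1_F0331':", keyword_search(SAMPLE_DUMP, "Z1_F0331", enc))
```

Run as a script it prints the runs each encoding yields and shows that the full name gets zero hits in both encodings while the ASCII-only prefix `Z1_F0331` is found once per block, at offset 100 (block 0) and 4136 (block 1).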

Re: An Avi Video Recovery with SleuthKit

Postby miroRR » Tue May 12, 2015 3:16 pm

Since I'm still figuring out the workings of Autopsy and Sleuthkit, I'll go
slowly, so I don't get lost.

I opened the browser with this command:

Code: Select all
links -g http://g5n:9999/31564462051203138502/autopsy &


Tabbed to "Open Case", which led me to Case Gallery in which the case "g5nCmn"
is already preselected since the only one in that host (Host Gallery is grayed
out).

The "details" link gives:

Code: Select all
Description: lost two videos
Created: Tue May 5 11:38:20 2015
Investigators: miroR

EDIT: for the number of videos lost, see the first post; it's slightly higher, actually.

The "OK" leads me back, and in the previously seen "Case Gallery", I now follow the link "OK".

Much more options now open, too much to describe.

I choose "Analyze" button link to follow.

This is not a new case. I have already worked on it, and sure I did go the wrong way, as I already explained.

So I'm determined to get back to the right way.

"File Analysis" I will skip, as I tried it (the wrong way). The directory in which the files that I need to recover were, I was reckless enough to delete, and surely "File Analysis" now can not help (if it does, someone do tell me how!).

The "Keyword Search" or the "File Type" search, which do I choose?

I don't think "File Type" can work yet, because those files to undelete in the deleted directory I think cannot be found by sorter (if they can, someone do tell me!).

The failed attempt of mine was due to going for a search in the "File Analysis" section, and the search that went on (and which went duplicating itself, as I somewhat documented) didn't save anything in the output folder, so all the effort was lost.

So opening the "Keyword Search" section:

Code: Select all
Keyword Search of Allocated and Unallocated Space

Enter the keyword string or expression to search for:
_________________________________

[ ] ASCII [ ] Case Insensitive

[ ] Unicode [ ] grep Regular Expression

But what attracts my attention this time, is these two buttons, esp. the second:

"Extract Strings" and "Extract Unallocated".

The third button is "Search" and I'm not using it yet.

I think I will not make a mistake if I go for the "Extract Unallocated" first and foremost, because I hope to find those files in there.

Just on the duplicating of jobs apparently by Autopsy, I see this in bottom of the "Keyword Search" page:

Code: Select all
Previous Searches [ Z1_F0331_Zoom_Lovrić_Škariči�... (0) ] [
Z1_F0331_Zoom_Lovrić_Škariči�... (0) ] [ Z1_F0331_Zoom_Lovrić_Škariči�... (0)
] [ Z1_F0331_Zoom_Lovrić_Škariči�... (0) ] [ Z1_F0331_Zoom_Lovrić_Škariči�...
(0) ] [ Z1_F0331_Zoom_Lovrić_Škariči�... (0) ] [
Z1_F0331_Zoom_Lovrić_Škariči�... (0) ] [ Z1_F0331_Zoom_Lovrić_Škariči�... (0)
]

So much for completeness and to be in the clear and consistent in this topic.

So I tab to and follow the link to "Extract Unallocated".

But, thinking of the duplicating of jobs if it is by Autopsy, I was thinking, maybe I should shut the browser and see if the job wouldn't be duplicated?...

No, I don't think so. I have seen, I have just seen, and it's more work to describe it... but maybe this will be helpful for others... Wait...

But I'll make a separate post about it, because of clarity, and because in that way readers will more easily follow.

End of this post. Some more about the duplicating of work in the next post.
Last edited by miroRR on Thu May 14, 2015 3:56 am, edited 2 times in total.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Uninstalling dbus and *kits (to Unfacilitate Remote Seats)
(currently my most viewed topic in Gentoo Forums)
miroRR
 
Posts: 20
Joined: Sat May 09, 2015 1:21 pm

Re: An Avi Video Recovery with SleuthKit

Postby miroRR » Tue May 12, 2015 3:18 pm

EDIT: Surely, this post is of limited use if this behaviour is due to a bug (limited, as only for the present time, since I'm sure this will be fixed for the future). If you're reading for the data recovery issue, skip this post.

There were more jobs, and I killed them (not showing that, for brevity, but they were all jobs that I grepped out with `ps aux | grep blkls' just like below):
Code: Select all
g5n ~ # kill 31041 31042 31045 31046

This one pair (or whatever to call it) remaining:
Code: Select all
g5n ~ # ps aux | grep blkls
root      4169  0.0  0.0  16800   472 pts/1    S    May07   0:00 sh -c '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
root      4170  3.9  0.0  29908   680 pts/1    S    May07 148:01 /usr/bin/blkls -e -f ext -o 0 -i raw /Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn
root     31473  0.0  0.0  11588  2024 pts/9    S+   21:01   0:00 grep --colour=auto blkls
g5n ~ #

And I decide to kill it:
Code: Select all
g5n ~ # kill 4170 4169
g5n ~ #

And I want to make sure it is now dead, but...
...But:
Code: Select all
g5n ~ # ps aux | grep blkls
root     31479  0.0  0.0  16800  2748 pts/1    S    21:05   0:00 sh -c '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
root     31480 22.2  0.0  29908  3276 pts/1    S    21:05   0:02 /usr/bin/blkls -e -f ext -o 0 -i raw /Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn
root     31484  0.0  0.0  11580  2020 pts/9    S+   21:05   0:00 grep --colour=auto blkls
g5n ~ #

I couldn't believe, but look, repeating the same kill line as before shows it's not those processes!
Code: Select all
g5n ~ # kill 4170 4169
bash: kill: (4170) - No such process
bash: kill: (4169) - No such process
g5n ~ #

These really have just been spawned. I didn't run the date in the terminal, but the time, believe you me, was just the one that the ps piped to grep says these new processes have started, 9 pm of May 9th 2015. With incredulity, I looked it up again:
Code: Select all
g5n ~ # ps aux | grep blkls
root     31479  0.0  0.0  16800  2748 pts/1    S    21:05   0:00 sh -c '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
root     31480 23.5  0.0  29908  3276 pts/1    S    21:05   0:06 /usr/bin/blkls -e -f ext -o 0 -i raw /Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn
root     31487  0.0  0.0  11584  2008 pts/9    S+   21:06   0:00 grep --colour=auto blkls
g5n ~ #

And, I can't prove it, but links -g wasn't running on the "http://g5n:9999/31564462051203138502/autopsy" that Autopsy gave me when I started it.
So:
Code: Select all
g5n ~ # kill 31479 31480
g5n ~ #
g5n ~ # ps aux | grep blkls
root     31489  0.0  0.0  11584  2012 pts/9    R+   21:06   0:00 grep --colour=auto blkls
g5n ~ #

It is finally over.

And since Autopsy wasn't running when that job was unnecessarily somehow spawned, I guess it may eventually not be down to Autopsy, but to some other reason.
Last edited by miroRR on Thu May 14, 2015 4:05 am, edited 1 time in total.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Uninstalling dbus and *kits (to Unfacilitate Remote Seats)
(currently my most viewed topic in Gentoo Forums)
miroRR
 
Posts: 20
Joined: Sat May 09, 2015 1:21 pm

Re: An Avi Video Recovery with SleuthKit

Postby miroRR » Tue May 12, 2015 3:20 pm

So I'll go now for the "Extract Unallocated", and, what do I do when it respawns the job unnecessarily? It's not much of unallocated space, because the `df -h' showed only some 13G, so, maybe I should be patient, and in the first place be sure to see clearly what will be going on.

Following the link under "Extract Unallocated" opens a new page.

In it, in the top part:

Code: Select all
Image Details

Name: vgn-Cmn-0-0
Volume Id: vol1
Parent Volume Id: img1
Image File Format: raw
Mounting Point: /1/
File System Type: ext

External Files
ASCII Strings:
Unicode Strings:
Unallocated Fragments:
ASCII Strings of Unallocated:
Unicode Strings of Unallocated: 

-------------

And in the bottom part:

Code: Select all
Extract Strings of Entire Volume
Extracting the ASCII and Unicode strings from
a file system will make keyword searching faster.

Generate MD5? [X]
ASCII: [X]
Unicode: [X]

Extract Strings


Extract Unallocated Fragments
Extracting the unallocated data in a file system
allows more focused keyword searches and data recovery.
(Note: This Does Not Include Slack Space)

Generate MD5? [X]

Extract Unallocated


Apparently, I can choose only one of either "Extract Strings" or "Extract Unallocated".

I suppose I have little unallocated space, and if I'm lucky I may find all those deleted files in there, and it's not going to be so much work, while if I go for the extracting of strings, that would be done on the entire 1.7T which is much more work, and much of it unnecessary, as it looks to me now.

So I go for the "Extract Unallocated". But I deselect "Generate MD5? [ ]" because I have nothing really (I don't think) to compare it against.

The date is:

Code: Select all
miro@gbn ~ $ date --rfc-3339=seconds
2015-05-09 22:21:10+02:00
miro@gbn ~ $


OK. Following the link under "Extract Unallocated" (could have clicked, but I like better selecting it with tabbing to it and pressing the Right Arrow key).

Code: Select all
miro@gbn ~ $ date --rfc-3339=seconds
2015-05-09 22:21:47+02:00
miro@gbn ~ $


I took the exact time with that date command because I want to be sure about it when I read the logs.

What it says when it opened a blank page, is only:

"Extracting unallocated data from vgn-Cmn-0-0" in the top, and in the very bottom it is showing some progress like:

"Received 516 B, avg 3 B/s, cur 0 B/s"

and that's all.

This is in the output folder:

Code: Select all
gbn ~ # ls -ltrh /mnt/g5n-C/autopsy/g5nCmn/g5n/output/
total 21G
-rw-r--r-- 1 root root  47 2015-05-06 18:56 vgn-Cmn-0-0-0.srch
-rw-r--r-- 1 root root  47 2015-05-07 23:07 vgn-Cmn-0-0-1.srch
-rw-r--r-- 1 root root  49 2015-05-08 14:12 vgn-Cmn-0-0-2.srch
-rw-r--r-- 1 root root  49 2015-05-09 15:21 vgn-Cmn-0-0-3.srch
-rw-r--r-- 1 root root  47 2015-05-09 15:21 vgn-Cmn-0-0-4.srch
-rw-r--r-- 1 root root  49 2015-05-09 21:00 vgn-Cmn-0-0-5.srch
-rw-r--r-- 1 root root  47 2015-05-09 21:05 vgn-Cmn-0-0-6.srch
-rw-r--r-- 1 root root  49 2015-05-09 21:06 vgn-Cmn-0-0-7.srch
-rw-r--r-- 1 root root 21G 2015-05-09 22:25 vgn-Cmn-0-0-ext.unalloc
gbn ~ #


and the logs folder surely tells a few events. But I'll use a little one-liner to put some of those events into this file, this one-liner:

Code: Select all
export SK=SK_150508_AviRecovery_3.txt ;
for i in $(ls -1 /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/) ;
do ls -l /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/$i >> $SK ;
cat /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/$i >> $SK ;
done ;


(it was a one-liner, but I later broke it into more lines to fit better in the forum post. Sure, after it was cat'ed into this text, I embellished it with the underlines and shortened it as much as I thought best, not to lose too many details for a beginner like me, if people will be reading this, nor leave unnecessary detail; not easy to decide on these)

Code: Select all
-rw-r--r-- 1 root root 591 2015-05-09 21:20 /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/host.log
=======================================================================================

Code: Select all
Tue May  5 11:39:13 2015: Host g5n added to case g5nCmn
Tue May  5 11:39:22 2015: Host g5n opened by miroR
Tue May  5 11:43:53 2015: Sym Linking image /dev/mapper/vgn-Cmn into g5nCmn:g5n
Tue May  5 11:43:53 2015: Image added: image img1 raw  images/vgn-Cmn
Tue May  5 11:43:53 2015: Volume added: part  vol1 img1   0  0    ext  /1/
Tue May  5 11:44:44 2015: Image vol1 opened by miroR
Wed May  6 16:23:41 2015: Host g5n opened by miroR
Wed May  6 16:23:45 2015: Image vol1 opened by miroR
Sat May  9 21:17:49 2015: Host g5n opened by miroR
Sat May  9 21:20:08 2015: Image vol1 opened by miroR

---

Code: Select all
-rw-r--r-- 1 root root 11300 2015-05-09 22:21 /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.exec.log
===============================================================================================

Code: Select all
Tue May  5 11:43:24 2015: '/usr/bin/img_stat' -t "/dev/mapper/vgn-Cmn"
Tue May  5 11:43:24 2015: '/usr/bin/fsstat' -t -i raw "/dev/mapper/vgn-Cmn"
Tue May  5 11:43:53 2015: '/usr/bin/img_stat' -t "/dev/mapper/vgn-Cmn"
Tue May  5 11:43:53 2015: '/usr/bin/fsstat' -o 0 -i raw -f ext "/dev/mapper/vgn-Cmn"
Tue May  5 11:43:53 2015: /bin/ln -s '/dev/mapper/vgn-Cmn' '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May  5 11:44:15 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May  5 11:47:04 2015: '/usr/bin/fls' -f ext -la  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May  5 11:48:26 2015: '/usr/bin/fls' -f ext -ldr  -s '0'  -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May  5 11:48:48 2015: '/usr/bin/fls' -f ext -ldr  -s '0'  -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May  5 11:55:47 2015: '/usr/bin/ifind' -f ext -n 'MyVideos/H_All/Oth_1/DEL'  -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
[...]
Tue May  5 12:49:06 2015: '/usr/bin/fls' -f ext -lpr  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May  5 12:49:20 2015: '/usr/bin/fls' -f ext -lpr  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May  5 12:49:29 2015: '/usr/bin/fls' -f ext -lpr  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Tue May  5 12:53:57 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May  5 12:53:57 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
[...]
Thu May  7 07:09:30 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Thu May  7 07:09:31 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Thu May  7 07:19:31 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Thu May  7 07:19:32 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Thu May  7 23:07:33 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Sat May  9 15:21:19 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Sat May  9 15:21:20 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Sat May  9 21:05:40 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Sat May  9 21:20:27 2015: '/usr/bin/fsstat' -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Sat May  9 21:21:48 2015: '/usr/bin/fls' -f ext -la  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Sat May  9 22:10:11 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Sat May  9 22:21:57 2015: '/usr/bin/blkls' -f ext  -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' > '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext.unalloc'

---

Code: Select all
-rw-r--r-- 1 root root 5066 2015-05-09 22:21 /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.log
=========================================================================================

Code: Select all
Tue May  5 11:39:22 2015: Host g5n opened
Tue May  5 11:44:44 2015: vol1: volume opened
Tue May  5 11:47:04 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
Tue May  5 11:48:26 2015: vgn-Cmn-0-0: Listing all deleted files
Tue May  5 11:48:48 2015: vgn-Cmn-0-0: Listing all deleted files
Tue May  5 11:55:47 2015: vol1: Finding meta data address for MyVideos/H_All/Oth_1/DEL
Tue May  5 11:55:48 2015: vgn-Cmn-0-0: Directory listing of /1/MyVideos/H_All/Oth_1/DEL/ (24797188)
[...]
Tue May  5 13:13:57 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi
Wed May  6 16:23:41 2015: Host g5n opened
Wed May  6 16:23:45 2015: vol1: volume opened
Wed May  6 16:23:51 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
[...]
Thu May  7 07:19:31 2015: vgn-Cmn-0-0: ASCII, Unicode, search for Z1_F0331_Zoom_Lovrić_Škaričić\.avi
Sat May  9 21:17:49 2015: Host g5n opened
Sat May  9 21:20:08 2015: vol1: volume opened
Sat May  9 21:20:27 2015: vgn-Cmn-0-0: Displaying file system details
Sat May  9 21:21:48 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
Sat May  9 22:21:57 2015: vol1: Saving unallocated data to output/vgn-Cmn-0-0-ext.unalloc

---

Yeah, the output directory already shows:
Code: Select all
gbn ~ # ls -l /mnt/g5n-C/autopsy/g5nCmn/g5n/output/
total 110360544
-rw-r--r-- 1 root root          47 2015-05-06 18:56 vgn-Cmn-0-0-0.srch
-rw-r--r-- 1 root root          47 2015-05-07 23:07 vgn-Cmn-0-0-1.srch
-rw-r--r-- 1 root root          49 2015-05-08 14:12 vgn-Cmn-0-0-2.srch
-rw-r--r-- 1 root root          49 2015-05-09 15:21 vgn-Cmn-0-0-3.srch
-rw-r--r-- 1 root root          47 2015-05-09 15:21 vgn-Cmn-0-0-4.srch
-rw-r--r-- 1 root root          49 2015-05-09 21:00 vgn-Cmn-0-0-5.srch
-rw-r--r-- 1 root root          47 2015-05-09 21:05 vgn-Cmn-0-0-6.srch
-rw-r--r-- 1 root root          49 2015-05-09 21:06 vgn-Cmn-0-0-7.srch
-rw-r--r-- 1 root root 28054294528 2015-05-09 22:43 vgn-Cmn-0-0-ext-1.unalloc
-rw-r--r-- 1 root root 84954845184 2015-05-09 22:43 vgn-Cmn-0-0-ext.unalloc
gbn ~ #

and surely it will reflect in the miroR.log and miroR.exec.log.

Right, now, already a little later, they both have another line added:
Code: Select all
Sat May  9 22:31:58 2015: vol1: Saving unallocated data to output/vgn-Cmn-0-0-ext-1.unalloc

and:
Code: Select all
Sat May  9 22:31:58 2015: '/usr/bin/blkls' -f ext  -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' > '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-1.unalloc'

respectively. And surely, the `top' command to which I gave a terminal of its own, shows two rows of blkls command at 20-30 %CPU.

[...]

A little later (see the dates), the output folder has three unalloc files:

Code: Select all
-rw-r--r-- 1 root root  77986000896 2015-05-09 23:04 vgn-Cmn-0-0-ext-1.unalloc
-rw-r--r-- 1 root root  27782656000 2015-05-09 23:04 vgn-Cmn-0-0-ext-2.unalloc
-rw-r--r-- 1 root root 102791860224 2015-05-09 22:51 vgn-Cmn-0-0-ext.unalloc

The one in bottom is finished, so it's not so much to wait, and I'm still new to Sleuthkit, I'm not absolutely certain that I wouldn't break something if I killed the other two unalloc being dumped, so I'll wait.

Surely, in the end, it looked like this:

Code: Select all
-rw-r--r-- 1 root root 102791860224 2015-05-09 23:14 vgn-Cmn-0-0-ext-1.unalloc
-rw-r--r-- 1 root root 102791860224 2015-05-09 23:24 vgn-Cmn-0-0-ext-2.unalloc
-rw-r--r-- 1 root root 102791860224 2015-05-09 22:51 vgn-Cmn-0-0-ext.unalloc


And there was a timeout "error" similar to the one that I already described:

( this same topic you're reading )
http://forum.sleuthkit.org/viewtopic.ph ... 441&#p2621
( near bottom )

On that error I hit the "Cancel" in it, and moved back in the browser.

The previous screen from which I started the "Extract Unallocated" showed, the screen with the choice to "Extract Strings" and "Extract Unallocated", from which I chose the latter.

But that screen also has two more buttons in bottom. They are "Close" and "FileSystem". Don't know which to choose, but I'll guess I should try "FileSystem".

It shows

Code: Select all
General File System Details
-------------------------
FILE SYSTEM INFORMATION
File System Type: Ext4
Volume Name:
Volume ID: 621656f7bd1ec7806941a2a26e05684e

Last Written at: 2015-04-01 11:59:42 (CEST)
Last Checked at: 2014-03-12 11:44:37 (CET)

Last Mounted at: 2015-04-01 11:59:42 (CEST)
Unmounted properly
Last mounted on: /Cmn

Source OS: Linux
Dynamic Structure
Compat Features: Journal, Ext Attributes, Resize Inode, Dir Index
InCompat Features: Filetype, Needs Recovery, Extents, Flexible Block Groups,
Read Only Compat Features: Sparse Super, Large File, Huge File, Extra Inode Size

Journal ID: 00
Journal Inode: 8
-------------------------

along with just two more smallish paragraphs:
Code: Select all
METADATA INFORMATION

Inode Range: 1 - 110059521
Root Directory: 2
Free Inodes: 110021883
Inode Size: 256
-------------------------
CONTENT INFORMATION
Block Groups Per Flex Group: 16
Block Range: 0 - 440235007
Block Size: 4096
Free Blocks: 258718324
-------------------------


on top, and then a huge, huge list starts:

Code: Select all
BLOCK GROUP INFORMATION
Number of Block Groups: 13435
Inodes per group: 8192
Blocks per group: 32768

Group: 0:
Block Group Flags: [INODE_ZEROED, ..]
Inode Range: 1 - 8192
Block Range: 0 - 32767
Layout:
Super Block: 0 - 0
Group Descriptor Table: 1 - 105
Group Descriptor Growth Blocks: 106 - 1024
Data bitmap: 1025 - 1025
Inode bitmap: 1041 - 1041
Inode Table: 1057 - 1568
Data Blocks: 9249 - 32767
Free Inodes: 8154 (99%)
Free Blocks: 19692 (60%)
Total Directories: 1
Stored Checksum: 0x5F2A

Group: 1:
Block Group Flags: [INODE_UNINIT, INODE_ZEROED, ..]
Inode Range: 8193 - 16384
Block Range: 32768 - 65535
Layout:
Super Block: 32768 - 32768
Group Descriptor Table: 32769 - 32873
Group Descriptor Growth Blocks: 32874 - 33792
Data bitmap: 1026 - 1026
Inode bitmap: 1042 - 1042
Inode Table: 1569 - 2080
Data Blocks: 33793 - 65535
Free Inodes: 8192 (100%)
Free Blocks: 1097 (3%)
Total Directories: 0
Stored Checksum: 0xB0C6


and here I cut out some 13431 groups, and give just the very last group:

Code: Select all
Group: 13434:
Block Group Flags: [INODE_UNINIT, INODE_ZEROED, ..]
Inode Range: 110051329 - 110059520
Block Range: 440205312 - 440235007
Layout:
Data bitmap: 439877642 - 439877642
Inode bitmap: 439877658 - 439877658
Inode Table: 439882784 - 439883295
Data Blocks: 440205312 - 440235007
Free Inodes: 8192 (100%)
Free Blocks: 1024 (3%)
Total Directories: 0
Stored Checksum: 0x2070


That gives me a reference if I will need it later. I guess I can find that information any time under "Image Details", or?

That screen also gave me back the menu at the top, which I didn't list before. Well I can now:

"File Analysis", "Keyword Search", "File Type", "Image Details", "Meta Data", "Data Unit", "Help" and "Close".

I think I'll tab into "Keyword Search" again.

I did. And I think I should have, OK, showed a similar screen as before, but with the option of "Load Unallocated", which I don't have as an option now. So I can't do anything with this.

I have gone to browse all the titles of the menu that I just listed above (well, all except "Help" and "Close" of course --I browse the "Help" in a separate instance of the Links browser), but only one of them all offers me to "Load Unallocated", and it's the "Data Unit".

So I stay at "Data Unit" and I "Load Unallocated".

But it's still kind of useless for what I had in mind.

And in the next post I'll try and explain what I thought I would do next, and why.
Last edited by miroRR on Thu May 14, 2015 4:25 am, edited 1 time in total.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Uninstalling dbus and *kits (to Unfacilitate Remote Seats)
(currently my most viewed topic in Gentoo Forums)
miroRR
 
Posts: 20
Joined: Sat May 09, 2015 1:21 pm
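The exec.log excerpt above is a good record of the job duplication the thread keeps running into: each started keyword search shows up as one `blkls | srch_strings -a -t d | grep` pass for ASCII and, when Unicode is selected, one more with `-e l`, so more passes than that for the same pattern is a re-spawned job. The following is an added example, not code from this thread, from Autopsy or from The Sleuth Kit: a Python parser for lines in the `miroR.exec.log` format that groups the search passes by grep pattern and encoding and reports every pattern that was searched more than once per encoding, with the gaps between the starts. The sample lines are copied from the exec.log excerpt in the post; the regular expressions assume the exact quoting Autopsy wrote there.

```python
"""Count srch_strings passes per keyword in an Autopsy exec.log.

Added example; not from the thread, Autopsy or The Sleuth Kit.
"""
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the miroR.exec.log excerpt in the thread.
SAMPLE_EXEC_LOG = r"""
Tue May  5 12:53:57 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Tue May  5 12:53:57 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Thu May  7 07:09:30 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Thu May  7 07:09:31 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Thu May  7 07:19:31 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Thu May  7 07:19:32 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Thu May  7 23:07:33 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Sat May  9 15:21:19 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Sat May  9 15:21:20 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
Sat May  9 21:05:40 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'Z1_F0331_Zoom_Lovrić_Škaričić\.avi'
"""

_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}
# "Thu May  7 07:09:31 2015: <command>"  (month names parsed by hand, so no locale dependence)
_LINE = re.compile(r"^\w{3} (?P<mon>\w{3}) +(?P<day>\d{1,2}) "
                   r"(?P<hh>\d{2}):(?P<mm>\d{2}):(?P<ss>\d{2}) (?P<year>\d{4}): (?P<cmd>.*)$")
# the srch_strings | grep tail of a keyword search; '-e l' marks the Unicode pass
_SEARCH = re.compile(r"'/usr/bin/srch_strings' -a -t d(?P<uni> -e l)? \| '/bin/grep' +'(?P<pat>.*)'$")


def parse_exec_log(text: str):
    """Return [(datetime, command)] for every well-formed line; wrapped or
    truncated lines (as in a forum paste) are skipped rather than guessed at."""
    entries = []
    for line in text.strip().splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        ts = datetime(int(m["year"]), _MONTHS[m["mon"]], int(m["day"]),
                      int(m["hh"]), int(m["mm"]), int(m["ss"]))
        entries.append((ts, m["cmd"]))
    return entries


def keyword_passes(entries):
    """Group search passes: {grep_pattern: {'ascii': [start, ...], 'unicode': [start, ...]}}."""
    passes = defaultdict(lambda: {"ascii": [], "unicode": []})
    for ts, cmd in entries:
        m = _SEARCH.search(cmd)
        if m:
            passes[m["pat"]]["unicode" if m["uni"] else "ascii"].append(ts)
    return dict(passes)


def duplicate_passes(passes):
    """A single started search yields at most one pass per (pattern, encoding).
    Report every pair with more, and the seconds between consecutive starts."""
    report = {}
    for pat, by_enc in passes.items():
        for enc, stamps in by_enc.items():
            if len(stamps) > 1:
                stamps = sorted(stamps)
                report[(pat, enc)] = {
                    "count": len(stamps),
                    "gaps_s": [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])],
                }
    return report


if __name__ == "__main__":
    for (pat, enc), info in duplicate_passes(keyword_passes(parse_exec_log(SAMPLE_EXEC_LOG))).items():
        print("%s [%s]: %d passes, gaps (s): %s" % (pat, enc, info["count"], info["gaps_s"]))
```

On the sample lines this reports three ASCII passes and four Unicode passes for the one pattern, two of the Unicode passes one second apart, which matches the pairs of blkls processes the post shows `ps aux` finding. To run it on a real case, read the file from `<case>/<host>/logs/<investigator>.exec.log` into `parse_exec_log` instead of the sample string.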

Re: An Avi Video Recovery with SleuthKit

Postby miroRR » Tue May 12, 2015 3:26 pm

I have managed to figure out a little of the hexdump program/command, and I looked into the kind of files that I need to undelete.

I ran this one-liner on a few files like those. It's avi files gotten with mencoder on an old Hauppauge TV-card, on composite input.

Code: Select all
$ for i in $(ls -1 Compo_F050*|grep -v tail|grep -v head |sed 's/\.avi//') ; \
do ls -l $i.avi ; \
cat $i.avi.hex-C.head | grep -A1 '41 56 49 20 4c 49 53 54' ; \
read FAKE ; \
done ;

And this is what it gets me:
Code: Select all
-rw-r--r-- 1 miro miro 2619101478 2015-05-08 16:05 Compo_F0506_1431.avi
00000000  52 49 46 46 8c d3 ff 3f  41 56 49 20 4c 49 53 54  |RIFF...?AVI LIST|
00000010  36 02 00 00 68 64 72 6c  61 76 69 68 38 00 00 00  |6...hdrlavih8...|

-rw-r--r-- 1 miro miro 742218864 2015-05-08 19:26 Compo_F0507_1901.avi
00000000  52 49 46 46 68 5c 3d 2c  41 56 49 20 4c 49 53 54  |RIFFh\=,AVI LIST|
00000010  7e 01 00 00 68 64 72 6c  61 76 69 68 38 00 00 00  |~...hdrlavih8...|

-rw-r--r-- 1 miro miro 1276389040 2015-05-08 21:02 Compo_F0508_2000.avi
00000000  52 49 46 46 e2 d5 ff 3f  41 56 49 20 4c 49 53 54  |RIFF...?AVI LIST|
00000010  16 02 00 00 68 64 72 6c  61 76 69 68 38 00 00 00  |....hdrlavih8...|

-rw-r--r-- 1 miro miro 154334 2015-05-08 21:28 Compo_F0508_2128.avi
00000000  52 49 46 46 d6 5a 02 00  41 56 49 20 4c 49 53 54  |RIFF.Z..AVI LIST|
00000010  7e 01 00 00 68 64 72 6c  61 76 69 68 38 00 00 00  |~...hdrlavih8...|

$

The output clearly shows a pattern, and that every avi file made like I do it (with mencoder) has those strings. So I thought I'd just search for simply `AVI LIST' and I would find the beginning of each of the deleted avi files, and somehow find the ones that I want to undelete from among them.

But I can't search for strings in the "Data Unit" Mode section.

Going way back with the <Left> arrow (corresponding to the "Back" button in usual big browsers).

But since reopening the "Keyword Search" still didn't offer me the "Load Unallocated" I decide to choose "Close" from the menu, and see if that gets me anywhere better.

Back in the "Case Gallery" and again following "Analyze".

Nope, it doesn't offer "Load Unallocated".

Back and choosing to "Close Host".

And "Close Case".

And reopening it.

Whoah! I finally got it. In the "Data Unit" I followed "Load Unallocated", and in what opens I can now choose from the menu only "Keyword Search" and "Data Unit", apart from "Help" and "Close", because the other options are grayed out.

So I choose the "Keyword Search".

It looks like this:

Code: Select all
Keyword Search of Unallocated Space

Enter the keyword string or
expression to search for:
_________________________

[X ] ASCII [X] Unicode
[ ] Case Insensitive [ ] grep Regular Expression


And there are buttons: "Load Original", "Extract Strings" and "Search", and a note, and predefined searches in bottom.

I entered in the form "AVI LIST" (without quotes and that is just one blank between the two simple words in capitals).

I read someplace in Autopsy help that in Unix the ASCII and not Unicode is usually used, but I'm so uncertain, that I'll leave Unicode on as well.
EDIT: I probably should have gone without the Unicode: nothing was found in Unicode, and it spent a lot of CPU cycles and time.

My unallocated is only 100G and that is so much less than the entire partition which is 1.7T, so the search shouldn't take too long.

Code: Select all
miro@gbn ~ $ date --rfc-3339=seconds
2015-05-10 05:06:29+02:00
miro@gbn ~ $


And I just tab to and follow the "Search".

But it appears that something went wrong. It all finished in no time, fraction of a second, immediately, and this shows:

Code: Select all
Searching for ASCII: Done
Saving: Done
0 hits
--------------------
Searching for Unicode: Done
Saving: Done
0 hits
--------------------
New Search
--------------------
AVI LIST was not found
Search Options: 
ASCII
Case Sensitive
--------------------
AVI LIST was not found
Search Options: 
Unicode 
Case Sensitive
--------------------


And the unalloc exists, three of them exist:
Code: Select all
gbn ~ # ls -l /mnt/g5n-C/autopsy/g5nCmn/g5n/output/
total 301148156
-rw-r--r-- 1 root root           47 2015-05-06 18:56 vgn-Cmn-0-0-0.srch
-rw-r--r-- 1 root root           47 2015-05-07 23:07 vgn-Cmn-0-0-1.srch
-rw-r--r-- 1 root root           49 2015-05-08 14:12 vgn-Cmn-0-0-2.srch
-rw-r--r-- 1 root root           49 2015-05-09 15:21 vgn-Cmn-0-0-3.srch
-rw-r--r-- 1 root root           47 2015-05-09 15:21 vgn-Cmn-0-0-4.srch
-rw-r--r-- 1 root root           49 2015-05-09 21:00 vgn-Cmn-0-0-5.srch
-rw-r--r-- 1 root root           47 2015-05-09 21:05 vgn-Cmn-0-0-6.srch
-rw-r--r-- 1 root root           49 2015-05-09 21:06 vgn-Cmn-0-0-7.srch
-rw-r--r-- 1 root root 102791860224 2015-05-09 23:14 vgn-Cmn-0-0-ext-1.unalloc
-rw-r--r-- 1 root root 102791860224 2015-05-09 23:24 vgn-Cmn-0-0-ext-2.unalloc
-rw-r--r-- 1 root root           18 2015-05-10 05:07 vgn-Cmn-0-0-ext-2.unalloc-0.srch
-rw-r--r-- 1 root root           20 2015-05-10 05:07 vgn-Cmn-0-0-ext-2.unalloc-1.srch
-rw-r--r-- 1 root root 102791860224 2015-05-09 22:51 vgn-Cmn-0-0-ext.unalloc
gbn ~ #


Don't know. I can try and search for the other string that appears in all my avi's, the "hdrlavih8". But following "Search" gave just the same immediate no hits. Impossible!

I'm looking up the logs. The miroR.exec.log has these lines at the bottom:

Code: Select all
Sun May 10 05:07:25 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Sun May 10 05:07:25 2015: '/usr/bin/blkls' -e -f blkls -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'AVI LIST'
Sun May 10 05:07:25 2015: '/usr/bin/blkls' -e -f blkls -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'AVI LIST'
Sun May 10 05:13:43 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Sun May 10 05:13:43 2015: '/usr/bin/blkls' -e -f blkls -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'hdrlavih8'
Sun May 10 05:13:43 2015: '/usr/bin/blkls' -e -f blkls -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'hdrlavih8'
Sun May 10 05:15:19 2015: '/usr/bin/fsstat' -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'


What is wrong?

I'll try and close the browser completely and restart my graphical links.

In the next post.
Last edited by miroRR on Thu May 14, 2015 4:41 am, edited 2 times in total.
Miroslav Rovis
Zagreb, Croatia
http://www.CroatiaFidelis.hr
Uninstalling dbus and *kits (to Unfacilitate Remote Seats)
(currently my most viewed topic in Gentoo Forums)
miroRR
 
Posts: 20
Joined: Sat May 09, 2015 1:21 pm

Re: An Avi Video Recovery with SleuthKit

Postby miroRR » Tue May 12, 2015 3:29 pm

Right. That did it.

Getting into the menu, this time, shows what I needed.

Code: Select all
Keyword Search of Allocated and Unallocated Space
Enter the keyword string or expression to search for:
__________________________________

-----------------------------
[X] ASCII [X] Unicode
[ ] Case Insensitive [ ] grep Regular Expression


And so I enter "AVI LIST" and...

Code: Select all
miro@gbn ~ $ date --rfc-3339=seconds
2015-05-10 05:23:34+02:00
miro@gbn ~ $


tab and follow "Search".

Finally. It says on an otherwise empty page with just the same menu on top: "Searching for ASCII", and then just the progress in the very bottom in the status line, such as:
Code: Select all
"Received 458 B, avg 5 B/s, cur 0 B/s".


And in the other computer, where I have `top' fired up all the time, this shows:

Code: Select all
top - 05:27:19 up 38 days, 17:30,  3 users,  load average: 0.95, 0.48, 0.22
Tasks: 229 total,   3 running, 225 sleeping,   1 stopped,   0 zombie
%Cpu(s): 16.7 us,  3.3 sy,  0.0 ni, 79.8 id,  0.1 wa,  0.0 hi,  0.1 si,  0.0 st
KiB Mem : 16385720 total,  2194860 free,   829944 used, 13360916 buff/cache
KiB Swap: 20971516 total, 20882992 free,    88524 used. 15456620 avail Mem

  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     TIME+ COMMAND                               
27868 root      20   0    6416    792    708 R  99.7  0.0   3:01.43 srch_strings                         
27867 root      20   0   29908   3300   2920 S  19.2  0.0   0:32.89 blkls                                 
27869 root      20   0   11584   2016   1892 S   4.6  0.0   0:14.10 grep                                 
12433 root      20   0  176116  18360   4060 S   2.6  0.1  17:04.24 X                                     
10091 root      20   0   25088    772    128 R   0.7  0.0  38:03.88 top             


-------
But after a few hours (I took a short nap), I realized that I was doing the wrong search... I forgot to load the unallocated! Even the title of the search said so, it said:

"Keyword Search of Allocated and Unallocated Space"

(which I found in my notes and is retained in the published post -- the previous to this one) as I cared to paste what I was doing. So I killed those jobs, and had to restart the browser a few times, as after loading the unallocated space, it would perform those immediately finished searches that found nothing for some reason.

And in experimenting with how to start the right search I made a few tries, but I couldn't go for exactly what I wanted; rather (and it will come to the same result in a slightly different way) I did what these listings and logs will tell you.

In the first place, here's the failed and the duplicated current searches:

Code: Select all
gbn ~ # ls -ltr /mnt/g5n-C/autopsy/g5nCmn/g5n/output/ | tail -9
-rw-r--r-- 1 root root           18 2015-05-10 08:48 vgn-Cmn-0-0-ext-2.unalloc-4.srch
-rw-r--r-- 1 root root           20 2015-05-10 08:48 vgn-Cmn-0-0-ext-2.unalloc-5.srch
-rw-r--r-- 1 root root           18 2015-05-10 08:49 vgn-Cmn-0-0-ext-2.unalloc-6.srch
-rw-r--r-- 1 root root           20 2015-05-10 08:49 vgn-Cmn-0-0-ext-2.unalloc-7.srch
-rw-r--r-- 1 root root           18 2015-05-10 08:51 vgn-Cmn-0-0-ext-2.unalloc-8.srch
-rw-r--r-- 1 root root           20 2015-05-10 08:51 vgn-Cmn-0-0-ext-2.unalloc-9.srch
-rw-r--r-- 1 root root   7626432512 2015-05-10 09:22 vgn-Cmn-0-0-ext-2.unalloc-blkls.asc
-rw-r--r-- 1 root root    813826048 2015-05-10 09:22 vgn-Cmn-0-0-ext-2.unalloc-blkls-2.asc
-rw-r--r-- 1 root root   3439091712 2015-05-10 09:22 vgn-Cmn-0-0-ext-2.unalloc-blkls-1.asc
gbn ~ #

The short ones are the failed ones, and the three big ones are the duplicated searches.

And to those correspond these lines:

Code: Select all
gbn ~ # cat /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.log | tail -12
Sun May 10 08:48:32 2015: vgn-Cmn-0-0-ext-2.unalloc: ASCII, Unicode, search for AVI LIST
Sun May 10 08:49:07 2015: Host g5n opened
Sun May 10 08:49:10 2015: vol1: volume opened
Sun May 10 08:49:34 2015: vgn-Cmn-0-0-ext-2.unalloc: ASCII, Unicode, search for AVI LIST
Sun May 10 08:49:56 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
Sun May 10 08:51:14 2015: Host g5n opened
Sun May 10 08:51:25 2015: vol1: volume opened
Sun May 10 08:51:26 2015: vgn-Cmn-0-0: Directory listing of /1/ (2)
Sun May 10 08:51:57 2015: vgn-Cmn-0-0-ext-2.unalloc: ASCII, Unicode, search for AVI LIST
Sun May 10 08:52:19 2015: vgn-Cmn-0-0-ext-2.unalloc: Saving ASCII strings to output/vgn-Cmn-0-0-ext-2.unalloc-blkls.asc
Sun May 10 09:02:19 2015: vgn-Cmn-0-0-ext-2.unalloc: Saving ASCII strings to output/vgn-Cmn-0-0-ext-2.unalloc-blkls-1.asc
Sun May 10 09:16:00 2015: vgn-Cmn-0-0-ext-2.unalloc: Saving ASCII strings to output/vgn-Cmn-0-0-ext-2.unalloc-blkls-2.asc
gbn ~ #


and also these:

Code: Select all
gbn ~ # cat /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.exec.log | tail -18
Sun May 10 08:47:20 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'AVI LIST'
Sun May 10 08:47:20 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'AVI LIST'
Sun May 10 08:47:20 2015: '/usr/bin/blkls' -e -f ext -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'AVI LIST'
Sun May 10 08:48:32 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Sun May 10 08:48:32 2015: '/usr/bin/blkls' -e -f blkls -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'AVI LIST'
Sun May 10 08:48:32 2015: '/usr/bin/blkls' -e -f blkls -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'AVI LIST'
Sun May 10 08:49:34 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Sun May 10 08:49:34 2015: '/usr/bin/blkls' -e -f blkls -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'AVI LIST'
Sun May 10 08:49:34 2015: '/usr/bin/blkls' -e -f blkls -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'AVI LIST'
Sun May 10 08:49:56 2015: '/usr/bin/fls' -f ext -la  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Sun May 10 08:51:26 2015: '/usr/bin/fls' -f ext -la  -s '0' -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn' 2
Sun May 10 08:51:57 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Sun May 10 08:51:57 2015: '/usr/bin/blkls' -e -f blkls -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' | '/usr/bin/srch_strings' -a -t d | '/bin/grep'  'AVI LIST'
Sun May 10 08:51:57 2015: '/usr/bin/blkls' -e -f blkls -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' | '/usr/bin/srch_strings' -a -t d -e l | '/bin/grep'  'AVI LIST'
Sun May 10 08:52:04 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Sun May 10 08:52:19 2015: '/usr/bin/srch_strings' -a -t d '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' > '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc-blkls.asc'
Sun May 10 09:02:19 2015: '/usr/bin/srch_strings' -a -t d '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' > '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc-blkls-1.asc'
Sun May 10 09:16:00 2015: '/usr/bin/srch_strings' -a -t d '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' > '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc-blkls-2.asc'
gbn ~ #


[...]

The ASCII searches have all just ended. Three equal size files in the output:

Code: Select all
gbn ~ # ls -ltr /mnt/g5n-C/autopsy/g5nCmn/g5n/output/ | tail -4
-rw-r--r-- 1 root root  22340380170 2015-05-10 11:17 vgn-Cmn-0-0-ext-2.unalloc-blkls.asc
-rw-r--r-- 1 root root  22340380170 2015-05-10 11:39 vgn-Cmn-0-0-ext-2.unalloc-blkls-1.asc
-rw-r--r-- 1 root root  22340380170 2015-05-10 11:45 vgn-Cmn-0-0-ext-2.unalloc-blkls-2.asc
-rw-r--r-- 1 root root         4096 2015-05-10 11:47 vgn-Cmn-0-0-ext-2.unalloc-blkls.uni
gbn ~ #


Only one unicode search has finished, IIUC. Two more going on. It's an ext4, and I should probably be better off killing the unicode search jobs, but I'm uncertain, and another hour or not much more is irrelevant in all the time needed for a recovery like this.

I'm not sure, but I think it's best to just wait for all the searches to finish.

Nope, only the ASCII searches are done:
Code: Select all
-rw-r--r-- 1 root root       913408 2015-05-10 12:09 vgn-Cmn-0-0-ext-2.unalloc-blkls.uni


Nope, it's worse than that. In the next post.
Last edited by miroRR on Thu May 14, 2015 4:53 am, edited 1 time in total.

Re: An Avi Video Recovery with SleuthKit

Postby miroRR » Tue May 12, 2015 3:31 pm

EDIT: Another buggish behavior here, IIUC. Probably part of the same misbehavior as the duplicated keyword searches, but only [I]f [I] [U]nderstand [C]orrectly.

See other notes strewn across the topic, which I tried to make stand out in blue like this one is.

Code: Select all
# ps aux | grep srch_strings
root     28508  0.0  0.0  16800   336 pts/1    S    11:46   0:00 sh -c '/usr/bin/srch_strings' -a -t d -e l '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' > '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc-blkls.uni'
root     28509  0.0  0.0  16804   464 pts/1    S    11:46   0:00 sh -c '/usr/bin/srch_strings' -a -t d -e l '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' > '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc-blkls.uni'
root     28510 78.9  0.0   6416    84 pts/1    R    11:46  32:37 /usr/bin/srch_strings -a -t d -e l /Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc
root     28511 77.0  0.0   6420    88 pts/1    D    11:46  31:50 /usr/bin/srch_strings -a -t d -e l /Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc
root     28567  0.0  0.0  11584  1968 pts/10   S+   12:27   0:00 grep --colour=auto srch_strings


As I think this says, jobs 28508 and 28509 both cram the unicode strings into the same file:
Code: Select all
/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc-blkls.uni

and while that's not the right thing to be happening, I'm afraid I can't help it, other than wait for both the jobs to finish.

I think it'll be the same output as if only the second job was on. I think I had instances where I had two text files grown by feeding in from same kind of jobs, and I think that the latter job's output is the only one that remains. But we'll see.

Now there was the timeout which I described previously [

( this same topic you're reading )
http://forum.sleuthkit.org/viewtopic.ph ... 441&#p2621
( near bottom )

]

I canceled it, and moved back, and closed the already seen previous screen with the "Close" button.

And I am taken to the Case Gallery.

Analyze > Keyword Search, in which I Load Unallocated, and enter the search "AVI LIST" (without quotes).

No use. Again the result is immediate and nothing is found.

Will try going back further... and retrace my steps to here again, so I "Close Host" and then "Close Case", go to the "Main Menu", and then to "Open Case".

Back to the same "Keyword Search of Unallocated Space", with the same search, and same immediate null results.

Shutting the `links -g' altogether with Alt-F4.

Re-issuing:

Code: Select all
links -g http://g5n:9999/31564462051203138502/autopsy &


and doing exactly the same, but now the same "Keyword Search of Unallocated Space", with the same search for "AVI LIST" has started and is under way.

I think it's doing what I need of it:

Code: Select all
gbn ~ # cat /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/host.log | tail
Sun May 10 08:51:14 2015: Host g5n opened by miroR
Sun May 10 08:51:25 2015: Image vol1 opened by miroR
Sun May 10 11:17:35 2015: Volume added: strings  vol5 vol4   output/vgn-Cmn-0-0-ext-2.unalloc-blkls.asc
Sun May 10 11:39:25 2015: Volume added: strings  vol6 vol4   output/vgn-Cmn-0-0-ext-2.unalloc-blkls-1.asc
Sun May 10 11:45:45 2015: Volume added: strings  vol7 vol4   output/vgn-Cmn-0-0-ext-2.unalloc-blkls-2.asc
Sun May 10 12:47:11 2015: Volume added: unistrings  vol8 vol4    output/vgn-Cmn-0-0-ext-2.unalloc-blkls.uni
Sun May 10 12:51:13 2015: Volume added: unistrings  vol9 vol4    output/vgn-Cmn-0-0-ext-2.unalloc-blkls.uni
Sun May 10 13:18:14 2015: Host g5n opened by miroR
Sun May 10 13:20:51 2015: Host g5n opened by miroR
Sun May 10 13:20:55 2015: Image vol1 opened by miroR


Code: Select all
gbn ~ # cat /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.log | tail
Sun May 10 08:52:19 2015: vgn-Cmn-0-0-ext-2.unalloc: Saving ASCII strings to output/vgn-Cmn-0-0-ext-2.unalloc-blkls.asc
Sun May 10 09:02:19 2015: vgn-Cmn-0-0-ext-2.unalloc: Saving ASCII strings to output/vgn-Cmn-0-0-ext-2.unalloc-blkls-1.asc
Sun May 10 09:16:00 2015: vgn-Cmn-0-0-ext-2.unalloc: Saving ASCII strings to output/vgn-Cmn-0-0-ext-2.unalloc-blkls-2.asc
Sun May 10 11:18:18 2015: vgn-Cmn-0-0-ext-2.unalloc: Saving Unicode strings to output/vgn-Cmn-0-0-ext-2.unalloc-blkls.uni
Sun May 10 11:46:08 2015: vgn-Cmn-0-0-ext-2.unalloc: Saving Unicode strings to output/vgn-Cmn-0-0-ext-2.unalloc-blkls.uni
Sun May 10 11:46:08 2015: vgn-Cmn-0-0-ext-2.unalloc: Saving Unicode strings to output/vgn-Cmn-0-0-ext-2.unalloc-blkls.uni
Sun May 10 13:18:14 2015: Host g5n opened
Sun May 10 13:20:51 2015: Host g5n opened
Sun May 10 13:20:55 2015: vol1: volume opened
Sun May 10 13:21:15 2015: vgn-Cmn-0-0-ext-2.unalloc: ASCII, Unicode, search for AVI LIST


Code: Select all
gbn ~ # cat /mnt/g5n-C/autopsy/g5nCmn/g5n/logs/miroR.exec.log | tail
Sun May 10 11:18:13 2015: '/usr/bin/md5sum' /Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc-blkls.asc
Sun May 10 11:26:40 2015: '/usr/bin/srch_strings' -a -t d -e l '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' > '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc-blkls.uni'
Sun May 10 11:46:03 2015: '/usr/bin/md5sum' /Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc-blkls-1.asc
Sun May 10 11:46:03 2015: '/usr/bin/md5sum' /Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc-blkls-2.asc
Sun May 10 11:46:08 2015: '/usr/bin/srch_strings' -a -t d -e l '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' > '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc-blkls.uni'
Sun May 10 11:46:08 2015: '/usr/bin/srch_strings' -a -t d -e l '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc' > '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc-blkls.uni'
Sun May 10 12:47:11 2015: '/usr/bin/md5sum' /Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc-blkls.uni
Sun May 10 12:51:13 2015: '/usr/bin/md5sum' /Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc-blkls.uni
Sun May 10 13:21:15 2015: '/usr/bin/blkcat' -f ext -s -o 0 -i raw '/Cmn/autopsy/g5nCmn/g5n/images/vgn-Cmn'
Sun May 10 13:21:15 2015: '/bin/grep'  'AVI LIST' '/Cmn/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc-blkls-2.asc'
gbn ~ #


And these are the hits; I'm describing and pasting over what Autopsy shows to me:

Code: Select all
Searching for ASCII: Done
Saving: Done
21 hits- link to results
Searching for Unicode: Done
Saving: Done
0 hits

New Search

21 occurrences of AVI LIST were found
Search Options:
ASCII 
Case Sensitive

-------------------------------------

Unit 8362688 (Hex - Ascii - Original)
1: 8 (AVI LIST~)

Unit 8481440 (Hex - Ascii - Original) 2: 8 (AVI LIST~)

Unit 8512160 (Hex - Ascii - Original) 3: 8 (AVI LIST~)

Unit 9059592 (Hex - Ascii - Original) 4: 8 (AVI LIST~)

Unit 11257501 (Hex - Ascii - Original) 5: 8 (AVI LIST~)

Unit 11269789 (Hex - Ascii - Original) 6: 8 (AVI LIST~)

Unit 11853437 (Hex - Ascii - Original) 7: 8 (AVI LIST~)

Unit 11873917 (Hex - Ascii - Original) 8: 8 (AVI LIST~)

Unit 11894397 (Hex - Ascii - Original) 9: 8 (AVI LIST~)

Unit 11914877 (Hex - Ascii - Original) 10: 8 (AVI LIST~)

Unit 12469631 (Hex - Ascii - Original) 11: 8 (AVI LIST~)

Unit 12566748 (Hex - Ascii - Original) 12: 8 (AVI LIST~)

Unit 12632284 (Hex - Ascii - Original) 13: 8 (AVI LIST~)

Unit 12934223 (Hex - Ascii - Original) 14: 8 (AVI LIST~)

Unit 13076712 (Hex - Ascii - Original) 15: 8 (AVI LIST~)

Unit 13248744 (Hex - Ascii - Original) 16: 8 (AVI LIST~)

Unit 19096265 (Hex - Ascii - Original) 17: 8 (AVI LIST~)

Unit 19099975 (Hex - Ascii - Original) 18: 8 (AVI LIST~)

Unit 19332590 (Hex - Ascii - Original) 19: 8 (AVI LIST2)

Unit 19334555 (Hex - Ascii - Original) 20: 8 (AVI LIST~)

Unit 24152834 (Hex - Ascii - Original) 21: 8 (<*AVI LIST2)

-------------------------------------

AVI LIST was not found
Search Options: 
Unicode 
Case Sensitive


And that is apparently corresponding to this file:

Code: Select all
gbn ~ # cat /mnt/g5n-C/autopsy/g5nCmn/g5n/output/vgn-Cmn-0-0-ext-2.unalloc-10.srch
21||AVI LIST|ascii
8362688|8|AVI LIST~
8481440|8|AVI LIST~
8512160|8|AVI LIST~
9059592|8|AVI LIST~
11257501|8|AVI LIST~
11269789|8|AVI LIST~
11853437|8|AVI LIST~
11873917|8|AVI LIST~
11894397|8|AVI LIST~
11914877|8|AVI LIST~
12469631|8|AVI LIST~
12566748|8|AVI LIST~
12632284|8|AVI LIST~
12934223|8|AVI LIST~
13076712|8|AVI LIST~
13248744|8|AVI LIST~
19096265|8|AVI LIST~
19099975|8|AVI LIST~
19332590|8|AVI LIST2
19334555|8|AVI LIST~
24152834|8|<*AVI LIST2
gbn ~ #


Just, the Autopsy gives me also the links to continue the research and hopefully eventually accomplish the recovery.

Under every "Hex", every "Ascii", and every "Original" there is a link underneath.

Every "Hex" indeed, if followed (tabbed to and Right Arrow'ed on, or, simply, but I like it less, clicked on), shows, each one of them I suppose, and I may check quite a few yet, lines to the effect of:

Code: Select all
0       52494646 641e0000 41564920 4c495354     RIFF d... AVI  LIST
16      7e010000 6864726c 61766968 38000000     ~... hdrl avih 8...
32      409c0000 00000000 00000000 00090000     @... .... .... ....

which is exactly the beginning of an avi file, made, in my case, with mencoder.

The first stage of my journey is done.
Last edited by miroRR on Thu May 14, 2015 5:08 am, edited 1 time in total.
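Added example (not code from the post, and not something Autopsy does for you): read the `.srch` file Autopsy wrote for the "AVI LIST" search, turn each hit into a byte offset in the blkls `.unalloc` file, and decode the AVI header found there, using the hex dump of Unit 8362688 from the post as input. Two assumptions that the page does not state: the file system uses 4096-byte blocks, so Autopsy's "Unit N" is byte N*4096 of the `.unalloc` file (check with `fsstat`), and srch_strings reports the start of the whole printable run, which is why one hit reads "<*AVI LIST2" instead of starting at "AVI LIST". Mapping a blkls unit back to a fragment of the original image (what "View Original" does) is a job for `blkcalc -u`, which needs the image and is not reproduced here.

```python
"""Decode Autopsy keyword hits (.srch) and the RIFF/AVI header they point at.

Added example; the constants below are transcribed from the forum post, the
block size is an assumption (confirm with: fsstat -f ext4 -o 0 -i raw image).
"""
import struct

BLOCK_SIZE = 4096  # assumed ext4 block size

# Constructed: four of the 21 lines of vgn-Cmn-0-0-ext-2.unalloc-10.srch shown in the post.
SRCH_SAMPLE = """21||AVI LIST|ascii
8362688|8|AVI LIST~
8481440|8|AVI LIST~
19332590|8|AVI LIST2
24152834|8|<*AVI LIST2
"""

# First 128 bytes of "Hex Contents of Unit 8362688", copied from the post's dump.
UNIT_8362688_HEAD = bytes.fromhex(
    "52494646" "641e0000" "41564920" "4c495354"   # RIFF <size> AVI  LIST
    "7e010000" "6864726c" "61766968" "38000000"   # <size> hdrl avih <size>
    "409c0000" "00000000" "00000000" "00090000"   # usec/frame .. flags
    "00000000" "00000000" "02000000" "00000000"   # total frames .. streams ..
    "00030000" "40020000" "00000000" "00000000"   # width height reserved
    "00000000" "00000000" "4c495354" "c0000000"   # LIST <size>
    "7374726c" "73747268" "38000000" "76696473"   # strl strh <size> vids
    "464d5034" "00000000" "00000000" "00000000"   # FMP4 ...
)


def parse_srch(text):
    """Autopsy .srch layout: 'count||keyword|encoding' then 'unit|offset|string' lines."""
    lines = text.splitlines()
    count, _, keyword, encoding = lines[0].split("|", 3)
    hits = [(int(u), int(o), s) for u, o, s in (ln.split("|", 2) for ln in lines[1:] if ln)]
    return keyword, encoding, hits


def riff_offset(unit, off, matched, keyword="AVI LIST", block_size=BLOCK_SIZE):
    """Byte offset of the RIFF magic for a hit: 'AVI LIST' sits 8 bytes after 'RIFF'
    (4 magic + 4 size), and the matched string may start before the keyword."""
    return unit * block_size + off + matched.index(keyword) - 8


def hit_offsets(text, block_size=BLOCK_SIZE):
    """[(unit, riff_offset_in_unalloc, block_aligned)] for every hit in a .srch file.
    A header that is not block aligned deserves a look at the raw bytes before carving."""
    keyword, _, hits = parse_srch(text)
    out = []
    for unit, off, s in hits:
        r = riff_offset(unit, off, s, keyword, block_size)
        out.append((unit, r, r % block_size == 0))
    return out


def parse_avi_header(buf):
    """Decode RIFF header, LIST hdrl, avih and the first strh (AVI spec layout, LE ints)."""
    if buf[0:4] != b"RIFF" or buf[8:12] != b"AVI ":
        raise ValueError("not a RIFF/AVI header")
    riff_size, = struct.unpack_from("<I", buf, 4)
    if buf[12:16] != b"LIST" or buf[20:24] != b"hdrl" or buf[24:28] != b"avih":
        raise ValueError("header does not start with LIST hdrl / avih")
    avih_size, = struct.unpack_from("<I", buf, 28)
    (usec_per_frame, _max_bps, _pad, flags, total_frames, _init,
     streams, _sugg, width, height) = struct.unpack_from("<10I", buf, 32)
    strl = 32 + avih_size                     # first 'LIST strl' follows the avih data
    stream0 = None
    if (buf[strl:strl + 4] == b"LIST" and buf[strl + 8:strl + 12] == b"strl"
            and buf[strl + 12:strl + 16] == b"strh"):
        stream0 = (buf[strl + 20:strl + 24].decode("ascii"),   # fccType
                   buf[strl + 24:strl + 28].decode("ascii"))   # fccHandler
    return {
        "riff_size": riff_size,
        "declared_length": riff_size + 8,     # RIFF size excludes the 8-byte RIFF header
        "fps": 1_000_000 / usec_per_frame if usec_per_frame else None,
        "flags": flags,
        "total_frames": total_frames,
        "streams": streams,
        "width": width,
        "height": height,
        "stream0": stream0,
    }


if __name__ == "__main__":
    for unit, off, aligned in hit_offsets(SRCH_SAMPLE):
        print(f"unit {unit}: RIFF at byte {off} of the .unalloc file, aligned={aligned}")
    print(parse_avi_header(UNIT_8362688_HEAD))
```

The decoded header agrees with what Autopsy's file-type line reported (768 x 576, 25 fps, FMP4 video), but note that it declares a RIFF size of 7780 bytes and a frame count of 0; whether that is a header that was never rewritten at close or something else cannot be told from the page, so the size field is a hint, not a carve length.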

Re: An Avi Video Recovery with SleuthKit

Postby miroRR » Tue May 12, 2015 3:33 pm

I'll take the first hit now.

Code: Select all
Unit 8362688 (Hex - Ascii - Original)
1: 8 (AVI LIST~)


Clicking (or Right-Arrow'ing) on the Hex shows what I searched for, opening it in the bottom right part of the page (or in that frame if those are frames, are they?).

Since all the 21 occurrences, looking them up summarily, show the same kind of pattern, I'll post parts of what is shown in the bottom right part of the page for this hit. I'll post the entire beginning and end, and enough of the remaining parts to allow the right conjecture to be made of the parts not shown, such as that the string "Mplayer jun k da ta!" simply keeps repeating all the way from where it starts at byte 473 IIUC:

Code: Select all
Hex Contents of Unit 8362688 in vgn-Cmn-0-0-ext-2.unalloc

0       52494646 641e0000 41564920 4c495354     RIFF d... AVI  LIST
16      7e010000 6864726c 61766968 38000000     ~... hdrl avih 8...
32      409c0000 00000000 00000000 00090000     @... .... .... ....
48      00000000 00000000 02000000 00000000     .... .... .... ....
64      00030000 40020000 00000000 00000000     .... @... .... ....
80      00000000 00000000 4c495354 c0000000     .... .... LIST ....
96      7374726c 73747268 38000000 76696473     strl strh 8... vids
112     464d5034 00000000 00000000 00000000     FMP4 .... .... ....
128     01000000 19000000 00000000 00000000     .... .... .... ....
144     00000000 00000000 00000000 00000000     .... .... .... ....
160     00034002 73747266 28000000 28000000     ..@. strf (... (...
176     00030000 40020000 01001800 464d5034     .... @... .... FMP4
192     00401400 00000000 00000000 00000000     .@.. .... .... ....
208     00000000 76707270 44000000 00000000     .... vprp D... ....
224     00000000 19000000 00030000 40020000     .... .... .... @...
240     03000400 00030000 40020000 01000000     .... .... @... ....
256     40020000 00030000 40020000 00030000     @... .... @... ....
272     00000000 00000000 00000000 00000000     .... .... .... ....
288     4c495354 6a000000 7374726c 73747268     LIST j... strl strh
304     38000000 61756473 55000000 00000000     8... auds U... ....
320     00000000 00000000 80040000 80bb0000     .... .... .... ....

[...]

336     02000000 04000000 c0030000 00000000     .... .... .... ....
352     00000000 00000000 00000000 73747266     .... .... .... strf
368     1e000000 55000200 80bb0000 70940000     .... U... .... p...
384     80040000 0c000100 02000000 80040100     .... .... .... ....
400     00004c49 53543000 0000494e 464f4953     ..LI ST0. ..IN FOIS
416     46542300 00004d45 6e636f64 65722053     FT#. ..ME ncod er S
432     564e2d72 33373337 33202847 656e746f     VN-r 3737 3 (G ento
448     6f292d34 2e382e34 00004a55 4e4b2e0e     o)-4 .8.4 ..JU NK..
464     00005b3d 204d506c 61796572 206a756e     ..[=  MPl ayer  jun
480     6b206461 74612120 3d5d5b3d 204d506c     k da ta!  =][=  MPl
496     61796572 206a756e 6b206461 74612120     ayer  jun k da ta!
512     3d5d5b3d 204d506c 61796572 206a756e     =][=  MPl ayer  jun

[...]

3936    6b206461 74612120 3d5d5b3d 204d506c     k da ta!  =][=  MPl
3952    61796572 206a756e 6b206461 74612120     ayer  jun k da ta!
3968    3d5d5b3d 204d506c 61796572 206a756e     =][=  MPl ayer  jun
3984    6b206461 74612120 3d5d5b3d 204d506c     k da ta!  =][=  MPl
4000    61796572 206a756e 6b206461 74612120     ayer  jun k da ta!
4016    3d5d5b3d 204d506c 61796572 206a756e     =][=  MPl ayer  jun
4032    6b206461 74612120 3d5d5b3d 204d506c     k da ta!  =][=  MPl
4048    61796572 206a756e 6b206461 74612120     ayer  jun k da ta!
4064    3d5d5b3d 204d506c 61796572 206a756e     =][=  MPl ayer  jun
4080    6b206461 74612120 3d5d5b3d 204d506c     k da ta!  =][=  MPl


The top right part of the page is where this is shown.

The buttons:
Code: Select all
"Previous" "Next"
"Export Contents" "Add Note"


The text:

Code: Select all
ASCII (display - report) * Hex (display - report) * ASCII Strings (display - report)

File Type: RIFF (little-endian) data, AVI, 768 x 576, 25.00 fps, video: FFMpeg MPEG-4, audio: MPEG-1 Layer 3 (stereo, 48000 Hz)

Unit: 8362688
View Original


The fact that I've found what I wanted is not the end of story yet, at all!

Now, all those (display - report) contain links, every display its own corresponding one, and every report its own corresponding one, on the same Unit 8362688 in the corresponding modality (ASCII, Hex or Strings). And it doesn't look to me like those tell anything new that I didn't show in the paste of the Unit above.

But where I think I should get closer to accomplishing my recovery, is the link, for the:

Code: Select all
Unit: 8362688


under:

Code: Select all
View Original


I'll follow that link. It searches a little and replaces that "Unit: 8362688 View Original" text with another text that reads like this:

Code: Select all
Fragment: 175069184
Status: Not Allocated
Group: 5342
Find Meta Data Address


And there is now another link in that new just shown text, and it is under "Find Meta Data Address", and it's quite some anxiety for me. Will this give me the inode of this file?

I follow that new link, but, after a few moments of anxious search, the words "Find Meta Data Address" only get replaced with "Hide Meta Data Address" without the meta data address (or inode in case of an ext4 partition).

EDIT: The search however is, with the appearance of those words, still ongoing, and negative only if "Inode not found" eventually appears, which in this and all later instances was the case.

Nothing to see of the inode number for this file. So the file remains nameless, and to get it out of this partition is not to be such an easy adventure.

Let alone that it may not be one of the avi files that I need to recover.

I think I should now open the "Data Unit" section, and try and find the:

Fragment: 175069184

if I understand correctly that it is at that fragment or data unit (data unit and fragment are the same here, are they?) in the original partition.

I open, from the menu in the top, the "Data Unit", and in it I first "Load Original".

And only then I enter under the

Code: Select all
Fragment Number:
175069184


Nothing more for now do I enter, but just follow "View".

The screen in top right and bottom right is very similar, if not mostly the same (esp. after selecting Hex).

And when selecting display in the parentheses after Hex, I'll check, without bothering the reader...

...I did check it, the only difference between the two is:

Code: Select all
1c1
< Hex Contents of Unit 8362688 in vgn-Cmn-0-0-ext-2.unalloc
---
> Hex Contents of Fragment 175069184 in vgn-Cmn-0-0


And, I almost expect, that, in this original partition view, the "Find Meta Data Address" should give me the inode.

Nope. This is showing:

Code: Select all
Fragment: 175069184
Status: Not Allocated
Group: 5342
Hide Meta Data Address
Inode not found


"Inode not found" it says very frankly and openly.

And "Inode not found" was the case for each and every of the 21 hits.

What now?
Last edited by miroRR on Thu May 14, 2015 8:03 am, edited 1 time in total.

Re: An Avi Video Recovery with SleuthKit

Postby miroRR » Tue May 12, 2015 3:35 pm

I have read the manual pages for some of the Sleuthkit commands.

And I think this recovery would all be much easier to do if I had not deleted the

( this same topic you're reading, the opening post )
http://forum.sleuthkit.org/viewtopic.ph ... 441&#p2620
(where maybe scroll down a screenful)

../DEL/ directory where the files to undelete were.

But maybe I can learn a little more from the inode of that directory?

(I ran the following command outside Autopsy.)

Code: Select all
# ifind -f ext4 -i raw -n "MyVideos/H_All/Oth_1/DEL/" /dev/mapper/vgn-Cmn
24797188


I'll try and see what entering that inode would give me. Entering it where? In "Meta Data".

Entered it. And got these data:

Code: Select all
Pointed to by file:
/1/MyVideos/H_All/Oth_1/DEL (deleted)

File Type (Recovered):
no read permission
MD5 of recovered content:
d41d8cd98f00b204e9800998ecf8427e -

SHA-1 of recovered content:
da39a3ee5e6b4b0d3255bfef95601890afd80709 -

Details:

inode: 24797188
Not Allocated
Group: 3027
Generation Id: 2792681576
uid / gid: 1000 / 1000
mode: drwxr-xr-x
Flags: Extents,
size: 0
num of links: 0

Inode Times:
Accessed: 2015-05-03 22:02:25.381551482 (CEST)
File Modified: 2015-05-04 00:32:57.239619911 (CEST)
Inode Modified: 2015-05-04 00:32:57.239619911 (CEST)
File Created: 2015-05-03 22:02:25.381551482 (CEST)
Deleted: 2015-05-04 00:32:57 (CEST)

Direct Blocks:

Error reading file: Invalid API argument (tsk_fs_attrlist_get: Null list pointer)
Enter number of Fragments to display: 5 "Force" (because the size is 0)


where "Force" is a button with a link underneath, and the 5 is preset, can be changed to any number.

And "Force" doesn't return any more info in the matter.

So, these data about DEL are nice to know, but there's nowhere yet to go from there.

-------------

I'll try something else (and without much of a clue, to be honest).

Back from Case Gallery menu, this time I won't go into the Analyze menu, but go to:

"File Activity Timeline" menu, which I have little idea at this time about.

The opening page says:

Code: Select all
File Activity Timelines

Here you can create a timeline of file activity.
This process requires two steps:

1. Create Data File from file system data  ->  2. Create Timeline from the data file

Use the tabs above to start.


---------------
I'll follow that guideline.

Code: Select all
Here we will process the file system images, collect the temporal data, and save the data to a single file.

1. Select one or more of the following images to collect data from:

[X] /1/ vgn-Cmn-0-0 ext

2. Select the data types to gather:

[ ] Allocated Files [X] Unallocated Files

3. Enter name of output file (body): output/body

4. Generate MD5 Value? [ ]

"OK"

where "OK" is a button, and I followed the link underneath to activate the process.

That was quick. A few seconds delay and the next screen shows:

Code: Select all
Running fls -rd -m on vol1

Body file saved to /Cmn/autopsy/g5nCmn/g5n/output/body

Entry added to host config file

The next step is to sort the data into a timeline.

"OK"


After "OK", the next screen shows:

Code: Select all
Now we will sort the data and save it to a timeline. 1.

Select the data input file (body):

[ ] body

2. Enter the starting date:
None: [ ]
Specify: [ ] [May][1] 2015

3. Enter the ending date:
None: [ ]
Specify: [X] [May] [4] 2015

4. Enter the file name to save as: output/timeline.txt

5. Select the UNIX image that contains the /etc/passwd and /etc/group files:
[None       ]

6. Choose the output format:
[X] Tabulated (normal)
[ ] Comma delimited with hourly summary
[ ] Comma delimited with daily summary

7. Generate MD5 Value? [ ]

"OK"


And that was also superquick:

Code: Select all
Creating Timeline for 2015-05-01..2015-05-04 (Time Zone: )

Timeline saved to /Cmn/autopsy/g5nCmn/g5n/output/timeline.txt

Entry added to host config file

"OK"
(NOTE: It is easier to view the timeline in a text editor than here)


Really, the Autopsy and Sleuthkit get clearer and understandable, only with practice.

However, it is still basically useless, as far as finding those files in this DEL directory (see the opening post of the topic to remember what this recovery is of):
Code: Select all
Sun May 03 2015 22:02:25        0 .a.b d/drwxr-xr-x 1000     1000     24797188 /1/MyVideos/H_All/Oth_1/DEL (deleted)

because none of them is listed. None. There's nothing left in that deleted directory!

So I don't think timeline can be of any use here...

As a sidenote, all this is so consistent: "File Analysis" saw nothing underneath that DEL directory, "Inode not found" was the result for the search of the metadata for all the initial data units (or initial fragments) of the found AVI files, and now the Timeline repeats what the other two quests already confirmed.

There must be a way to go and recover those AVI files, as all of them bear the "Not allocated" mark by Autopsy!

What now?
Last edited by miroRR on Wed May 20, 2015 4:07 pm, edited 2 times in total.
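Added example, not from the post and not an Autopsy feature: one answer to "What now?" once every hit says "Inode not found" and the DEL inode shows size 0 and no block list. ext4 releases an inode's extent tree when the file is unlinked, so the freed inode no longer records which blocks it owned, and `ifind -d`/`istat` have nothing to follow back; that leaves carving by signature from the `.unalloc` image, on the assumption that each AVI was stored contiguously (a fragmented file carves out broken). The image below is constructed in memory so the code runs offline; on the real case you would `mmap` the `.unalloc` file and seed `find_avi_headers` with the offsets from the `.srch` file rather than scanning 100 GB byte by byte. Block size 4096 is assumed, and the remark about writers patching the header at close is my reading of the zero frame count in the posted dump, not something the post states.

```python
"""Carve AVI candidates out of a blkls .unalloc image by RIFF signature.

Added example with a constructed sample image; nothing here is Autopsy code.
"""
import os
import struct
import tempfile

BLOCK = 4096                     # assumed ext4 block size
RIFF = b"RIFF"
AVI_FORM = b"AVI "
JUNK = b"[= MPlayer junk data! =]"  # the padding pattern seen in the post's dump


def make_avi_header(riff_size, total_frames, width=768, height=576):
    """Constructed 88-byte 'RIFF AVI LIST hdrl avih' prefix laid out like the posted dump."""
    avih = struct.pack("<10I", 40000, 0, 0, 0x900, total_frames, 0, 2, 0, width, height)
    avih += b"\0" * 16                                   # dwReserved[4]
    hdrl = b"hdrl" + b"avih" + struct.pack("<I", len(avih)) + avih
    return (RIFF + struct.pack("<I", riff_size) + AVI_FORM
            + b"LIST" + struct.pack("<I", len(hdrl)) + hdrl)


def pad_to(data, size):
    """Fill with the JUNK pattern up to `size` bytes (the filler contains no 'RIFF')."""
    fill = (JUNK * (size // len(JUNK) + 1))[: size - len(data)]
    return data + fill


def build_sample_image():
    """Stand-in for the .unalloc file: header A with frame count 0 and the 7780-byte
    RIFF size from the post, header B finalized at 5000 bytes, then an empty block."""
    a = pad_to(make_avi_header(7780, 0), 3 * BLOCK)
    b = pad_to(make_avi_header(5000 - 8, 250), 2 * BLOCK)
    return a + b + b"\0" * BLOCK


def find_avi_headers(buf):
    """[(offset, block_aligned)] for every 'RIFF....AVI ' signature in buf.
    An unaligned candidate (cf. the '<*AVI LIST2' hit) deserves a look before carving."""
    found = []
    pos = buf.find(RIFF)
    while pos != -1:
        if buf[pos + 8:pos + 12] == AVI_FORM:
            found.append((pos, pos % BLOCK == 0))
        pos = buf.find(RIFF, pos + 1)
    return found


def carve_length(buf, off, next_off, cap):
    """Bytes to cut for the header at `off`. The RIFF size field counts everything
    after the 8-byte RIFF header, so a finalized file is riff_size + 8 bytes long.
    A zero dwTotalFrames (as in the posted dump) suggests the header was never
    patched at close, so the size is untrusted: cut up to the next header, bounded by cap."""
    riff_size, = struct.unpack_from("<I", buf, off + 4)
    total_frames, = struct.unpack_from("<I", buf, off + 48)
    limit = min(next_off - off, cap)
    declared = riff_size + 8
    if total_frames == 0 or declared > limit:
        return limit
    return declared


def carve_avis(buf, out_dir, cap=1 << 30):
    """Write one file per candidate; returns [(path, offset, length)]."""
    heads = find_avi_headers(buf)
    results = []
    for i, (off, aligned) in enumerate(heads):
        next_off = heads[i + 1][0] if i + 1 < len(heads) else len(buf)
        n = carve_length(buf, off, next_off, cap)
        name = f"carved_{off:012d}{'' if aligned else '_unaligned'}.avi"
        path = os.path.join(out_dir, name)
        with open(path, "wb") as f:
            f.write(buf[off:off + n])
        results.append((path, off, n))
    return results


def demo(out_dir=None):
    """Run the carver over the constructed image; returns [(path, offset, length)]."""
    out_dir = out_dir or tempfile.mkdtemp(prefix="avi_carve_")
    return carve_avis(build_sample_image(), out_dir)


if __name__ == "__main__":
    for path, off, n in demo():
        print(f"{path}: offset {off}, {n} bytes")
```

Whatever comes out still has to be checked (`file` on each carve, as Autopsy did for the unit, then a player); the header-only remnant with the 7780-byte size is kept rather than dropped because only a human can tell a stale header from a file that simply was not finalized.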
