Recover removed /var/log directory


Status
This thread has been solved! Go to solution…

banderas20

#1
Hello,

I am investigating a set of raw dumps from a Linux system. When I mount the dumps, I can't seem to find the /var/log directory, nor its files.

It seems it has been removed on purpose.

Is there any way to recover them?

I am using Autopsy software, and I can't find anything in removed files nor in Carved files...

Thanks in advance!
 

azuleonyx

#4
Well, the issue is: complete disk image or missing empty space. Autopsy will show deleted files if it can find them; though, if not, then you'll have to do some different file carving.
 

azuleonyx

#6
Those file names are probably in the form of fxxxxxx.txt (or some other extension). I find these to be partially recovered files. You would need to do a keyword search in Autopsy to locate relevant files.
 

banderas20

#7
Hi!

Yes. Indeed. I dug into the carved files directory and found files with the relevant content. Then I extracted the files and was able to recover some data.

Many thanks!
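
The keyword search over carved files described in this thread can also be scripted once the carved files are exported to a directory. The following is an added example, not part of the original posts: it assumes the lost logs used the classic syslog line format, and the file names and log lines in `build_sample` are constructed.

```python
import re
import tempfile
from pathlib import Path

# Classic syslog line: "Apr 23 10:15:01 host proc[pid]: message" (assumed format)
SYSLOG_RE = re.compile(
    rb"(?:Jan|Feb|Mar|Apr|May|Jun|Jul|Aug|Sep|Oct|Nov|Dec) [ 1-3]\d "
    rb"\d{2}:\d{2}:\d{2} [\w.-]+ [\w./-]+(?:\[\d+\])?: [\x20-\x7e]+"
)

def extract_syslog_lines(data):
    """Return syslog-style lines found anywhere in a byte blob, binary junk ignored."""
    return [m.group().decode("ascii") for m in SYSLOG_RE.finditer(data)]

def rank_carved_files(carved_dir, keywords=()):
    """Return (file name, log lines) pairs, files with the most hits first."""
    # Optional keywords narrow the hits to lines containing any of them.
    wanted = [k.lower() for k in keywords]
    results = []
    for path in sorted(Path(carved_dir).iterdir()):
        if not path.is_file():
            continue
        # Carved fragments are small; a whole raw image would need chunked reads.
        lines = extract_syslog_lines(path.read_bytes())
        if wanted:
            lines = [l for l in lines if any(k in l.lower() for k in wanted)]
        if lines:
            results.append((path.name, lines))
    return sorted(results, key=lambda r: len(r[1]), reverse=True)

def build_sample(carved_dir):
    """Write constructed sample carved files (not real evidence)."""
    d = Path(carved_dir)
    (d / "f0001234.txt").write_bytes(
        b"\x00\x00junk\xff"
        b"Apr 23 10:15:01 web01 sshd[2211]: Accepted password for root from 192.0.2.10\n"
        b"Apr 23 10:15:09 web01 sudo: root : TTY=pts/0 ; COMMAND=/bin/rm -rf /var/log\n"
        b"\x00\x00"
    )
    (d / "f0005678.txt").write_bytes(
        b"Apr  3 02:00:00 web01 CRON[901]: (root) CMD (run-parts)\n")
    (d / "f0009999.txt").write_bytes(b"\x89PNG\r\n\x1a\n not a log at all")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, lines in rank_carved_files(tmp):
            print(name, len(lines), lines[0])
```

Point `rank_carved_files` at a copy of the exported carved files, never at the original evidence.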
 