Date: Wed, 14 Nov 2007 07:18:48 -0500
From: Bill Vermillion
To: Fernando Schapachnik
Cc: freebsd-fs@freebsd.org, Dag-Erling Smørgrav
Subject: Re: Undeleting (possible?)
Message-ID: <20071114121848.GB15035@wjv.com>

Fernando Schapachnik, the prominent pundit, on Wed, Nov 14, 2007 at 08:56
while half mumbling, half-witicized:

> In a previous message, Dag-Erling Smørgrav wrote:
> > Fernando Schapachnik writes:
> > > Now I want to recover xMail (contains mbox files). sleuthkit only
> > > finds Mail/xMail with no content. It also doesn't find any of the
> > > contained mboxes.
> > Try Lazarus instead.
> Have any URL or package name? Found lots of references but no
> way to actually get it.

In /usr/ports/sysutils/tct you will find "The Coroner's Toolkit".
Lazarus is part of that program. Do NOT confuse it with lazarus
in the editors.

You need to unmount what you have so you don't lose any more files.

Lazarus will go ahead and recover only blocks with data, which
makes it nicer than dd which will take everything off the disk
including unused blocks.

The data will be saved in sets of files which can be viewed in
HTML, or read directly with editors.

You need some space to put the data ON ANOTHER FILESYSTEM - or
on another drive - as you can't put it on the drive you are trying
to recover - as you will over-write the data you are trying to get.
I don't even recall if it will let you do that.

It is not a newbie program. It was written by Wietse Venema and
Dan Farmer.

The program in the ports is 1.16. So you probably want to go to
http://www.porcupine.org/forensics to get 1.18

So it's not really in the ports anymore - I just checked.

Bill

-- 
Bill Vermillion - bv @ wjv . com
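
The block-by-block idea discussed in this message, as an added example that is not part of the original post and is not Lazarus's code or algorithm: it classifies the raw blocks of an image and reports runs of blocks that look like mbox mail. The 1024-byte block size, the heuristics, the function names and the sample image are all assumptions constructed for the illustration.

```python
import re

BLOCK_SIZE = 1024  # assumed block size for this illustration

# mbox separator line, e.g. "From user@host Wed Nov 14 07:18:48 2007"
MBOX_FROM = re.compile(
    rb"^From \S+ +(Mon|Tue|Wed|Thu|Fri|Sat|Sun) +[A-Z][a-z]{2} +\d{1,2} +"
    rb"\d{2}:\d{2}:\d{2} +\d{4}", re.MULTILINE)
HEADER = re.compile(rb"^(Received|Return-Path|Message-ID|Subject|Date): ",
                    re.MULTILINE | re.IGNORECASE)

def classify_block(block: bytes) -> str:
    """Return 'empty', 'mail', 'text' or 'binary' for one raw block."""
    if not block.strip(b"\x00"):
        return "empty"                       # unused block: nothing to keep
    data = block.rstrip(b"\x00")             # ignore padding in a final block
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    if printable / len(data) < 0.9:
        return "binary"
    if MBOX_FROM.search(data) or len(HEADER.findall(data)) >= 2:
        return "mail"
    return "text"

def scan_image(image: bytes, block_size: int = BLOCK_SIZE):
    """Yield (block_number, kind) for every block that holds data."""
    for off in range(0, len(image), block_size):
        kind = classify_block(image[off:off + block_size])
        if kind != "empty":
            yield off // block_size, kind

def mail_runs(image: bytes, block_size: int = BLOCK_SIZE):
    """Return (first, last) block runs that start at a mail block."""
    runs = []
    for num, kind in scan_image(image, block_size):
        adjacent = bool(runs) and runs[-1][1] == num - 1
        if kind in ("mail", "text") and adjacent:
            runs[-1][1] = num                # message continues in this block
        elif kind == "mail":
            runs.append([num, num])          # a new run starts here
    return [tuple(r) for r in runs]

def sample_image() -> bytes:
    """Constructed image: empty, 2-block message, binary, empty, text."""
    pad = lambda d: d + b"\x00" * (-len(d) % BLOCK_SIZE)
    msg = (b"From bv@example.org Wed Nov 14 07:18:48 2007\n"
           b"Subject: constructed sample\n\n" + b"body line of text\n" * 70)
    return (b"\x00" * BLOCK_SIZE + pad(msg) + bytes(range(256)) * 4
            + b"\x00" * BLOCK_SIZE + pad(b"plain notes, not mail\n"))
```

Run it against a read-only copy of the image and write any extracted blocks to a different filesystem than the one being examined.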