On 6 July 2006, vladas <[EMAIL PROTECTED]> wrote:
[...]
> I was not clear enough in the first place: due to the first 10Mb being
> gone, I do not expect to find any valid fs anymore. What I still hope
> for are individual files from the 3Gb image file that I have. I mean
> e.g. exe's, or dll's, zip's, lha's etc should have their size written
> in them or their data structures, not only fs, as well.
>
> So that e.g. for exe's I would find their "MZ" beginning chars, size
> after them and seek until the end by the size.
[...]
There are normally two copies of FAT. I'm too lazy to check how
large they should be for a 3 GB fs, but I guess you erased both.
Looking for signatures like MZ and PK will get you the first
block in a file. Without FAT however you won't be able to locate
any subsequent blocks. Depending on how fragmented the fs was when
you erased the FAT, there is a tiny chance some of the blocks are
contiguous, but that's just about all you can hope for.
You can try lazarus from Wietse Venema's Coroner Toolkit:
http://www.porcupine.org/forensics/tct.html
However, like I said, I doubt you'll get very far without FAT.
Regards,
Liviu Daia
--
Dr. Liviu Daia http://www.imar.ro/~daia
