Entries filed under 'DOD Cyber Crime Conference'
EXT3 File Recovery via Indirect Blocks
Recovering complete file images from unallocated space on Linux systems can be a tricky problem. The EXT3 metadata structures-<em>index nodes</em> or <em>inodes</em> for short-are mostly zeroed out when they are deallocated. During this process, all of the inode's block pointers (that would normally be used to access the file data when the file was allocated) are lost. The original file contents will still exist in unallocated data blocks in the file system-at least until those blocks are reused-but there's no "map" to reconstruct those data blocks into the original file.