Re: Recovering a loop-AES encrypted root partition

Hi Andreas

Using "The Coroner's Toolkit" on the encrypted device might also help you, but 
it's a long shot:

http://www.porcupine.org/forensics/tct.html

You use it for recovering information, generally after remote break-ins, but 
it could be useful here too.

Regards and best wishes,

Justin Clift


On Friday 22 February 2002 10:41, Emil wrote:
> On 21 February 2002, Andreas Schreier <a_schreier@firemail.de> wrote:
> > How can I find out which blocks are intact and which are not
> > intact? Does the filename and directory of the file I want
> > to recover help? Thanks a lot for your help. I had no idea
> > how to cope with the situation but you give me some hope!
>
> If you didn't do any other operation on your partition (as you
> said in your post) then ALL the data blocks are intact.
> The problem is that you won't be able to tell which is a
> used block and which is not; nor can you tell which file
> each of the blocks belonged to, or the file names and sizes.
> The only way to recover that data is to manually examine the content
> of each block. Of course you could use "grep" to find specific
> strings in your blocks (or other tools).
>
> If I were in your place, I would run the following script
> (of course, after you've provided the right password to losetup):
> ----
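> #!/bin/sh
>
> # Dump the decrypted loop device into one file per 1 KiB block (0.blk, 1.blk, ...)
> I=0
> while [ 1 ]; do
>   # dd prints "1+0 records in" after reading one full block; stop when it does not
>   dd if=/dev/loop5 of=$I.blk bs=1024 count=1 skip=$I 2>&1 | grep -q "1+0" || break
>   I=$((I+1))
> done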
> ----
> This will create a file for each block with the block number as the
> file name. If your partition is big, it is a good idea to complicate
> the script and put only a limited number of files per directory.
>
> Blocks in a file tend to be consecutive, so you might be able to recover at
> least all your text files (use cat to join the blocks together). The size
> of the recovered files will, however, be a multiple of 1k and you'll need to
> load them in an editor and cut the garbage from the end.
-
Linux-crypto:  cryptography in and on the Linux system
Archive:       http://mail.nl.linux.org/linux-crypto/
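
The grep-and-join approach described in the thread, as an added example that is not part of the original messages: it finds the 1 KiB blocks containing a known string and carves the run of consecutive text blocks around each hit, rather than writing one file per block. The function names, the keyword and the sample image are constructed for illustration; it assumes GNU grep and coreutils, and on a real system the image argument would be the decrypted loop device (/dev/loop5 in the thread).

```shell
#!/bin/sh
# Added example (assumptions: GNU grep/coreutils; all names below are hypothetical).
BS=1024

# hit_blocks IMAGE STRING: numbers of the blocks that contain STRING, one per line.
hit_blocks() {
  LC_ALL=C grep -a -b -o -F -e "$2" "$1" | cut -d: -f1 |
    while read -r off; do echo $((off / BS)); done | sort -n -u
}

# is_text_block IMAGE N: true if block N holds some printable text and nothing else
# except NUL padding (so the final, partly filled block of a file still qualifies).
is_text_block() {
  text=$(dd if="$1" bs=$BS skip="$2" count=1 2>/dev/null | LC_ALL=C tr -d '\000' | wc -c)
  bad=$(dd if="$1" bs=$BS skip="$2" count=1 2>/dev/null |
        LC_ALL=C tr -d '\000\011\012\015\040-\176' | wc -c)
  [ "$text" -gt 0 ] && [ "$bad" -eq 0 ]
}

# text_run IMAGE N: print "FIRST LAST" of the consecutive text blocks around block N.
text_run() {
  first=$2; last=$2
  while [ "$first" -gt 0 ] && is_text_block "$1" $((first - 1)); do first=$((first - 1)); done
  while is_text_block "$1" $((last + 1)); do last=$((last + 1)); done
  echo "$first $last"
}

# carve IMAGE FIRST LAST OUT: copy blocks FIRST..LAST into OUT (size is a multiple of 1k).
carve() {
  dd if="$1" of="$4" bs=$BS skip="$2" count=$(($3 - $2 + 1)) 2>/dev/null
}

# make_sample OUT: constructed 8-block image with one text file in blocks 2-4.
make_sample() {
  {
    head -c 2048 /dev/zero | LC_ALL=C tr '\000' '\377'   # blocks 0-1: binary data
    head -c 1500 /dev/zero | tr '\000' 'a'               # text file starts in block 2
    echo 'meeting notes KEYWORD-2002'                    # the string we search for
    head -c 1000 /dev/zero | tr '\000' 'b'
    head -c 545 /dev/zero                                # NUL slack after end of file
    head -c 3072 /dev/zero | LC_ALL=C tr '\000' '\377'   # blocks 5-7: binary data
  } > "$1"
}

# Demo on the constructed image.
img=$(mktemp); out=$(mktemp -d); make_sample "$img"
for b in $(hit_blocks "$img" KEYWORD-2002); do
  set -- $(text_run "$img" "$b"); carve "$img" "$1" "$2" "$out/blocks_$1-$2.txt"
  echo "blocks $1-$2 -> $out/blocks_$1-$2.txt"
done
```

The carved file still ends with the slack of its last block, which is the garbage the thread says to cut off in an editor.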