Don’t confuse with dd_rescue, upon which is based, but which offers far less capabilities.

Also, when using ddrescue, do *not* write the image to an ntfs formatted disk using the ntfs-3g driver, it’ll go as slow as hell, and probably wear out your disk even faster. This is not the fault of ddrescue, just the fact that it seeks in the output file, and writes small amounts at a time

(Imagine trying to get that level of help for say Norton Ghost!)

Let me know if you need any help building with the patch etc … doesn’t sound like it should be too much pain.

Sleuthkit 3.2.0 on Ubuntu 11.04

sudo apt-get install libewf1 libewf-dev zlib1g-dev build-essential libexpat1-dev libfuse2 libfuse-dev fuse-utils gvfs-fuse libncurses5-dev libreadline-dev uuid-dev libssl-dev

Download and extract afflib from http://afflib.org/ and run:
./configure
make
sudo make install

Download and extract Sleuthkit from http://www.sleuthkit.org/sleuthkit/download.php

Download and extract http://www.williballenthin.com/ext4/TSK-Ext4.patch

Apply the patch (sleuthkit-3.2.1 and TSK-Ext4.patch are in the same folder)

cd sleuthkit-3.2.1
patch -p1 < ../TSK-Ext4.patch

After that run:
./configure
make
sudo make install

- – -
Hey Rogério,

A few months ago, I wrote up a set of patches that bring basic Ext4 support to TSK. Specifically, it updates the inode structures (creation timestamps, yay!) and adds support for extents. You (and all others) are welcomed to give it a shot. You can download it here: http://www.williballenthin.com/ext4/TSK-Ext4.patch (MD5: 3ba1d239bdc6048f0aeeba0447315346).

You’ll need to patch TSK version 3.2.1 source, and then build it. However, with this done, the standard metadata and content layer tools worked against my test Ext4 images. I will admit, however, that my testing was not very thorough, so your mileage my vary.

I have submitted the patches to Brian; however, I suspect that since I have not fully implemented all the new features of Ext4 (huge files, journaling changes, …), it has not been included in the most recent update.

Please let me know if you have any questions. I’ll try to provide support as best I can, and as time allows

Willi Ballenthin
- – -

I’ll give it a try and post the results, okay?

In the code above, “/dev/hda1″ is the mounted image you’ve cloned from your damaged partition, isn’t it?

Yes … although that’s altered from what I actually did. I used dd to byte-by-byte copy the disk (/dev/xxx) to an image on my local drive – dd provides some nice options like “noerror” which forces copying even on I/O problems: cf. dd manual page). That way I didn’t risk damaging the disk further by forcing it to spin etc!

And “/mnt/out” is the folder you’ve created to place the data from the image, is that correct?

Yes.

Well the filesystem in the case is ext4. So I put “-i ext4″ to the mix and got this:
“Unsupported image type: ext4″

Mate, I’m really sorry. Sounds like ext4 (which if you’re not aware, is a relatively recent FS) isn’t supported – and probably won’t be for a while. It’s partially for this reason I’m sticking with ext3 for the time being …

Do you know anything else I can do?

Yes. Don’t give up It took me 3 days to get anything off the hard-drive I looked at!

Keep an eye out for new Sleuthkit releases … it’s as always only a matter of time …

Other people also suggeset this:
http://www.cgsecurity.org/wiki/TestDisk

As always, YMMV

Let me know if you have any success, I’d be delighted to know!

- – -

While trying to identify the inodes, I got this:
“Cannot determine file system type”

Well the filesystem in the case is ext4. So I put “-i ext4″ to the mix and got this:
“Unsupported image type: ext4″

A little search finished to broke my heart:
Ext4 is the modern replacement for Ext3, which is beginning to appear as the default install option for many Linux distributions. Currently, the Sleuth Kit does not have proper Ext4 support, but some tasks do work. For example, running ils against a specifc inode will still return expected results, but fs will exhibit inconsistent behavior. This is because the metadata structures have remained consistent with those found in an Ext2/Ext3 fle system, but the data unit layer has changed quite dramatically.