Handbook of Computer Crime Investigation: Forensic Tools and Technology

Keith K. Seglem
Of all the tasks involved in computer forensics, and especially in a Unix environment, the recovery and reconstruction of the data involved can seem to be one of the most challenging problems, so much so that it frequently seems insurmountable. Even for a very experienced system administrator, these are not frequently encountered tasks. For the forensic examiner these tasks can be even more problematic because of unfamiliarity with the configuration or details of whatever system is being examined. This can be further complicated by a lack of knowledge on the part of the individuals involved with the system itself.
For example, the data being examined may be a backup created automatically across a network, with scripts written by former administrators. The backup may be meant to be restored by local procedures, not necessarily compatible anywhere else. The original creators of these procedures may have moved on and no longer be available to answer questions. Also, information written on the media to be examined may be incomplete or at times even incorrect, whether by oversight or by design.
The aim of the following sections is to help examiners find a starting point for analysis in the Unix environment. The recovery of critical data can take many forms and is usually approached in many stages, not the least of which is ensuring that the media are physically ready to be worked on. [1] Successive stages include imaging the original data, extracting the data from...