Are you wanting to recover those files? If so, you might want to try using a utility called TCT to recover those lost files. There are some great examples on using TCT if you read through some of the papers on http://project.honeynet.org

-----Original Message-----
From: Ovanes Manucharyan [mailto:ovanes_mat_private]
Sent: Wednesday, June 06, 2001 2:14 AM
To: forensicsat_private
Subject: INODES: recovering a file in a particular directory

Hi,

This is with a Solaris 8, on Ultra 5, with UFS.

I have a compromised host, which shows a recent /usr/lib/ modification date. I assume that something was added to this directory, however, after a thorough check, I am led to believe that whatever was added was also removed.

Would the file being in /usr/lib narrow down the number of inodes I have to search through? I seem to remember that in UFS a new file gets added to the same cylinder group (if possible) as the directory is in.

Sincerely,
Ovanes
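
Added example, not part of either message above: one way to narrow the search described in the question, by keeping only removed inodes that fall in the directory's cylinder group and were deleted near the directory's modification time. It assumes a listing of unallocated inodes in the pipe-delimited layout of TCT's ils; the sample listing, the directory inode number, the ipg value and the timestamps are all constructed for illustration.

```python
# Constructed sample in the pipe-delimited layout assumed for TCT's ils output.
SAMPLE_ILS = """\
class|host|device|start_time
ils|victim|/dev/rdsk/c0t0d0s6|991818000
st_ino|st_alloc|st_uid|st_gid|st_mtime|st_atime|st_ctime|st_dtime|st_mode|st_nlink|st_size|st_block0|st_block1
7301|f|0|0|991790000|991790100|991790000|991790200|100755|0|18432|120400|120401
7450|f|0|0|980000000|980000000|980000000|980000500|100644|0|512|121000|0
15002|f|0|0|991790050|991790060|991790050|991790210|100644|0|2048|250000|0
"""


def cg_inode_range(dir_inode, ipg):
    """Return (cg, first_inode, last_inode) for the cylinder group holding dir_inode.

    UFS numbers inodes consecutively per group, so cg = inode // ipg, where ipg
    (inodes per group) comes from the superblock, e.g. as printed by fstyp -v.
    """
    cg = dir_inode // ipg
    return cg, cg * ipg, (cg + 1) * ipg - 1


def candidates(ils_text, dir_inode, ipg, dir_mtime, window=3600):
    """Removed inodes in the directory's cylinder group, deleted within
    `window` seconds of the directory's mtime, closest first."""
    _, lo, hi = cg_inode_range(dir_inode, ipg)
    lines = [l for l in ils_text.splitlines() if l.strip()]
    # Locate the column header row instead of hard-coding field positions.
    hdr = next(i for i, l in enumerate(lines) if l.startswith("st_ino|"))
    cols = lines[hdr].split("|")
    hits = []
    for row in lines[hdr + 1:]:
        rec = dict(zip(cols, row.split("|")))
        ino, dtime = int(rec["st_ino"]), int(rec["st_dtime"])
        in_group = lo <= ino <= hi
        near_change = abs(dtime - dir_mtime) <= window
        if rec["st_alloc"] == "f" and in_group and near_change:
            hits.append((ino, dtime, int(rec["st_size"])))
    return sorted(hits, key=lambda h: abs(h[1] - dir_mtime))


if __name__ == "__main__":
    # Hypothetical values: /usr/lib is inode 7296, ipg is 3648.
    print(cg_inode_range(7296, 3648))
    for ino, dtime, size in candidates(SAMPLE_ILS, 7296, 3648, 991790200):
        print(f"inode {ino} deleted at {dtime}, {size} bytes")
```

Same-group placement is only a preference ("if possible"), so an empty result in the directory's group means widening the search to the other groups, not that nothing was removed.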
This archive was generated by hypermail 2b30 : Wed Jun 06 2001 - 13:00:43 PDT