Hello,
I just read the SANS Institute paper: http://www.sans.org/reading_room/whitepapers/forensics/advantage-ext3-journaling-file-system-forensic-investigation_2011
In summary, the author recovers a deleted file's blocks through the ext3 journal and, with the use of dd, manages to recover the entire file (the inode of the file to be recovered was previously saved to simplify the proof of concept).
My question is, instead of going through this complicated procedure of tracking blocks, couldn't the author have just done a physical acquisition of the partition in question and run a file carving procedure on it?
What are the differences between these two methods?
Thanks!
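The following is an added illustration of the difference the question is asking about; it is not code from the post or from the linked SANS paper. It builds a constructed toy disk image with a made-up block size and made-up header/footer signatures (all assumptions, not ext3 values), lays out one contiguous and one fragmented file, and then contrasts signature-based carving, which knows nothing about block allocation, with recovery that follows the block pointers an inode (or its journal copy) records.

```python
"""
Added illustration, not from the linked SANS paper or the original post:
a constructed toy disk image contrasts signature-based file carving with
recovery that follows an inode's block pointers (the information a journal
copy of the inode preserves). Block size and signatures are assumptions.
"""

BLOCK_SIZE = 64          # assumption: tiny blocks keep the image readable
HEADER = b"HDR!"         # assumption: made-up file-type signature
FOOTER = b"!END"         # assumption: made-up end-of-file marker


def make_image(n_blocks: int) -> bytearray:
    """Return an empty (zero-filled) constructed disk image."""
    return bytearray(BLOCK_SIZE * n_blocks)


def write_blocks(image: bytearray, data: bytes, block_nums: list) -> None:
    """Write `data` into the listed blocks in order, as a filesystem does when
    a file is fragmented; the final block is zero-padded."""
    for i, blk in enumerate(block_nums):
        chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
        image[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = chunk


def carve(image: bytes) -> list:
    """Signature-based carving: take everything from each header up to the
    next footer. Carving has no allocation metadata, so it implicitly assumes
    the file is stored contiguously."""
    found, pos = [], 0
    while True:
        start = image.find(HEADER, pos)
        if start < 0:
            return found
        end = image.find(FOOTER, start)
        if end < 0:
            return found
        found.append(bytes(image[start:end + len(FOOTER)]))
        pos = end + len(FOOTER)


def recover_by_block_pointers(image: bytes, block_nums: list, size: int) -> bytes:
    """Inode-style recovery: follow the block list the inode (here, its
    journal copy) recorded, then truncate to the recorded file size."""
    out = b"".join(image[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] for b in block_nums)
    return bytes(out[:size])


def build_scenario():
    """Lay out one contiguous file and one fragmented file, with an unrelated
    block (another file's data) sitting in the gap of the fragmented one."""
    image = make_image(16)
    contiguous = HEADER + b"A" * 100 + FOOTER   # 108 bytes -> 2 blocks
    fragmented = HEADER + b"B" * 100 + FOOTER   # 108 bytes -> 2 blocks
    junk = b"Z" * BLOCK_SIZE                    # constructed foreign data
    write_blocks(image, contiguous, [2, 3])     # contiguous allocation
    write_blocks(image, fragmented, [6, 9])     # fragmented: gap at 7, 8
    write_blocks(image, junk, [7])
    return image, contiguous, fragmented


def compare() -> dict:
    """Run both recovery approaches over the constructed image."""
    image, contiguous, fragmented = build_scenario()
    carved = carve(image)
    return {
        "carved_count": len(carved),
        "carving_recovers_contiguous": carved[0] == contiguous,
        "carving_recovers_fragmented": carved[1] == fragmented,
        "carved_fragment_contains_foreign_data": b"Z" in carved[1],
        "pointer_recovery_matches": (
            recover_by_block_pointers(image, [6, 9], len(fragmented)) == fragmented
        ),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key}: {value}")
```

On this toy image, carving reproduces the contiguous file exactly but returns a corrupted version of the fragmented one (it swallows the foreign block between the header and the footer), whereas following the inode's block list rebuilds the fragmented file correctly. That is the practical trade-off behind the question: carving needs only the raw partition image and a known signature, while journal/inode-based recovery needs surviving metadata but copes with fragmentation and with file types that have no recognisable signature.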