26 Aug
2013
26 Aug
'13
20:14
On 8/26/2013 3:27 PM, Greg Freemyer wrote:
So this command now dumps a list of NTFS shadow volumes in a partition:
vshadowinfo -o $((10#$offset * 512)) /dev/sdb
- offset comes from the output of mmls /dev/sdb and some bash manipulation
- mmls comes from sleuthkit (in the main repo)
vshadowinfo is new to factory. (zypper in libvshadow-tools)
Then vshadowmount can be used to create virtual devices corresponding to the VSCs (volume shadow copies). Those in turn can be mounted loopback to access the files inside the VSCs.
That is outstanding! -- bkw -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org