#archiveteam-bs 2019-09-02,Mon

↑back Search

Time Nickname Message
00:20 🔗 achip has joined #archiveteam-bs
00:20 🔗 Ryz has joined #archiveteam-bs
00:20 🔗 Somebody2 has joined #archiveteam-bs
00:20 🔗 irc.Prison.NET sets mode: +o Somebody2
00:20 🔗 Fusl__ sets mode: +o Ryz
00:20 🔗 Fusl sets mode: +o Ryz
00:20 🔗 Fusl_ sets mode: +o Ryz
00:20 🔗 svchfoo1 sets mode: +o Ryz
01:19 🔗 BlueMax has joined #archiveteam-bs
03:15 🔗 Quirk8 has quit IRC (END OF LINE)
03:26 🔗 qw3rty119 has joined #archiveteam-bs
03:28 🔗 Quirk8 has joined #archiveteam-bs
03:29 🔗 qw3rty118 has quit IRC (Ping timeout: 612 seconds)
03:33 🔗 Quirk8 has quit IRC (END OF LINE)
03:47 🔗 pew has quit IRC (Quit: WeeChat 1.6)
03:55 🔗 odemgi_ has joined #archiveteam-bs
03:57 🔗 odemgi has quit IRC (Read error: Operation timed out)
04:04 🔗 pew has joined #archiveteam-bs
04:06 🔗 fredgido has quit IRC (Remote host closed the connection)
04:07 🔗 fredgido has joined #archiveteam-bs
04:36 🔗 katocala has quit IRC (Read error: Operation timed out)
05:39 🔗 davie has joined #archiveteam-bs
05:40 🔗 davie I'm terribly sorry to bother you all, but I would like to ask: what's the best program to recover files from a 10TB WD drive originally NTFS and mistakenly formatted as exfat? active@ doesn't work. I'm thinking file carving using windows or solaris
05:40 🔗 davie Also your wiki is very informative and well written.
06:12 🔗 Raccoon I've been using Recuva (https://www.ccleaner.com/recuva) for years, but it's not as common a task that I encounter anymore. I had used WinHex prior.
06:17 🔗 Raccoon I would be surprised if a piece of software didn't exist that could identify filetype headers and footers and piece together data unfragmented sequential data.
06:21 🔗 Raccoon oh, you might want to try TestDisk. I've had a lot of harrowing luck in the past. But you'll need to know a thing or two about disks, partitions, volumes, etc. https://www.cgsecurity.org/wiki/TestDisk
06:34 🔗 davie has quit IRC (Ping timeout: 260 seconds)
06:53 🔗 davie has joined #archiveteam-bs
06:53 🔗 davie weird, booted
08:02 🔗 deevious has joined #archiveteam-bs
08:03 🔗 Raccoon davie: did you lose my response?
10:24 🔗 h3ndr1k has quit IRC (Ping timeout: 745 seconds)
11:14 🔗 luckcolor has joined #archiveteam-bs
11:52 🔗 katocala has joined #archiveteam-bs
11:56 🔗 JAA davie: Whatever you do, make a full block-level copy of the entire drive and only operate on that copy.
11:59 🔗 katocala has quit IRC ()
12:17 🔗 BlueMax has quit IRC (Quit: Leaving)
12:32 🔗 katocala has joined #archiveteam-bs
12:59 🔗 h3ndr1k has joined #archiveteam-bs
14:37 🔗 deevious has quit IRC (Quit: deevious)
14:46 🔗 davie I received no reply Raccoon , I'm sorry.
14:47 🔗 davie JAA I was going to DD the drive, but 10TB is difficult to manage. Hopefully it completes soon.
14:47 🔗 eythian you could split it into say 2TB chunks or whatever's easiest to work with
14:47 🔗 davie That's a great idea thank you
14:47 🔗 eythian you will miss things that span the boundaries (unless you deliberately overlap), so be aware of that.
14:48 🔗 JAA (If you'd like to hang out here more often, I'd suggest you get a proper IRC client instead of using EFnet's crappy webchat thingy.)
15:01 🔗 Raccoon davie: message query sent with 3 lines of chat history
15:03 🔗 Raccoon not sure how reasonable it is to make sector perfect copy of a 10 TB drive :)
15:04 🔗 Raccoon TestDisk seems like the way to go
15:19 🔗 davie Raccoon that's the consideration I was making. Frankly I really need this data, and it's of public interest. That being said I was extremely unprofessional in not using additional tools to verify volume designation for the media, and worse still exfat is a vexatious FS for this use case. Hopefully I can hit the drive with a good carving tool, and find the signatures I need to sort the data.
15:21 🔗 davie If I am successful I will share the signatures after uploading the data. Curiously enough there is some trouble in finding the signature profiles. I purchased every version of UFS Explorer and R-Studio tools, but right now I'm dealing with the dd/FTK aspect of preserving what I can.
15:23 🔗 davie Ideally you would do this using vfs in a flash storage appliance, but that's outside of the budget for a lowly sociologist archive novice
15:24 🔗 davie Also ++ on testdisk
15:24 🔗 eythian I'd also encourage a backup regime :)
15:24 🔗 Raccoon I'd take the time to read thoroughly through the TestDisk documentation. Ie: https://www.cgsecurity.org/wiki/TestDisk and https://www.cgsecurity.org/wiki/TestDisk_Step_By_Step and other google searches like http://www.tipsninja.com/testdisk-recover-lost-deleted-partitions/
15:25 🔗 Raccoon hopefully your Quick Format didn't destroy too much
15:25 🔗 davie this was a one off case, normally I comply with a data hygiene and retention schedule that was written by my attorney for other reasons.
15:26 🔗 Raccoon if you like PDFs, here's a full documentation -- https://www.cgsecurity.org/testdisk.pdf
15:26 🔗 davie Thank you for the links. I'm curious though, does anyone here use EnCase? This is unrelated.
15:27 🔗 davie I'll review the docs, it's been a while since I used testdisk for this type of work. Thank you again for the links
15:28 🔗 Raccoon Never heard of or used EnCase. It seems like a corporate non-gnu non-foss product
15:32 🔗 Raccoon their software page looks like it's been around only a few years, but their company for a couple decades. https://web.archive.org/web/*/guidancesoftware.com/encase-forensic-imager
15:32 🔗 Raccoon The forensics tool I grew up around was WinHex but I don't know what kind of status it holds today
15:37 🔗 davie EnCase is a great tool that has been evaluated extensively by DHS, NJIC, NIST, and others. It's extremely expensive though, and requires HASP dongles for licensing.
15:38 🔗 davie There are many professors for business forensics type of education that have "altered" useful versions for their students. I don't have that access as my education didn't require that type of experience.
15:38 🔗 Raccoon Prolly start with just letting TestDisk perform a read-only diagnosis to see what it can find. It looks like it's very clear about when it writes to the disk
15:40 🔗 davie The reason for using encase is that you can build custom scripts and profiles that find what you need from a raw image. For example, there isn't another tool that can find bitcoin wallets or twitch xml logs from chat by scripting a plugin, to my knowledge.
15:40 🔗 davie Agree RE read only
15:41 🔗 Raccoon you got me curious now, cuz I'm not finding any bitmap images of what exactly a QuickFormat looks like for various filesystems. Think I'm going to fill up a small test partition with 0x55 and then format it with each various FS and create a visual image of the writes that windows makes. maybe even repeat it for each major version of windows from 98 through 10
15:41 🔗 davie Andrew Case sold Guidance Software to the Canadian company OpenText, and frankly, they are booties.
15:41 🔗 Raccoon booties?
15:42 🔗 davie No public access to support documents or files of any sort unless you pay for the 10,000$ annual license to my knowledge
15:42 🔗 Raccoon that looks like the the company that makes EnCase
15:42 🔗 davie they are jerks, really
15:43 🔗 davie Guidance was the original seller and very friendly for academics, maybe 2004 established. Sold in 2018 to a company that is tailored for law firms and feds.
15:44 🔗 Raccoon but really, that's a pretty accurate carry-over of data recovery from the 1980's and 90's. Empty people's and corporate wallets while they're suffering from grief, panic, denial and bargaining
15:45 🔗 davie This is a real shame because I wrote hundreds of enscripts to do "speed forensics" and the new company is just not interested in academia
15:46 🔗 davie Ahh yes indeed Raccoon. Some of the best tools were acquired by now M&A companies to stop competitive use.
15:46 🔗 ndiddy has quit IRC (Remote host closed the connection)
15:46 🔗 Raccoon well, good luck and let us know. i'm curious if you find a nice friendly tool that can identify and shape every filetype on the planet through header-footer
15:47 🔗 davie Even things like photorec aren't what they used to be. R-Studio was purchased by a german company even tho I think they are still using the developers out of Ukraine.
15:47 🔗 davie Will do Raccoon
15:47 🔗 Raccoon i understand various hex editors have such features to nicely label what each byte offset is and what it means
15:47 🔗 ndiddy has joined #archiveteam-bs
15:48 🔗 Raccoon since it was a 10 TB drive, your cluster size is going to be rather large, which means that your data's going to be fairly more sequential than with a tiny allocation size
15:49 🔗 Raccoon so hopefully minimal fragmentation
15:49 🔗 Raccoon hopefully not a very long operation period with lots of deletes and rewrittes
15:54 🔗 davie Tangential note, I have been considering getting with Scott and doing a massive group buy. Would be great if we could all have deepspar, x-ways, pc-3000, write blockers, tableau bridges, and the software to use those tools for 2,000$ instead of 50k. It would require a substantial group size, like maybe 6,000 people.
15:57 🔗 Raccoon was x-ways (winhex) bought?
15:57 🔗 davie Oh and I forgot this earlier but using CDNs for storage of public software like AKAMI should be criminal in my opinion. There are thousands of broken links to old software on google top ten pages (100 per) because of the issues with transitioning from CDN for support files to local hosting behind a portal
16:00 🔗 DopefishJ has joined #archiveteam-bs
16:04 🔗 DFJustin has quit IRC (Ping timeout: 745 seconds)
16:06 🔗 Raccoon index them and archive :)
16:43 🔗 SakoeraTy has joined #archiveteam-bs
16:47 🔗 Igloo SakoeraTy
16:47 🔗 Igloo Lets talk about it here
16:47 🔗 SakoeraTy Okay
16:48 🔗 SakoeraTy https://www.aniway.nl/forum/viewtopic.php?f=22&t=32961
16:49 🔗 JAA Heh
16:49 🔗 JAA If I'm reading that correctly, the rest of the site is not affected, right?
16:49 🔗 SakoeraTy It is too, but not this soon afaik
16:50 🔗 JAA I see.
16:50 🔗 SakoeraTy The magazine will get a rehaul, part of that will be a new website - this was already announced in the magazine's last issue
16:50 🔗 SakoeraTy Now suddenly they announce the whole forums will be shut down :/
16:50 🔗 Igloo 32,000 topics is quite small.
16:50 🔗 SakoeraTy There is a new Discord to replace the forums apparently
16:51 🔗 SakoeraTy It used to be bigger
16:51 🔗 JAA Where do you see 32k topics?
16:51 🔗 Igloo Oh wait that's threads
16:51 🔗 JAA 399k posts in 11.7k threads.
16:51 🔗 Igloo Sorry been a long day.
16:51 🔗 SakoeraTy They had subforums for Dutch language anime/manga publishers
16:51 🔗 SakoeraTy Which they closed down a few years ago
16:51 🔗 Igloo I presumed the &t= was threads
16:51 🔗 JAA It is.
16:51 🔗 SakoeraTy As part of a forum cleanup
16:51 🔗 JAA But that's the thread ID, including all deleted threads and ones in private subforums etc.
16:52 🔗 SakoeraTy Despite all the interesting talk there now being lost about Dutch manga translations, DVD subtitles, etc.
16:52 🔗 JAA Let's do two AB jobs, one for the forums and one for the site.
16:52 🔗 asie I'm so glad Polish manga publishers still have at least one forum, and it's decently active.
16:53 🔗 SakoeraTy Dutch anime DVD subs tended to vary a lot in quality, many badly translated from French to Dutch by non-native speakers of Dutch
16:53 🔗 SakoeraTy Those forums were one place to check (incomplete) information on the quality of some of those
16:53 🔗 asie They used to vary here too, back when we had anime publishers.
16:53 🔗 SakoeraTy Also localisation decisions made by the translators were shared there
17:02 🔗 SakoeraTy I just noticed I said Friday, but I meant Thursday
17:16 🔗 ShellyRol has quit IRC (Read error: Operation timed out)
17:16 🔗 ShellyRol has joined #archiveteam-bs
18:01 🔗 C4K3 has joined #archiveteam-bs
19:11 🔗 ShellyRol has quit IRC (Ping timeout: 496 seconds)
19:12 🔗 ShellyRol has joined #archiveteam-bs
19:13 🔗 HashbangI has joined #archiveteam-bs
19:50 🔗 DopefishJ is now known as DFJustin
19:52 🔗 DFJustin has quit IRC (Remote host closed the connection)
19:52 🔗 DFJustin has joined #archiveteam-bs
19:52 🔗 killsushi has joined #archiveteam-bs
19:56 🔗 SakoeraTy has quit IRC (Ping timeout: 745 seconds)
21:03 🔗 Quirk8 has joined #archiveteam-bs
21:03 🔗 Stiletto davie: ++ on R-Studio. At least back in the day 2005-2009 when I was my company's "data recovery specialist", it was very useful to find remnants of old filesystems many, many times and was definitely worth the money. Dunno about nowadays tho
21:07 🔗 fredgido has quit IRC (Remote host closed the connection)
21:08 🔗 fredgido has joined #archiveteam-bs
21:11 🔗 JAA RStudio? What does a statistics software interface have to do with data recovery? ;-)
21:14 🔗 Pixi` has quit IRC (Read error: Operation timed out)
21:22 🔗 davie has quit IRC (Ping timeout: 260 seconds)
21:27 🔗 Raccoon JAA: probably to identify data that isn't cryptographically random?
21:31 🔗 Frogging Yeah, distinguishing data from noise
21:45 🔗 Quirk8 has quit IRC (END OF LINE)
21:46 🔗 Raccoon i hear a lot of people shooting video of hurricane dorian, vertically. they're the reason god is punishing us.
21:46 🔗 Raccoon oop, wrong ch
21:47 🔗 Quirk8 has joined #archiveteam-bs
21:50 🔗 Pixi has joined #archiveteam-bs
22:02 🔗 SmileyG has joined #archiveteam-bs
22:04 🔗 tuluu_ has joined #archiveteam-bs
22:06 🔗 Raccoon has quit IRC (Ping timeout: 258 seconds)
22:06 🔗 Smiley has quit IRC (Ping timeout: 258 seconds)
22:06 🔗 tuluu has quit IRC (Ping timeout: 258 seconds)
22:06 🔗 Gfy has quit IRC (Ping timeout: 258 seconds)
22:06 🔗 Laverne has quit IRC (Ping timeout: 258 seconds)
22:06 🔗 luckcolor has quit IRC (Ping timeout: 258 seconds)
22:06 🔗 Laverne has joined #archiveteam-bs
22:06 🔗 luckcolor has joined #archiveteam-bs
22:07 🔗 godane has quit IRC (Leaving.)
22:07 🔗 atbk_ has joined #archiveteam-bs
22:08 🔗 Raccoon has joined #archiveteam-bs
22:10 🔗 Gfy has joined #archiveteam-bs
22:11 🔗 atbk has quit IRC (Ping timeout: 746 seconds)
22:18 🔗 mc2 has quit IRC (Ping timeout: 360 seconds)
22:50 🔗 BlueMax has joined #archiveteam-bs
23:19 🔗 SmileyG has quit IRC (Read error: Operation timed out)
23:22 🔗 Smiley has joined #archiveteam-bs

irclogger-viewer