During a forensic investigation of a compromised Linux server, an investigator needs to recover deleted files from an ext4 filesystem. Which method should the investigator use to maximize recovery of file content, considering the filesystem may have been partially overwritten?
Trap 1: Use 'grep -a' to search the raw disk for file signatures.
'grep -a' can find strings but does not reconstruct files; it will not recover file content effectively.
Trap 2: Use 'scalpel' to perform a deep scan of the filesystem.
Scalpel is a file carver but foremost is more commonly used and referenced in CHFI; both are similar but foremost is the canonical answer.
Trap 3: Use 'extundelete' to recover files from the ext4 filesystem.
extundelete relies on filesystem metadata which may be overwritten; it is less effective when metadata is damaged.
- A. Use 'foremost' to carve files based on file headers and footers.
  Why correct: Foremost is a file carving tool that recovers files by scanning for known headers/footers, making it effective for partially overwritten filesystems.
- B. Use 'grep -a' to search the raw disk for file signatures.
  Why wrong: 'grep -a' can find strings but does not reconstruct files; it will not recover file content effectively.
- C. Use 'scalpel' to perform a deep scan of the filesystem.
  Why wrong: Scalpel is a file carver, but foremost is more commonly used and referenced in CHFI; both are similar, but foremost is the canonical answer.
- D. Use 'extundelete' to recover files from the ext4 filesystem.
  Why wrong: extundelete relies on filesystem metadata, which may be overwritten; it is less effective when metadata is damaged.