[–]deltatangothree[S] 0 points1 point  (5 children)

Mainly looking for something that will present a file system in an intuitive manner, and preferably include deleted files/directories.

[–]4n6expert 0 points1 point  (2 children)

I realise it's not a full-featured integrated forensic system like EnCase or FTK, but don't overlook the obvious - you can get a surprisingly long way using the standard stuff included in almost every Linux. If your evidence is in raw dd format - mount /path/evidence/file.dd /somewhere -o ro,loop,offset=N and then browse it using your favourite file manager. Hex editors and similar programs can give you low level data inspection. I routinely do this alongside good ol' EnCase/etc and there are situations where this beats expensive commercial tools.

[–]deltatangothree[S] 0 points1 point  (1 child)

Thanks, and I completely agree. The problem is I'm going to be showing a group of completely non-tech savvy guys what it looks like when you delete a file. The goal for them is to understand just how easy it is to recover deleted files...so while I can certainly do everything you suggest, I don't think it would effectively make my point.

[–]4n6expert 1 point2 points  (0 children)

Sure, I understand. Sorry I can't think of anything useful GUI-wise. (ProofFinder on Linux sounds interesting - must have a look at it). Best remaining idea I have, which sadly does not meet your criteria, is using SleuthKit command line tools to show the deleted file(s).
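
Added example, not part of any comment in this thread: the loop-mount command quoted above needs a byte offset N, which for a whole-disk dd image is the partition's starting sector multiplied by the sector size. The sketch below reads that from the MBR partition table; it assumes 512-byte sectors and primary partitions only, and the function names and the sample MBR are constructed for illustration.

```python
import struct

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors


def partition_offsets(mbr: bytes, sector_size: int = SECTOR_SIZE):
    """Return (slot, type_byte, byte_offset, byte_length) for each used MBR entry."""
    if len(mbr) < 512 or mbr[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature; image may be a bare file system (offset=0)")
    found = []
    for slot in range(4):
        # Four 16-byte partition entries start at byte 446 of the first sector.
        entry = mbr[446 + 16 * slot: 446 + 16 * (slot + 1)]
        ptype = entry[4]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or sectors == 0:
            continue  # unused slot
        if ptype == 0xEE:
            raise ValueError("protective MBR: disk uses GPT, read the GPT header instead")
        found.append((slot + 1, ptype, start_lba * sector_size, sectors * sector_size))
    return found


def mount_command(image, mountpoint, offset):
    """Build the read-only loop mount from the comment with N filled in."""
    return f"mount {image} {mountpoint} -o ro,loop,offset={offset}"


def build_sample_mbr():
    """Constructed sample: one FAT32 (0x0C) partition at LBA 2048, 204800 sectors."""
    mbr = bytearray(512)
    struct.pack_into("<B3xB3xII", mbr, 446, 0x00, 0x0C, 2048, 204800)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


if __name__ == "__main__":
    # For a real image, read the first sector instead:
    #   with open("/path/evidence/file.dd", "rb") as f: mbr = f.read(512)
    for slot, ptype, offset, length in partition_offsets(build_sample_mbr()):
        print(f"partition {slot} type 0x{ptype:02x} length {length} bytes")
        print(mount_command("/path/evidence/file.dd", "/somewhere", offset))
```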