NAME

tskmount - mounting the deleted files filesystem

SYNOPSIS

tskmount [ -h ] [ -f ] [ -d ] [ -e ] [ -q ] [ -v ] [ -o fuseoptions ] filesystem mountpoint

DESCRIPTION

tskmount(8) is the command to mount the deleted files filesystem.

tskmount(8) is part of the TSKmount-Fuse package, a Fuse filesystem written in Perl and based on The Sleuth Kit tools (commands fls(1), icat(1) and ils(1) are required).

OPTIONS

-h, --help
Print a help message.
-f, --full
Show all files in the mounted filesystem (deleted and not deleted ones). Mounting with this option may take a long time (minutes) and requires some memory during filesystem analysis at initialization.
-d, --deleted
Show only the deleted files. This is the default. Note that this option may show only a part of all the deleted files (see -e, --enhance option).
-e, --enhance
Enhance the search for deleted files. This option is necessary to show all deleted files on an ext2 filesystem, but it increases memory usage and startup time. This is the default if option -f, --full is set.
-q, --quiet
Do not print status messages at initialization.
-v, --verbose
Print status messages at initialization. "Ready" is printed when the filesystem has been entirely computed and is ready to use. This is the default.
-o fuseoptions, --options=fuseoptions
The argument fuseoptions is a list of comma-separated options to pass to fuse (e.g. "-o allow_other" to allow access to others).
filesystem
The device (e.g. /dev/sda1) or the file (any filesystem image) to mount. It must be readable with user rights.
mountpoint
The mountpoint is an empty directory (e.g. /tmp/fuse/) on which the filesystem is mounted.

EXAMPLES

Here are some example commands.

MOUNTING

Mounting device /dev/hda5 on the empty directory /tmp/fuse:

                tskmount /dev/hda5 /tmp/fuse

Wait for the "Ready" message before going to the mountpoint /tmp/fuse.

UNMOUNTING

Unmounting the filesystem:

                fusermount -u /tmp/fuse

A FULL EXAMPLE

Mounting device /dev/sda1, a USB pen device, to recover a deleted file:

                su -c "chmod o+r /dev/sda1"         # make readable
                mkdir /tmp/fuse                     # create mountpoint
                tskmount -f /dev/sda1 /tmp/fuse &   # wait "Ready"
                ls /tmp/fuse/                       # show content
                cp /tmp/fuse/... .                  # copy your file
                fusermount -u /tmp/fuse             # unmount
                su -c "chmod o-r /dev/sda1"         # reset permissions

COPY A LARGE FILE

Copy a large file named "/tmp/fuse/foo (deleted_12345)" using the icat(1) command from The Sleuth Kit package.

        # at the end of the filename you can get the real inode to use
        # as last argument of icat command

                icat -r /dev/sda1 12345 >/tmp/foo_recovery

NOTES

The device or image file must be readable by the user, so you may have to run chmod(1) as root beforehand (e.g. "chmod o+r device") if you intend to use tskmount with common user rights. And don't forget to "chmod o-r device" after unmounting :-)

Copying files is really slow, and if a file is larger than 8 MB you shouldn't try to copy it directly. Instead, use the icat(1) command from The Sleuth Kit, as tskmount will show you in the alert message.
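
As an added example (not part of TSKmount-Fuse), these shell functions apply the 8 MB rule above together with the COPY A LARGE FILE procedure: small files are copied from the mountpoint, larger ones are read from the device with icat -r. It assumes deleted entries are always named "<name> (deleted_<inode>)" with a numeric inode, as in the example on this page; the function names and the TSK_LIMIT variable are hypothetical.

```shell
#!/bin/sh
# Added example, not part of TSKmount-Fuse. Assumption: deleted entries are
# named "<name> (deleted_<inode>)" with a numeric inode, e.g. "foo (deleted_12345)".

TSK_LIMIT=${TSK_LIMIT:-8388608}   # 8 MB threshold from NOTES, in bytes

# Print the inode encoded at the end of a tskmount file name; fail if absent.
tsk_inode() {
    inode=$(printf '%s\n' "$1" | sed -n 's/^.* (deleted_\([0-9][0-9]*\))$/\1/p')
    [ -n "$inode" ] || return 1
    printf '%s\n' "$inode"
}

# Print the file name without its directory and "(deleted_<inode>)" suffix.
tsk_basename() {
    name=${1##*/}
    printf '%s\n' "$name" | sed 's/ (deleted_[0-9][0-9]*)$//'
}

# Choose the transfer method for a size in bytes: "cp" up to the limit, else "icat".
tsk_method() {
    if [ "$1" -gt "$TSK_LIMIT" ]; then echo icat; else echo cp; fi
}

# tsk_recover DEVICE MOUNTED_FILE DEST_DIR
# Copies small files from the mountpoint; reads large ones from the device.
tsk_recover() {
    dev=$1 src=$2 destdir=$3
    # Take the size from the directory entry so the file itself is not read.
    size=$(ls -ln "$src" | awk '{print $5; exit}')
    [ -n "$size" ] || { echo "cannot stat: $src" >&2; return 1; }
    out="$destdir/$(tsk_basename "$src")"
    if [ "$(tsk_method "$size")" = icat ]; then
        ino=$(tsk_inode "$src") || { echo "no inode in name: $src" >&2; return 1; }
        icat -r "$dev" "$ino" > "$out"
    else
        cp "$src" "$out"
    fi
}
```

For example, tsk_recover /dev/sda1 "/tmp/fuse/foo (deleted_12345)" /tmp/recovered writes /tmp/recovered/foo; the destination directory should be on a different device from the one being examined.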

The find(1) command should be used with the -noleaf option to work properly.

The mounted filesystem is read-only.

Don't expect miracles: only a small part of the files can be recovered, generally the most recent ones.

BUGS

Let me know at http://tskmount-fuse.sourceforge.net/.

AUTHOR

Jean Diraison <jean.diraison@ac-versailles.fr>, <jean.diraison@ac-rennes.fr>

AVAILABILITY

tskmount(8) is part of the TSKmount-Fuse package, a Fuse filesystem written in Perl and based on The Sleuth Kit tools. It is intended to provide an easy way to recover deleted files on ext2, vfat (FAT 12/16/32) and NTFS filesystems. The latest version can be downloaded at http://tskmount-fuse.sourceforge.net/.

COPYRIGHT

Copyright © 2007 Jean Diraison. There is NO warranty. You may redistribute this software under the terms of the GNU General Public License version 2. For more information about these matters, see the files named COPYING.

SEE ALSO

fusermount(1), icat(1), fls(1), ils(1).