http://www.forensicswiki.org/wiki/Helix3
http://www.sleuthkit.org/index.php
恢复步骤:
root@srv01 [/home/recovery]# ./fls -a -r -p /dev/sdb3 > sdb3usrdirlist.txt
root@srv01 [/home/recovery]# grep -i "access_log" /home/recovery/sdb3usrdirlist.txt
r/r 2195490: local/cpanel/logs/access_log
r/r * 2199010(realloc): local/cpanel/logs/access_log-cpanelsync
r/r 2362208: local/apache/logs/access_log
root@srv01 [/home/recovery]# ./icat -r -s -f ext3 /dev/sdb3 2195490 > /tmp/access_log
root@srv01 [/home/recovery]# ls -la /tmp/access_log
-rw-r--r-- 1 root root 13312000 Jun 11 03:38 /tmp/access_log
root@srv01 [/home/recovery]#