> > > Now I want to recover xMail (contains mbox files). sleuthkit only
> > > finds Mail/xMail with no content. It also doesn't find any of the
> > > contained mboxes.

> > Try Lazarus instead.

> Have any URL or package name? Found lots of references but no
> way to actually get it.

In /usr/ports/sysutils/tct you will find "The Coroners Toolkit"
Lazarus is part of that program. Do NOT confuse it with
lazarus in the editors.

You need to unmount what you have so you don't lose any more files.
Lazarus will go ahead and recover only blocks with data, which
makes it nicer than dd which will take everything off the disk
including unused blocks.

The data will be saved in sets of files which can be viewed in
HTML, or read directly with editors.

You need some space to put the data ON ANOTHER FILESYSTEM - or on
another drive - as you can't put it on the drive you are trying to
recover - as you will over-write the data you are trying to get.

I don't even recall if it will let you do that.

It is not a newbie program. It was written by Wietse Venema and
Dan Farmer. The program in the ports is 1.16.

So you probably want to go to http://www.porcupine.org/forensics
to get 1.18

SO it's not really in the ports anymore - I just checked.


