Andrew Case · Feb 8, 2015 · 4:43 PM UTC

Andrew Case @attrc

8 Feb 2015

Can you recover deleted but running exes on live OS X? Linux example of it: pastebin.com/LC3dj152 CC: @iamevltwin @osxreverser #DFIR

Sarah Edwards 👩🏻‍💻🐈‍⬛ · Feb 8, 2015 · 4:45 PM UTC

Sarah Edwards 👩🏻‍💻🐈‍⬛ @iamevltwin

8 Feb 2015

@attrc @osxreverser Can't say I've ever tried. :\

Hal Pomeranz · Feb 8, 2015 · 5:46 PM UTC

Hal Pomeranz @hal_pomeranz

8 Feb 2015

@iamevltwin @attrc @osxreverser "lsof +L1" to show unlinked open file CNID, then icat to recover?

Andrew Case · Feb 8, 2015 · 6:17 PM UTC

Andrew Case @attrc

8 Feb 2015

@hal_pomeranz I will try that if I can figure out why TSK won’t compile. That didn’t work on Linux though

Hal Pomeranz · Feb 8, 2015 · 6:23 PM UTC

Hal Pomeranz · Feb 8, 2015 · 6:23 PM UTC

Hal Pomeranz @hal_pomeranz

8 Feb 2015

Replying to @attrc

@attrc Just tested it on my Yosemite box and it worked fine. I've done it on Linux too-- though there you can just use /proc/<pid>/exe

Feb 8, 2015 · 6:23 PM UTC

Hal Pomeranz · Feb 8, 2015 · 6:30 PM UTC

Hal Pomeranz @hal_pomeranz

8 Feb 2015

@attrc Hadn't looked at the pastebin-- but, yes, I just tested recovering deleted binary from a deleted directory with lsof/icat/Yosemite

Andrew Case · Feb 8, 2015 · 6:33 PM UTC

Andrew Case @attrc

8 Feb 2015

@hal_pomeranz ah nice. Can you pastebin istat on the file and it's directory ?

Andrew Case · Feb 8, 2015 · 6:24 PM UTC

Andrew Case @attrc

8 Feb 2015

@hal_pomeranz you tested with deleting the directory of the file and not just the file itself ? See the pastebin