Hello, linux_find_file can find files in any file system and pulls data directly from the cache you are describing. Also, I am aware that linux_find_file can be slow to deal with since you have to query each file then run the plugin again to extract it. With that in mind I wrote the recover file system plugin that will be included with the book & Volatility 2.4. For this plugin you just give it the output directory (-D) and it will write all files from the cache out in the directory structure they were on disk. That plugin is attached. To use it just copy it under volatility/plugins/linux (assuming you use the src distribution). If you use the stand alone exe then make a folder, put the plugin in that folder, then pass the path to the folder to the --plugins option to volatility. For this to work --plugins must be the first option after vol<..>.exe. Let me know if you have any issues with the plugin. Please note you must run the plugin as root in order for the metadata fix up to work (so that script can own files to root as they were on the drive you are extracting from). Thanks, Andrew (@attrc) On 4/11/2014 4:07 PM, Sebastian Biedermann wrote: