File Recovery

Press the button below to create the example to work on in this question. It will create the file /home/caine/dimg2.dd.

Examine the dimg2.dd file and identify the start sector, byte offset to start sector, and filesystem type.

Using the fls command examine the files present in partition 00:00.

Identify any files which are deleted, and list the inodes in the box below in the format "1,2,3,4". Put the inodes in ascending order and do not type any spaces into the answer.

Examine the first three of the deleted files you have identified in more detail by examining their inode information. With the inode information complete the following table, ordering the information by ascending inode number:

All three files share the same First Sector, and have many sectors in common.
Why? This is normal behaviour for the FAT filesystem This is a specially compressed FAT filesystem This is ok for deleted files as it doesnt matter for them The metadata for the files is corrupted somehow

Use icat and xxd to view the first and last sectors of each inode. Note the result and consider what this means in comparison to the file extensions of each file you listed above. Remember to format hex numbers using the format 0x0000. In this question a Signature is the first 2 bytes of a file, and the tail signature is the last 2 bytes.

In this case only File 2 has a valid start and end signature which matches its file extension, so it is likely the metadata of File 2 is valid and thus the metadata of File 1 and File 3 is invalid.

Use icat and recover File 2. Save the recovered file to /home/caine/file2.jpg.

The file order File 1 identified in the previous questions had an extension which suggested it was a JPEG file, but that the clusters containing its data had been lost. In this question you will try to find the lost clusters using sigfind. Use sigfind command to find all files which contain the jpeg start signature. What is the first sector found by sigfind?

Is this sector from the beginning of the disk or is it from the beginning of the partition? Beginning of the DISK Beginning of the PARTITION Bytes from the beginning of the DISK

Using ifind to see if this sector is associated with an inode. Use the command below substituting SectorInQuestion for the sector you are checking. What is the result?

  ifind -o 63 dimg2.dd -d SectorInQuestion

Assuming that the sectors associated with this jpeg are contiguous (i.e. one after the other in continuous sectors) look for the end of jpeg signature and calculate the overall length. Use dd to load each sector, starting from the sector you identified above, and look for a jpeg tail signature followed by some 00 bytes. From this calculate the clusters used and file size.
File size in bytes:
Clusters Used:
Slack space in bytes:

Hint. You can assume that the file is less than or equal to 100 sectors in size. Thus you could dd all 100 sectors, then grep for the tail signature using a pipe.

Use dd to copy this file, and save it to file1.jpg in /home/caine. Make sure the file is the right length, and remember to use disk offsets and not partition offsets.

The second file (File 3) which needs to be recovered has an extension identified above as ".txt". This is likely to be a text file. This is harder to automatically search for, but in this case you have been told that the missing text file is about the SHA1 standard. You can use this to help search for the file.

Use the following command to search for occurances of "sha1" on the disk.

/usr/local/bin/blkls -e -o 63 -i raw dimg2.dd |  grep -ba sha1 | cut -d: -f1 > /home/caine/bsearch

Examine the bsearch file you just created, and take the first offset in the file. What sector of partition 1 does that offset lie in?
Partition sector:

Convert the partition sector to a disk sector, then use dd and xxd to scan from that point of the disk onwards looking for the end of the text file. On the right of the xxd output you can see the ASCII text of the file. 0x00 rarely appears in a normal text file, so one approach is to look for the start of a stream of 0x00 characters, and the non 0x00 character immediately before this stream starts will be the end of the text file.

Hint: Assume the file is smaller than 100 sectors. You could use grep to look for 0000, but note that the string "0000" appears in this file, so prepare for false matches due to matching the ASCII translation.
File size in bytes:
Clusters Used:
Slack space in bytes:

Use the dd command to copy this file and save it to /home/caine/file3.txt. Again make sure the file is the right length and that you are using disk offsets not partition offsets.

Press the button to delete the img file.