
Deleted file recovery and file carving: command line


Objectives

This lab deals with searching for deleted files within a disk image. It introduces the command line tools required to find and recover deleted files. To recover a deleted file you will use the icat command; if the file cannot be recovered because the starting cluster of the file has been overwritten, you will use file carving to recover the data.

Question 1: Searching for deleted files

In this exercise we will use a USB image called usbimg1.dd. It should be located in the /images directory.

Make sure that you have an /evidence directory located in /home/caine/

Use the mmls command to check the layout of the usbimg1.dd image.

What kind of file system is installed in the first partition?

List all the files from the image by using the fls command.

Are there any deleted files? List all the inodes of the deleted files in the format "1,2,3,4". Put the inodes in ascending order and do not include spaces in the string.

What is the name of the first of these deleted files?

Inspect the metadata of both files by using the istat command.

What is the Directory Entry status for inode 10?

Record the size and the first and last sector number for the inodes which relate to the first two deleted files found earlier.
First File: First Sector, Last Sector
Second File: First Sector, Last Sector

Inspect the first and the last sector of inode 10 by using the dd and hexdump (xxd) commands. Save the xxd output into two separate files called first_sector.txt and last_sector.txt. Make sure that you place both files into the /evidence directory.

Hint: Do not forget about offset 63. The sector numbers reported by istat are relative to the start of the partition, so add the partition's starting sector to get the offset within the whole image.

Open both files and check the signature and the footer of the jpg file. Record both values. Use hex in the format 0x0000.
First File: signature, footer
Second File: signature, footer

Based on the output from the last_sector.txt file, calculate the size in bytes of the slack space (the unused bytes between the end of the file data and the end of its last sector).
Slack bytes

Is there any data located in the slack space?

Question 2: File Recovery

Assume that there is a jpeg on the usb image which has lost its metadata. Use sigfind to find all blocks which contain the jpeg signature. What is the second last one found by sigfind?
Second last block:

Using xxd and dd, go one block at a time (assuming that the file is not fragmented), and find the end block using what you know about the trailing marker for jpegs.
end block:

What is the overall length in bytes of this jpeg file?
length:

Extract the whole file using "dd". The starting offset in bytes is the first block * 512. So use:

  dd if=/images/usbimg1.dd bs=1 skip=START_IN_BYTES count=LENGTH_IN_BYTES of=/home/caine/evidence/img.jpg
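As an added example (not part of this lab page, and not the Sleuth Kit's own code), the carving procedure of Question 2 and the slack-space calculation of Question 1 written out as a small Python script. It works on a constructed in-memory image of 512-byte sectors rather than usbimg1.dd, so the block numbers it reports are only illustrative.

```python
# Constructed image: zero-filled 512-byte sectors holding one unfragmented
# JPEG-like blob (SOI + filler + EOI). This is NOT usbimg1.dd.
SECTOR = 512
SOI = b"\xff\xd8"   # JPEG start-of-image marker (the "signature")
EOI = b"\xff\xd9"   # JPEG end-of-image marker (the "trailer"/"footer")


def build_image(n_sectors=16, start_block=5, body_len=1100):
    """Return a constructed image with a fake JPEG starting at start_block."""
    img = bytearray(SECTOR * n_sectors)
    blob = SOI + b"\xff\xe0" + bytes(body_len) + EOI
    off = start_block * SECTOR
    img[off:off + len(blob)] = blob
    return bytes(img)


def find_signatures(img, sig=SOI):
    """Mimic sigfind's default behaviour: report every block whose first
    bytes equal the signature (sigfind checks offset 0 of each block)."""
    return [b for b in range(len(img) // SECTOR)
            if img[b * SECTOR:b * SECTOR + len(sig)] == sig]


def carve_jpeg(img, start_block):
    """Walk forward one block at a time from start_block until the EOI marker
    appears (file assumed unfragmented, as in the lab).
    Returns (end_block, length_in_bytes, slack_bytes_in_last_sector)."""
    start = start_block * SECTOR
    for b in range(start_block, len(img) // SECTOR):
        sector = img[b * SECTOR:(b + 1) * SECTOR]
        pos = sector.find(EOI)
        if pos != -1:
            length = (b * SECTOR + pos + len(EOI)) - start
            used_in_last = (start + length) - b * SECTOR  # file bytes in last sector
            return b, length, SECTOR - used_in_last       # slack = rest of sector
    raise ValueError("no EOI marker found after block %d" % start_block)


def extract(img, start_block, length, partition_start=0):
    """Same as: dd if=image bs=1 skip=(partition_start+start_block)*512 count=length.
    partition_start is the partition's first sector (the lab's 'offset 63')
    when block numbers are relative to a partition; 0 for whole-image blocks."""
    off = (partition_start + start_block) * SECTOR
    return img[off:off + length]


if __name__ == "__main__":
    image = build_image()
    first = find_signatures(image)[-1]           # here: the only match, block 5
    end_block, length, slack = carve_jpeg(image, first)
    print("start", first, "end", end_block, "length", length, "slack", slack)
    open("img.jpg", "wb").write(extract(image, first, length))
```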



Copyright @ 2004-2012 Gordon Russell. All rights reserved.