Recovering

==========

Create a new case directory

mkdir /forensic/case && cd /forensic/case

Install Hexedit

sudo apt-get install hexedit -y

Run Hexedit

hexedit /forensic/disk.img

Syntax

    F1:          help
    F2:          save
    F3:          load file
    Ctrl-Z:      suspend
    Ctrl-X:      save and exit
    Ctrl-C:      exit without saving
    Ctrl-U:      undo all
    Ctrl-S:      search forward

Find the start of the JPEG (ffd8ffe1). ffd8 is the SOI marker that begins every JPEG and ffe1 is the APP1 (Exif) segment that follows it in camera files; JFIF files start with ffd8ffe0 instead, so searching for ffd8ff alone catches both kinds.

Ctrl-S
Hexa string to search: ffd8ffe1

Output (offset)

---  disk.img       --0x840C00/0x6400000--------------------------------------------------------------------

Calculate the start location of the JPEG (in bytes)

echo "ibase=16;0840C00" | bc

Output

8653824

Find the end of the JPEG (the EOI marker ffd9). Search forward from the start offset found above, and bear in mind that a JPEG carrying an Exif thumbnail contains the thumbnail's own ffd8/ffd9 pair inside its APP1 segment, so the first ffd9 after the start can belong to the thumbnail rather than the picture; a carved file that ends too early is the symptom.

hexedit /forensic/disk.img

Search for hexadecimal string ffd9

Ctrl-S
Hexa string to search: ffd9

Output (offset)

---  disk.img       --0x85CCCD/0x6400000--------------------------------------------------------------------

Calculate the end of the JPEG (in bytes)

echo "ibase=16;85CCCD" | bc

Output

8768717

Carve the image using the dd command. count is the number of bytes to copy: end offset minus start offset plus the two bytes of the ffd9 marker itself, 8768717 - 8653824 + 2 = 114895.

dd if=/forensic/disk.img of=/forensic/case/001.jpg skip=8653824 bs=1 count=114895

Display the image

xdg-open 001.jpg
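The manual procedure above (find ffd8, find ffd9, convert offsets, dd) done in code, as an added example that is not part of the original page. It walks the JPEG segment lengths instead of stopping at the first ffd9, which is what makes it survive Exif thumbnails. The function names (jpeg_end, naive_end, carve_jpegs, dd_command) are my own, and the disk image it scans is constructed in memory; nothing reads /forensic/disk.img.

```python
"""Structure-aware JPEG carver (added example, not the page's own code).

A naive carver takes the first ff d9 after an ff d8. An Exif JPEG carries an
embedded thumbnail inside its APP1 segment, and that thumbnail has its own
ff d8 / ff d9 pair, so the naive end lands inside the picture. Walking the
declared segment lengths skips the thumbnail as part of APP1.
"""
import struct

SOS, EOI = 0xDA, 0xD9
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def jpeg_end(data, start):
    """Exclusive end offset of the JPEG at data[start], or None if not well formed."""
    if data[start:start + 3] != b"\xff\xd8\xff":
        return None
    pos, n = start + 2, len(data)
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None                      # expected a marker here
        marker = data[pos + 1]
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seglen = struct.unpack_from(">H", data, pos + 2)[0]
        if seglen < 2:
            return None
        pos += 2 + seglen                    # skips the whole segment, thumbnail included
        if marker == SOS:
            # Entropy-coded data follows. It may contain ff 00 (stuffed) and
            # ff d0-d7 (restart) but no other marker, so scan to the next real one.
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None


def naive_end(data, start):
    """The hexedit approach: first ff d9 after the start marker."""
    i = data.find(b"\xff\xd9", start)
    return None if i < 0 else i + 2


def carve_jpegs(image):
    """(start, end) byte ranges of every well-formed JPEG in image."""
    found, pos = [], 0
    while (pos := image.find(b"\xff\xd8\xff", pos)) >= 0:
        end = jpeg_end(image, pos)
        if end is None:
            pos += 1                         # not a real JPEG here; keep scanning
        else:
            found.append((pos, end))
            pos = end                        # do not re-carve the thumbnail inside it
    return found


def dd_command(image_path, out_path, start, end):
    """The dd invocation that extracts this range, in the form used on the page."""
    return f"dd if={image_path} of={out_path} skip={start} bs=1 count={end - start}"


# --- constructed sample data, not real photographs ---------------------------
def _segment(marker, body):
    return bytes([0xFF, marker]) + struct.pack(">H", len(body) + 2) + body


def _jpeg(thumbnail, scan):
    """Minimal JPEG skeleton: SOI, one APP segment, SOS header, scan data, EOI."""
    app = (_segment(0xE1, b"Exif\x00\x00" + thumbnail) if thumbnail
           else _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"))
    return b"\xff\xd8" + app + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + scan + b"\xff\xd9"


THUMB = _jpeg(None, b"\x12\x34\xff\x00\x56")
EXIF_JPEG = _jpeg(THUMB, b"\xab\xcd\xff\x00\xef\xff\xd0\x99")   # Exif JPEG with embedded thumbnail
JFIF_JPEG = _jpeg(None, b"\x01\x02\x03")
SAMPLE_IMAGE = b"\x00" * 512 + EXIF_JPEG + b"\x00" * 100 + JFIF_JPEG + b"\xff" * 7

if __name__ == "__main__":
    for start, end in carve_jpegs(SAMPLE_IMAGE):
        print(f"JPEG at 0x{start:X}-0x{end:X} ({end - start} bytes): "
              f"{dd_command('disk.img', f'{start:08d}.jpg', start, end)}")
    print("naive first-ffd9 end for the Exif JPEG:", naive_end(SAMPLE_IMAGE, 512),
          "vs structural:", jpeg_end(SAMPLE_IMAGE, 512))
```

Run it directly and compare the two end offsets printed for the first JPEG: the naive one stops at the thumbnail's ffd9, the structural one at the picture's. On a real image, pass the file contents to carve_jpegs and feed each range to dd_command.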

Using Scalpel

Create a local copy of scalpel.conf file

cp /etc/scalpel.conf /forensic/case/

Verify/Edit the scalpel configuration. In the stock scalpel.conf every file type is commented out, so uncomment the entries you want carved (the jpg lines here). Each entry is one line: extension, case-sensitivity flag (y/n), maximum carve size in bytes, header byte pattern and, optionally, footer byte pattern.

vim scalpel.conf

Use Scalpel to carve files

scalpel -c scalpel.conf /forensic/disk.img

Results

ls  -R /forensic/case/scalpel-output/

Output

/forensic/case/scalpel-output/:
audit.txt  jpg-6-0  rpm-41-0  tif-9-0

/forensic/case/scalpel-output/jpg-6-0:
00000000.jpg  00000001.jpg  00000002.jpg

/forensic/case/scalpel-output/rpm-41-0:
00000006.rpm  00000007.rpm  00000008.rpm  00000009.rpm  00000010.rpm  00000011.rpm  00000012.rpm  00000013.rpm  00000014.rpm  00000015.rpm  00000016.rpm  00000017.rpm  00000018.rpm  00000019.rpm  00000020.rpm

/forensic/case/scalpel-output/tif-9-0:
00000003.tif  00000004.tif  00000005.tif

Using Foremost

Install foremost

sudo apt-get install foremost -y

Change to our working directory

cd /forensic/case/

Use Foremost to carve jpg files

foremost -t jpg -o foremost-output /forensic/disk.img

Results

ls -lR foremost-output/

Output

foremost-output/:
total 8
-rw-r--r--. 1 root root  817 Jun 27 10:11 audit.txt
drwxr-xr--. 2 root root 4096 Jun 27 10:11 jpg

foremost-output/jpg:
total 440
-rw-r--r--. 1 root root 114895 Jun 27 10:11 00016902.jpg
-rw-r--r--. 1 root root 132203 Jun 27 10:11 00017128.jpg
-rw-r--r--. 1 root root 195148 Jun 27 10:11 00017388.jpg

Deleted Partition

Requisites:


Add a 512M Disk to your virtual machine

Create a new disk partition

fdisk /dev/sdb

Welcome to fdisk (util-linux 2.25.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.

Device does not contain a recognized partition table.
Created a new DOS disklabel with disk identifier 0x109df081.

Command (m for help): n
Partition type
    p   primary (0 primary, 0 extended, 4 free)
    e   extended (container for logical partitions)
Select (default p): 

Using default response p.
Partition number (1-4, default 1): 
First sector (2048-1048575, default 2048): 
Last sector, +sectors or +size{K,M,G,T,P} (2048-1048575, default 1048575): 

Created a new partition 1 of type 'Linux' and of size 511 MiB.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Create an ext4 filesystem

mkfs.ext4 /dev/sdb1

Output

mke2fs 1.42.11 (09-Jul-2014)
Creating filesystem with 523264 1k blocks and 131072 inodes
Filesystem UUID: 4c904ba1-5a8c-42a6-8d97-5c7d3b0803ce
Superblock backups stored on blocks: 
    8193, 24577, 40961, 57345, 73729, 204801, 221185, 401409

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (8192 blocks): done
Writing superblocks and filesystem accounting information: done

Create a mountpoint

mkdir /mnt/flashdrive

Mount the filesystem

mount /dev/sdb1 /mnt/flashdrive

Download some sample files to the flash drive

cd /mnt/flashdrive

curl https://www.photos-public-domain.com/wp-content/uploads/2017/12/gray-cat-with-green-eyes.jpg --output cat-0.jpg

curl https://www.photos-public-domain.com/wp-content/uploads/2012/10/orange-and-white-cat-in-window-sill.jpg --output cat-1.jpg

curl https://www.photos-public-domain.com/wp-content/uploads/2012/04/funny-cat-hanging-upside-down-on-kitty-tree.jpg --output cat-2.jpg

List the files and inodes

ls -li /mnt/flashdrive/*.jpg

Unmount the filesystem

cd 
umount /mnt/flashdrive

Delete the partition

fdisk /dev/sdb 

Welcome to fdisk (util-linux 2.25.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.


Command (m for help): d
Selected partition 1
Partition 1 has been deleted.

Command (m for help): w
The partition table has been altered.
Calling ioctl() to re-read partition table.
Syncing disks.

Try to mount the filesystem

mount /dev/sdb1 /mnt/flashdrive

Output

mount: special device /dev/sdb1 does not exist

Forensic Recovery using Scalpel and dcfldd

Optional

Record typescript of terminal session:

script -a -t 2> case.time case.log

Play back the typescript using the timing information

scriptreplay case.time case.log

Create a case folder

mkdir -p /forensic/case && cd /forensic/case

Create a copy of the evidence

Install dcfldd

sudo apt-get install dcfldd -y

Copy the disk and record its MD5 hash

dcfldd if=/dev/sdb of=flashdrive.dd hash=md5 hashlog=flashdrive.md5

Install Scalpel

sudo apt-get install scalpel -y

Create a local copy of scalpel.conf file

cp /etc/scalpel.conf /forensic/case/

Edit the scalpel configuration

Hexadecimal

cd /tmp

curl https://www.photos-public-domain.com/wp-content/uploads/2017/12/gray-cat-with-green-eyes.jpg --output cat-0.jpg

hexdump cat-0.jpg | head

Output of 'cat-0.jpg' hexdump (head). Note that hexdump's default format prints 16-bit little-endian words, so "d8ff e0ff" means the bytes on disk are ff d8 ff e0 (SOI followed by an APP0/JFIF segment); use hexdump -C or xxd to see the bytes in file order, which is the order scalpel.conf header patterns use.

0000000 d8ff e0ff 1000 464a 4649 0100 0101 4800
0000010 4800 0000 e1ff ce30 7845 6669 0000 4d4d
0000020 2a00 0000 0800 0900 0f01 0200 0000 0900
0000030 0000 7a00 1001 0200 0000 0700 0000 8400
0000040 1a01 0500 0000 0100 0000 8c00 1b01 0500
0000050 0000 0100 0000 9400 2801 0300 0000 0100
0000060 0200 0000 3201 0200 0000 1400 0000 9c00
0000070 1302 0300 0000 0100 0100 0000 6987 0400
0000080 0000 0100 0000 b000 2588 0400 0000 0100
0000090 0000 320f 0000 580f 6f4d 6f74 6f72 616c

Carving files

scalpel -c scalpel.conf flashdrive.dd

Results

ls -R /forensic/case/scalpel-output

Output

/forensic/case/scalpel-output:
audit.txt  jpg-6-0  rpm-41-0  tif-9-0

/forensic/case/scalpel-output/jpg-6-0:
00000000.jpg  00000001.jpg  00000002.jpg

/forensic/case/scalpel-output/rpm-41-0:
00000006.rpm  00000007.rpm  00000008.rpm  00000009.rpm  00000010.rpm  00000011.rpm  00000012.rpm  00000013.rpm  00000014.rpm  00000015.rpm  00000016.rpm  00000017.rpm  00000018.rpm  00000019.rpm  00000020.rpm

/forensic/case/scalpel-output/tif-9-0:
00000003.tif  00000004.tif  00000005.tif

Alternative way

Use fdisk to obtain the start sector

fdisk -l flashdrive.dd

Disk flashdrive.dd: 512 MiB, 536870912 bytes, 1048576 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x238f1d05

Device     Boot Start     End Sectors  Size Id Type
flashdrive.dd1          2048 1048575 1046528  511M 83 Linux

Use bc to calculate the byte offset (start sector multiplied by the 512-byte sector size)

bc
2048 * 512
1048576

Mount the filesystem

mount -o ro,loop,offset=1048576 flashdrive.dd /mnt/flashdrive/

List the files

ls -lia /mnt/flashdrive/*.jpg

Output

14 -rw-r--r--. 1 root root 195148 Jun 27 11:26 /mnt/flashdrive/cat-0.jpg
13 -rw-r--r--. 1 root root 132203 Jun 27 11:26 /mnt/flashdrive/cat-1.jpg
12 -rw-r--r--. 1 root root 114895 Jun 27 11:26 /mnt/flashdrive/cat-2.jpg

Unmount the filesystem

cd 
umount /mnt/flashdrive
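The two situations this section covers, a partition table that still lists the filesystem (fdisk -l, sector times 512, mount with offset=) and one where fdisk's d command has wiped the entry, handled in code as an added example that is not part of the original page. parse_mbr reads the four MBR slots the way fdisk -l does; find_ext_filesystems locates the ext superblock by its magic when the table no longer helps. The function names are my own; the image is constructed in memory with the page's numbers (partition at sector 2048, 1046528 sectors, type 0x83, 1 KiB blocks, 523264 blocks) rather than read from flashdrive.dd.

```python
"""Find the filesystem offset in a raw image, with or without a partition entry
(added example, not the page's own code)."""
import struct

SECTOR = 512
MBR_TABLE = 0x1BE                  # four 16-byte entries, then 55 aa at byte 510
EXT_SB_OFFSET = 1024               # ext2/3/4 superblock sits 1 KiB into the partition
EXT_MAGIC = b"\x53\xef"            # s_magic 0xEF53, little-endian, at superblock offset 0x38


def parse_mbr(sector0):
    """Non-empty MBR partition entries with their byte offsets (what fdisk -l prints)."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    parts = []
    for i in range(4):
        boot, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector0, MBR_TABLE + 16 * i)
        if ptype == 0 or count == 0:
            continue                          # empty slot, which is what fdisk's d command leaves
        parts.append({"number": i + 1, "bootable": boot == 0x80, "type": ptype,
                      "start_sector": lba, "sectors": count, "byte_offset": lba * SECTOR})
    return parts


def find_ext_filesystems(image):
    """Sector-aligned offsets at which an ext superblock magic appears 1 KiB further on.

    The first hit is the primary superblock. Later hits are usually the backup
    copies mke2fs reports (they sit at block-group boundaries), so take the first.
    """
    hits = []
    last = len(image) - EXT_SB_OFFSET - 0x40
    for off in range(0, last, SECTOR):
        sb = off + EXT_SB_OFFSET
        if image[sb + 0x38:sb + 0x3A] != EXT_MAGIC:
            continue
        blocks_count = struct.unpack_from("<I", image, sb + 0x04)[0]    # s_blocks_count
        log_block_size = struct.unpack_from("<I", image, sb + 0x18)[0]  # s_log_block_size
        if blocks_count and log_block_size <= 6:   # cheap sanity check against stray 53 ef pairs
            hits.append(off)
    return hits


def mount_command(offset, image_path="flashdrive.dd", mountpoint="/mnt/flashdrive/"):
    """Read-only loop mount at the computed offset, as used on the page."""
    return f"mount -o ro,loop,offset={offset} {image_path} {mountpoint}"


def build_sample_image(partition_deleted=False):
    """Constructed image: MBR plus an ext superblock at the page's partition offset."""
    img = bytearray(2048 * SECTOR + 4096)
    if not partition_deleted:
        struct.pack_into("<B3sB3sII", img, MBR_TABLE, 0x00, b"\0\0\0", 0x83, b"\0\0\0", 2048, 1046528)
    img[510:512] = b"\x55\xaa"
    sb = 2048 * SECTOR + EXT_SB_OFFSET
    struct.pack_into("<I", img, sb + 0x04, 523264)    # s_blocks_count, from the page's mke2fs output
    struct.pack_into("<I", img, sb + 0x18, 0)         # s_log_block_size 0 -> 1 KiB blocks
    img[sb + 0x38:sb + 0x3A] = EXT_MAGIC
    return bytes(img)


if __name__ == "__main__":
    for label, img in (("intact", build_sample_image()), ("deleted", build_sample_image(True))):
        print(label, "MBR entries:", parse_mbr(img[:512]))
        for off in find_ext_filesystems(img):
            print(label, "ext superblock at partition offset", off, "->", mount_command(off))
```

The deleted case is the interesting one: parse_mbr returns nothing, exactly as "mount: special device /dev/sdb1 does not exist" reported above, yet the superblock scan still yields offset 1048576 and the same mount command works on the image. On a real 512 MiB image the scan loops over every sector, so expect it to take a few seconds.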
