Computer Forensics 101 Series - Forensic Imaging and Data Recovery using Linux and open source tools


Author: Jeremy Martin
14563 Views
4m 46s Length
54 Rating


Information Warfare Center's Computer Forensics 101 Series - Forensic Imaging and Data Recovery using Linux and open source tools.

Un-deleting vs. Data carving

Un-deleting is the act of recovering data from a file system after it has been deleted. This means that the record in the file system's index (FAT, MFT, Catalog, etc.) still points to the location of the data on the drive. With the older FAT file systems, the first character of the file name record is overwritten with the hex value "E5". When you recover the data, you get the original file name along with the file. This method of recovery is far faster than data carving.

Data carving does not look at a file system index. Instead, this method starts at the beginning of the data set and searches for the header (first few bytes) and/or footer (last few bytes) of a file type. For example, a common header of a .JPG file is the hex combination "FFD8FFE0" with a footer of "FFD9". When a data carving utility finds the header, it copies the data until it finds the footer, and that becomes a recovered data set or file. Some of the programs will even allow you to ignore the footer to recover "partially recoverable files". The drawback of not looking for the footer of a file type is that you will get a lot more false positives.

What can you carve? Any data container that may contain files. You can carve an entire disk, a partition, a raw copy of a drive, a swap file (pagefile.sys in Windows), and even memory. You can even recover data from a drive that had an operating system reinstalled over a previous system.

During this section of training, we will make a forensically sound bit-stream image of a "suspect" USB thumb drive. After the raw image is complete, we will use several tools to recover "evidence", from mounting the raw dd image to data carving both deleted and undeleted files. Some of the open source Linux tools we will take a look at are RecoverJPEG, Foremost, and Scalpel.
Now for the work. You will need to be running a Linux distro with the following tools installed:

dcfldd
recoverjpeg
foremost
scalpel

All of these tools are run from the command line and, like most tools of this type, you will need to run them as root. You can either log in as root or use the sudo command. Example:

sudo fdisk -l

Finding the drive:

root@system:# fdisk -l
root@system:# dmesg | grep sd
root@system:# ls /dev/sd*

Using dcfldd (hashwindow=0 hashes the entire image once; the hash is written to hash.txt so the image can be verified later):

root@system:# dcfldd if=/dev/sdb1 of=forensic-image.dd hashwindow=0 hashlog=hash.txt
root@system:# cat hash.txt

Using mount (the image is a regular file, so it is attached through a loop device, and mounted read-only so the evidence is not altered):

root@system:# mkdir /mnt/evidence
root@system:# mount -o ro,loop forensic-image.dd /mnt/evidence
root@system:# cd /mnt/evidence
root@system:/mnt/evidence# ls

Using RecoverJPEG

root@system:# recoverjpeg forensic-image.dd

Using Foremost

Only generate an audit file and print to the screen (verbose mode):
root@system:# foremost -av forensic-image.dd

Search all defined types:
root@system:# foremost -t all -i forensic-image.dd

Search for jpg and pdf:
root@system:# foremost -t jpg,pdf -i forensic-image.dd

Run the default case:
root@system:# foremost forensic-image.dd

Using Scalpel

root@system:# scalpel forensic-image.dd -o Directory

By default, all file types in the database (/etc/scalpel/scalpel.conf) are commented out. To specify which file types you want to carve, you need to edit the file and uncomment each line.

Now, the trick is to use all of the tools at your disposal and compare. The easiest way to do this is to create the "evidence" drive yourself and document every file on the drive. Then delete several of the files or folders. At this point, you have a known baseline to start from. Create the dd raw image to analyze with the various methods.
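To make the header/footer carving described above concrete, here is a small carver written for this page (it is not code from the tutorial, nor from Foremost or Scalpel). It scans a raw image for the JPEG signature the text cites (FFD8FFE0 ... FFD9), optionally keeps header-only fragments as "partially recoverable" files, and runs against a constructed sample image; the PNG signature and the 16 MiB size limit are assumptions added for illustration.

```python
"""Minimal header/footer carver for a raw (dd) image. Standard library only."""
import hashlib

# Signature table: the JPEG entry is the header/footer the tutorial cites;
# the PNG entry is an added assumption to show the table is extensible.
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF\xE0", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image: bytes, max_size: int = 16 * 1024 * 1024, keep_partial: bool = False):
    """Return a list of (ext, offset, data, complete) tuples, sorted by offset.

    No file system index is consulted: every header occurrence is located, then
    bytes are copied until the matching footer. If no footer appears within
    max_size, the fragment is kept only when keep_partial is True. That is the
    "partially recoverable" mode, and it is also where false positives grow,
    since any stray header bytes then yield a file.
    """
    results = []
    for ext, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            window_end = min(len(image), pos + max_size)
            end = image.find(footer, pos + len(header), window_end)
            if end != -1:
                results.append((ext, pos, image[pos:end + len(footer)], True))
                next_search = end + len(footer)      # resume after this file
            else:
                if keep_partial:
                    results.append((ext, pos, image[pos:window_end], False))
                next_search = pos + len(header)      # skip only the header
            pos = image.find(header, next_search)
    return sorted(results, key=lambda r: r[1])

def md5(data: bytes) -> str:
    """Hash a carved object so it can be listed in an audit log, as dcfldd hashes the image."""
    return hashlib.md5(data).hexdigest()

# Constructed sample image: one complete JPEG-like object at offset 512 and one
# truncated object (header, no footer) at offset 874, padded with zero bytes.
SAMPLE_IMAGE = (
    b"\x00" * 512
    + b"\xFF\xD8\xFF\xE0" + b"A" * 100 + b"\xFF\xD9"
    + b"\x00" * 256
    + b"\xFF\xD8\xFF\xE0" + b"B" * 60
    + b"\x00" * 512
)

if __name__ == "__main__":
    for ext, offset, data, complete in carve(SAMPLE_IMAGE, keep_partial=True):
        state = "complete" if complete else "partial (no footer)"
        print(f"{offset:08d}.{ext}  {len(data):6d} bytes  md5={md5(data)}  {state}")
```

With keep_partial left at its default the truncated object is silently dropped, which is the same trade-off the text describes between missing partial files and accepting more false positives.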


Comments

  1. How can I image the computer hard disk itself?
  2. Why do you bother showing all the screens if you are going to fly through them at warp speed?

    Is your goal to show them how fast you are at it, or is the goal to instruct others?
  3. Hello Jeremy,
    thank you for the video, but I have a question: how do I create a forensic image for training?

    An image that includes an operating system but can be a small file, such as 1GB.
  4. Nice and quick .... I like it coz others are boring n take too much time in explaining ...thumbs up!!!!
  5. Which Linux distro did you use for this tutorial?
  6. Can we recover data after using DBAN?