Challenge DC3 2012
DC3 (the DoD Cyber Crime Center) organizes a digital forensics challenge every year.
403 - Deleted Drive Recovery
In short, the organizers are looking for a utility or methodology that works in either a Windows or a Linux environment to recover data that has been deleted, erased or overwritten to prevent recovery.
An archive containing three disk images to analyze is provided.
unzip -v Files.zip
Archive:  Files.zip
    Length  Method       Size  Cmpr    Date    Time   CRC-32   Name
----------  ------  ---------  ---- ---------- ----- --------  ----
         0  Stored          0    0% 12-13-2011 07:53 00000000  Files/
 526385664  Defl:X   10192663   98% 08-17-2011 09:43 a28d8353  Files/DR-3.dd
 526385664  Defl:X     510856  100% 08-17-2011 11:00 d84d44a5  Files/DR-2.dd
 534578688  Defl:X  534664776    0% 08-17-2011 09:36 16cefb31  Files/DR-1.dd
----------          ---------  ---                             -------
1587350016          545368295   66%                            4 files
DR-1.dd
The file cannot be compressed at all (its zip entry is even slightly larger than the original), so its content is random or pseudo-random. It could also be an encrypted container such as a TrueCrypt volume, which is indistinguishable from random data without the key; either way there is nothing to recover from it.
DR-2.dd
hexdump -C Files/DR-2.dd
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
1f600200
The content is all zeros up to the end of the image (0x1f600200 = 526385664 bytes): the drive has been wiped and there is no data to recover.
DR-3.dd
hexdump -C DR-3.dd | head
00000000  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
*
00081600  f8 ff ff 0f ff ff ff 0f  f8 ff ff 0f 04 00 00 00  |................|
00081610  05 00 00 00 06 00 00 00  07 00 00 00 08 00 00 00  |................|
00081620  09 00 00 00 0a 00 00 00  0b 00 00 00 0c 00 00 00  |................|
00081630  0d 00 00 00 0e 00 00 00  0f 00 00 00 10 00 00 00  |................|
00081640  11 00 00 00 12 00 00 00  13 00 00 00 14 00 00 00  |................|
00081650  15 00 00 00 16 00 00 00  17 00 00 00 18 00 00 00  |................|
00081660  19 00 00 00 1a 00 00 00  1b 00 00 00 1c 00 00 00  |................|
00081670  1d 00 00 00 1e 00 00 00  1f 00 00 00 20 00 00 00  |............ ...|
The image starts with a long run of zeros, then at offset 0x81600 the bytes "f8 ff ff 0f ff ff ff 0f" appear. These are the first two entries of a FAT32 table: FAT[0] holds the media descriptor (0xF8 for a hard disk) padded with 1 bits and FAT[1] is all 1 bits, so every copy of the FAT begins with this marker. The entries that follow (cluster 2 marked end-of-chain, then 3 -> 4 -> 5 -> ...) are ordinary cluster chains. In our case everything before that offset, i.e. the boot sector, the backup boot sector and the first copy of the FAT, has been zeroed, while the second copy of the FAT and the data area survive. Let's run "testdisk DR-3.dd", choose None for the partition table type, then Advanced, Type, FAT32, RebuildBS, and confirm that cluster 2 is the root directory:
TestDisk 6.14-WIP, Data Recovery Utility, November 2011
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org

     P FAT32                    0   0  1    63 253 63    1028097
Cluster 2, Directory / found ? Answer Y(es), N(o), Q(uit) or A(bort interactive mode). N or A if not sure.
>-rwxr-xr-x     0     0    476708 20-Jul-2011 10:26 CDFAE_4_300px.png
 -rwxr-xr-x     0     0   2405735 20-Jul-2011 19:27 CDFAE Fact Sheet_2011_7_20.pdf
 -rwxr-xr-x     0     0   2425913 28-Jul-2011 12:55 CDFAE Summary_2011_7_27.pdf
 -rwxr-xr-x     0     0     58444  6-Apr-2011 16:27 ChallengeONBlack.jpg
 drwxr-xr-x     0     0         0 16-Aug-2011 15:28 .Trash-1000
Choose List to browse the reconstructed filesystem:
TestDisk 6.14-WIP, Data Recovery Utility, November 2011
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org

     P FAT32                    0   0  1    63 253 63    1028097
Directory /

>-rwxr-xr-x     0     0    476708 20-Jul-2011 09:26 CDFAE_4_300px.png
 -rwxr-xr-x     0     0   2405735 20-Jul-2011 18:27 CDFAE Fact Sheet_2011_7_20.pdf
 -rwxr-xr-x     0     0   2425913 28-Jul-2011 11:55 CDFAE Summary_2011_7_27.pdf
 -rwxr-xr-x     0     0     58444  6-Apr-2011 15:27 ChallengeONBlack.jpg
 -rwxr-xr-x     0     0   4551563 13-May-2010 12:42 FX Logo Graphics Ideas.pptx
 drwxr-xr-x     0     0         0 16-Aug-2011 14:28 .Trash-1000

Use Right to change directory, h to hide deleted files
    q to quit, : to select the current file, a to select all files
    C to copy the selected files, c to copy the current file
Choose Write and confirm to write the new boot sector. This rewrites the first 3 sectors of the image (the FAT32 boot record: boot sector with its BPB, FSInfo sector and the third reserved sector). The next step is to fix the FAT: choose Repair FAT and confirm that you want to repair FAT1 using FAT2, which overwrites the zeroed first copy with the intact second copy.

Both steps modify the image, so run them on a working copy and keep the original evidence file untouched.

The filesystem can now be mounted or read with any tool to access the data.
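The checks behind this recovery can be scripted. The Python below is an added example, not code from the original writeup or from TestDisk: it reproduces the compression-ratio triage of the three images (all-zero, incompressible, structured), measures the leading zero run, locates each copy of a FAT32 table by the "f8 ff ff 0f ff ff ff 0f" marker that opens FAT[0]/FAT[1], infers the FAT size (from the spacing of two copies or, when a single copy directly follows the zeroed region, by assuming the usual 32 reserved sectors, which is an assumption since the wiped boot sector cannot be read) and walks a cluster chain in the surviving copy. build_image() constructs a small FAT32-like image in memory so the script runs offline; the same functions accept the bytes of a real .dd file.

```python
"""Triage raw disk images and locate a surviving FAT32 table copy.

Added example for the DC3 2012 "403 - Deleted Drive Recovery" writeup; not
part of the original page or of TestDisk. All sample data is constructed.
"""
import os
import struct
import zlib

SECTOR = 512
FAT32_MASK = 0x0FFFFFFF      # upper 4 bits of a FAT32 entry are reserved
FAT32_BAD = 0x0FFFFFF7       # bad cluster; values above it mark end of chain
# FAT[0] = media descriptor (0xF8, fixed disk) padded with 1 bits, FAT[1] = all
# 1 bits: every copy of a FAT32 table starts with these 8 bytes.
FAT32_START = bytes.fromhex("f8ffff0fffffff0f")


def classify(image: bytes) -> str:
    """Reproduce the unzip -v ratio test: all-zero data compresses to ~100%,
    random (or encrypted) data does not compress at all."""
    if image.count(b"\x00") == len(image):
        return "all-zero"
    ratio = len(zlib.compress(image, 6)) / len(image)
    return "incompressible" if ratio > 0.98 else "structured"


def leading_zero_bytes(image: bytes) -> int:
    """Length of the zero run at the start of the image (hexdump's '*' region)."""
    return len(image) - len(image.lstrip(b"\x00"))


def find_fat_copies(image: bytes) -> list:
    """Sector-aligned offsets at which a FAT32 table copy begins."""
    hits, pos = [], image.find(FAT32_START)
    while pos != -1:
        if pos % SECTOR == 0:
            hits.append(pos)
        pos = image.find(FAT32_START, pos + 1)
    return hits


def infer_fat_bytes(image: bytes, copies: list, reserved_sectors: int = 32):
    """Size of one FAT copy: the spacing of two copies, or, for a single copy
    right after the zeroed region, its offset minus the reserved area
    (32 sectors is an assumption, not read from the wiped boot sector)."""
    if len(copies) >= 2:
        return copies[1] - copies[0]
    if len(copies) == 1 and leading_zero_bytes(image) == copies[0]:
        return copies[0] - reserved_sectors * SECTOR
    return None


def fat_entry(image: bytes, fat_offset: int, cluster: int) -> int:
    (entry,) = struct.unpack_from("<I", image, fat_offset + 4 * cluster)
    return entry & FAT32_MASK


def follow_chain(image: bytes, fat_offset: int, first_cluster: int) -> list:
    """Walk a cluster chain in the given FAT copy until end-of-chain, a bad or
    free entry, or a loop (a damaged table may point back on itself)."""
    chain, seen, cluster = [], set(), first_cluster
    while 2 <= cluster < FAT32_BAD and cluster not in seen:
        seen.add(cluster)
        chain.append(cluster)
        cluster = fat_entry(image, fat_offset, cluster)
    return chain


def build_image(wipe_fat1: bool) -> bytes:
    """Constructed FAT32-like image: 32 reserved sectors, two 4-sector FAT
    copies, then an empty data area. Cluster 2 is the root directory (one
    cluster) and clusters 3..6 form one file's chain. With wipe_fat1=True the
    reserved sectors and the first FAT copy are zeroed, as in DR-3.dd."""
    reserved = bytearray(32 * SECTOR)
    if not wipe_fat1:
        reserved[0:3] = b"\xeb\x58\x90"      # jump opcode of a boot sector stub
        reserved[510:512] = b"\x55\xaa"      # boot sector signature
    fat = bytearray(4 * SECTOR)
    entries = [0x0FFFFFF8, 0x0FFFFFFF, 0x0FFFFFF8, 4, 5, 6, 0x0FFFFFFF]
    struct.pack_into("<%dI" % len(entries), fat, 0, *entries)
    fat1 = bytes(len(fat)) if wipe_fat1 else bytes(fat)
    return bytes(reserved) + fat1 + bytes(fat) + bytes(64 * SECTOR)


def triage(image: bytes) -> dict:
    """Summarise one image the way the writeup reasons about the three .dd files."""
    report = {"kind": classify(image), "leading_zero_bytes": leading_zero_bytes(image),
              "fat_copies": [], "fat_bytes": None, "root_chain": []}
    if report["kind"] != "structured":
        return report
    copies = find_fat_copies(image)
    report["fat_copies"] = copies
    report["fat_bytes"] = infer_fat_bytes(image, copies)
    if copies:                      # read chains from the last (surviving) copy
        report["root_chain"] = follow_chain(image, copies[-1], 2)
    return report


def sample_images() -> dict:
    """Constructed stand-ins for DR-2 (zeros), DR-1 (random) and DR-3 (wiped FAT1)."""
    return {"zeros": bytes(1 << 16), "random": os.urandom(1 << 16),
            "wiped": build_image(True), "intact": build_image(False)}


if __name__ == "__main__":
    for name, img in sample_images().items():
        print(name, triage(img))
```

On DR-3.dd the leading zero run ends at 0x81600, where the only FAT copy is found; that offset minus the reserved area is what testdisk's RebuildBS has to reconstruct into a boot sector, and the single surviving copy is what Repair FAT copies back over FAT1.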