TestDisk and PhotoRec in various digital forensics testcase

From CGSecurity

Test your knowledge

Try the Data Recovery with PhotoRec quiz at http://moodle.cgsecurity.org

Digital Forensics Tool Testing Images

Digital Forensics Tool Testing Images (DFTT) can be downloaded at http://dftt.sourceforge.net

Extended DOS Partition Test

  • Test: Most DOS partition tools will not allow the user to create a third entry in an extended partition. A test image was created by modifying the partition table by hand with a hex editor and the system was booted. Both Windows and Linux read the third entry in the extended partition table and allowed the user to mount the partition. This test was to verify that forensic tools also allowed the investigator to view the partition in the third entry.
  • Result: Passed. TestDisk shows all six FAT16 partitions (three primary, three logical). The message "A logical partition must contain only one partition" is TestDisk flagging the extended boot record that carries the extra entry; it is a warning, not a failure, and the partition is still listed.
testdisk -lu ext-part-test-2.dd 
TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
Please wait...
Disk ext-part-test-2.dd - 159 MB / 152 MiB - CHS 155 32 63 (RO), sector size=512

Disk ext-part-test-2.dd - 159 MB / 152 MiB - CHS 155 32 63 (RO)
     Partition                  Start        End    Size in sectors
check_FAT: Unusual number of reserved sectors 2 (FAT), should be 1.
Warning: Incorrect number of heads/cylinder 255 (FAT) != 32 (HD)
 1 P FAT16 <32M                    63      52415      52353 [NO NAME]
check_FAT: Unusual number of reserved sectors 8 (FAT), should be 1.
Warning: Incorrect number of heads/cylinder 255 (FAT) != 32 (HD)
 2 P FAT16 <32M                 52416     104831      52416 [NO NAME]
check_FAT: Unusual number of reserved sectors 8 (FAT), should be 1.
Warning: Incorrect number of heads/cylinder 255 (FAT) != 32 (HD)
 3 P FAT16 <32M                104832     157247      52416 [NO NAME]
 4 E extended                  157248     312479     155232
Partition Table contains two or more Primary DOS FAT partitions
No partition is bootable
A logical partition must contain only one partition
check_FAT: Unusual number of reserved sectors 2 (FAT), should be 1.
Warning: Incorrect number of heads/cylinder 255 (FAT) != 32 (HD)
 5 L FAT16 <32M                157311     209663      52353 [NO NAME]
check_FAT: Unusual number of reserved sectors 2 (FAT), should be 1.
Warning: Incorrect number of heads/cylinder 255 (FAT) != 32 (HD)
 6 L FAT16 <32M                209727     262079      52353 [NO NAME]
   X extended                  262080     312479      50400
 7 L FAT16 >32M                262143     312479      50337
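To see what TestDisk is doing when it produces the list above, here is an added example (not TestDisk's code) that walks an MBR and the chain of extended boot records (EBRs) behind its extended partition in Python and reproduces the same start/end/size columns. The sample table is constructed to match the layout reported for ext-part-test-2.dd; the image's own bytes are not on this page, so the placement of the extra entry (third slot of the first EBR) is an assumption made for this example.

```python
"""Walk an MBR partition table and the chain of extended boot records (EBRs)
behind its extended partition, the way a partition tool has to before it can
list logical partitions.

Added example, not TestDisk code. The sample table is constructed to mirror
the layout TestDisk reports for ext-part-test-2.dd; where the extra entry sits
(third slot of the first EBR) is an assumption made for this example.
"""
import struct
from dataclasses import dataclass

SECTOR = 512
EXTENDED = {0x05, 0x0F, 0x85}    # DOS extended, Win95 extended LBA, Linux extended
TYPE_NAMES = {0x01: "FAT12", 0x04: "FAT16 <32M", 0x05: "extended", 0x06: "FAT16 >32M",
              0x07: "HPFS - NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x0E: "FAT16 LBA",
              0x0F: "extended LBA", 0x83: "Linux"}


@dataclass
class Partition:
    kind: str      # P primary, E extended container, L logical, X link to the next EBR
    ptype: int
    start: int     # absolute LBA of the first sector
    size: int      # sectors

    @property
    def end(self) -> int:
        return self.start + self.size - 1


def table_entries(sector: bytes):
    """Yield (type, start, size) for the four 16-byte entries at offset 446."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature")
    for i in range(4):
        off = 446 + 16 * i
        ptype = sector[off + 4]
        start, size = struct.unpack_from("<II", sector, off + 8)
        if ptype:
            yield ptype, start, size


def walk_partitions(read_sector):
    """read_sector(lba) -> 512 bytes.  Returns (partitions, warnings)."""
    parts, warnings, ext = [], [], None
    for ptype, start, size in table_entries(read_sector(0)):
        if ptype in EXTENDED:
            ext = (start, size)
        parts.append(Partition("E" if ptype in EXTENDED else "P", ptype, start, size))
    if ext is None:
        return parts, warnings
    ext_start, ext_size = ext
    ebr, seen = ext_start, set()
    while ebr is not None and ebr not in seen:       # 'seen' breaks EBR loops
        seen.add(ebr)
        link, logicals = None, 0
        for ptype, rel, size in table_entries(read_sector(ebr)):
            if ptype in EXTENDED:
                # link entry: its start is relative to the primary extended partition
                link = Partition("X", ptype, ext_start + rel, size)
            else:
                # logical partition: its start is relative to this EBR's own sector
                p = Partition("L", ptype, ebr + rel, size)
                if p.start < ext_start or p.end > ext_start + ext_size - 1:
                    warnings.append(f"logical partition at {p.start} lies outside the extended partition")
                parts.append(p)
                logicals += 1
        if logicals > 1:
            warnings.append(f"EBR at {ebr} holds {logicals} logical partitions, expected 1")
        if link is not None:
            parts.append(link)
        ebr = link.start if link is not None else None
    return parts, warnings


def _table(entries):
    """Build one 512-byte table sector from (type, start, size) tuples (constructed data)."""
    sec = bytearray(SECTOR)
    for i, (ptype, start, size) in enumerate(entries):
        struct.pack_into("<4xB3xII", sec, 446 + 16 * i, ptype, start, size)
    sec[510:512] = b"\x55\xAA"
    return bytes(sec)


def build_test_image():
    """Constructed sectors: MBR, first EBR (with the unusual third entry), second EBR."""
    sectors = {
        0: _table([(0x04, 63, 52353), (0x04, 52416, 52416),
                   (0x04, 104832, 52416), (0x05, 157248, 155232)]),
        157248: _table([(0x04, 63, 52353), (0x05, 104832, 50400), (0x04, 52479, 52353)]),
        262080: _table([(0x06, 63, 50337)]),
    }
    return lambda lba: sectors[lba]


if __name__ == "__main__":
    parts, warns = walk_partitions(build_test_image())
    for p in parts:
        print(f"{p.kind} {TYPE_NAMES.get(p.ptype, hex(p.ptype)):<14}{p.start:>10}{p.end:>10}{p.size:>10}")
    for w in warns:
        print("warning:", w)
```

Logical partition entries are relative to their own EBR, while the link entry is relative to the start of the primary extended partition; mixing up those two bases is the classic off-by-63 error. The walker also warns when one EBR carries more than one logical partition, which is exactly the case this test image exercises, and it keeps a set of visited EBRs so a malformed chain that points back on itself cannot loop forever.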

FAT Undelete Test #1

  • Test: This test image is a 6MB FAT file system with six deleted files and two deleted directories. The files range from single cluster files to multiple fragments.
  • Procedure

Run testdisk 6-fat-undel.dd, Partition type: None, Advanced, Undelete; then, for each file, select it and press c to copy it.

TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
   P FAT16                    0   0  1     5  30 62      12032 [NO NAME]
Directory /

>-rwxr-xr-x     0     0      1584 14-Feb-2004 12:51 _RAG1.DAT
 -rwxr-xr-x     0     0      3873 14-Feb-2004 12:52 _RAG2.DAT
 -rwxr-xr-x     0     0       780 14-Feb-2004 12:52 _ING.DAT
 -rwxr-xr-x     0     0      3801 14-Feb-2004 21:20 _ULT1.DAT
 drwxr-xr-x     0     0      1024 14-Feb-2004 12:53 _IR1
 drwxr-xr-x     0     0      1024 14-Feb-2004 12:53 System Volume Information

Use Right arrow to change directory, c to copy,
    h to hide deleted files, q to quit
  • Results

1. Can you see the frag1.dat, frag2.dat, sing.dat, mult1.dat, and dir1 file and directory names in the root directory?

Yes, but the first character of each name is missing, as expected: FAT marks a deleted directory entry by overwriting the first byte of the 8.3 name with 0xE5, and TestDisk displays that byte as an underscore.

2. Can you see the dir2 and mult2.dat names in the dir1 directory?

Yes

3. Can you see the frag3.dat name in the dir1\dir2 directory?

Yes

4. Can you recover the sing.dat file? Does it have the correct MD5?

Yes

5. Can you recover the mult1.dat file? Does it have the correct MD5?

Yes

6. Can you recover the dir1\mult2.dat file? Does it have the correct MD5?

Yes

7. Can you recover the frag1.dat file? Does it have the correct MD5?

Incorrect MD5

8. Can you recover the frag2.dat file? Does it have the correct MD5?

Incorrect MD5

9. Can you recover the dir1\dir2\frag3.dat file? Does it have the correct MD5?

Incorrect MD5

TestDisk finds all the deleted files, but the fragmented ones (frag1.dat, frag2.dat, frag3.dat) are not recovered correctly. On FAT, deleting a file zeroes its cluster chain in the allocation table; only the first cluster and the size survive in the directory entry, so an undelete tool has to assume the clusters were contiguous, and that assumption is wrong for a fragmented file.
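Why the first character is lost and why only the fragmented files fail: the added Python example below (not TestDisk code) decodes FAT 8.3 directory entries and undeletes files on a constructed miniature FAT16 volume. The file names, cluster contents and sizes are invented for the demonstration and are not the layout of 6-fat-undel.dd.

```python
"""Decode FAT 8.3 directory entries and undelete files the way a FAT undelete
tool has to, to show why the listing above reads _RAG1.DAT and why the
fragmented files come back with a wrong MD5.

Added example, not TestDisk code. The miniature volume (512-byte clusters, a
FAT held as a list, a four-entry root directory) is constructed here; it is
not the layout of 6-fat-undel.dd.
"""
import hashlib
import struct

ATTR_DIR, ATTR_LFN, DELETED, END_OF_DIR = 0x10, 0x0F, 0xE5, 0x00


def fat_datetime(date: int, time: int):
    """FAT packed date/time -> (year, month, day, hour, minute, second)."""
    return (1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
            time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_entry(e: bytes):
    """One 32-byte entry -> dict, or None for long-name slots and end-of-directory."""
    if len(e) != 32 or e[0] == END_OF_DIR:
        return None
    attr = e[11]
    if attr & ATTR_LFN == ATTR_LFN:
        return None                                  # VFAT long-name slot, not a file
    deleted = e[0] == DELETED
    raw = bytearray(e[:11])
    if deleted:
        raw[0] = ord("_")                            # first character was overwritten with 0xE5; shown as '_'
    base = raw[:8].decode("ascii", "replace").rstrip()
    ext = raw[8:].decode("ascii", "replace").rstrip()
    clus_hi, wtime, wdate, clus_lo, size = struct.unpack_from("<HHHHI", e, 20)
    return {"name": f"{base}.{ext}" if ext else base, "deleted": deleted,
            "is_dir": bool(attr & ATTR_DIR), "first_cluster": (clus_hi << 16) | clus_lo,
            "size": size, "mtime": fat_datetime(wdate, wtime)}


def read_file(entry, fat, read_cluster, cluster_size):
    """Live file: follow the FAT chain.  Deleted file: the chain was zeroed on
    deletion, so only first cluster + size remain and contiguity is assumed."""
    n = -(-entry["size"] // cluster_size)            # clusters needed (ceil)
    c = entry["first_cluster"]
    if entry["deleted"]:
        chain = list(range(c, c + n))
    else:
        chain = []
        while 2 <= c < 0xFFF8 and len(chain) < n:   # 0xFFF8.. marks end of chain on FAT16
            chain.append(c)
            c = fat[c]
    return b"".join(read_cluster(x) for x in chain)[:entry["size"]]


def make_entry(name, ext, first_cluster, size, deleted=False, attr=0x20):
    """Constructed directory entry dated 14-Feb-2004 12:51 (0x304E / 0x6660)."""
    e = bytearray(32)
    e[:8] = name.ljust(8).encode()
    e[8:11] = ext.ljust(3).encode()
    e[11] = attr
    struct.pack_into("<HHHHI", e, 20, first_cluster >> 16, 0x6660, 0x304E, first_cluster & 0xFFFF, size)
    if deleted:
        e[0] = DELETED
    return bytes(e)


def build_volume():
    cs = 512
    clusters = {2: b"S" * cs, 3: b"F1" * 256, 4: b"X" * cs, 5: b"F2" * 256,
                6: b"M1" * 256, 7: b"M2" * 256}
    # FAT after deletion: SING.DAT (2) and OTHER.DAT (4) are live; FRAG1.DAT used
    # 3 -> 5 around OTHER.DAT, MULT1.DAT used 6 -> 7; both chains are now zeroed.
    fat = [0xFFF8, 0xFFFF, 0xFFFF, 0, 0xFFFF, 0, 0, 0]
    originals = {"SING.DAT": clusters[2][:300],
                 "FRAG1.DAT": (clusters[3] + clusters[5])[:700],
                 "MULT1.DAT": (clusters[6] + clusters[7])[:900]}
    root = (make_entry("SING", "DAT", 2, 300) + make_entry("FRAG1", "DAT", 3, 700, deleted=True)
            + make_entry("MULT1", "DAT", 6, 900, deleted=True) + make_entry("OTHER", "DAT", 4, 512)
            + bytes(32))
    return root, fat, clusters, originals, cs


def undelete_demo():
    """Recover every root entry; map name -> whether its MD5 matches the original.
    The originals are only known here because we built the volume ourselves."""
    root, fat, clusters, originals, cs = build_volume()
    result = {}
    for off in range(0, len(root), 32):
        if root[off] == END_OF_DIR:
            break
        ent = parse_entry(root[off:off + 32])
        if ent is None:
            continue
        data = read_file(ent, fat, clusters.__getitem__, cs)
        key = next((k for k in originals if k[1:] == ent["name"][1:]), None)
        if key:
            result[ent["name"]] = hashlib.md5(data).hexdigest() == hashlib.md5(originals[key]).hexdigest()
    return result


if __name__ == "__main__":
    for name, ok in undelete_demo().items():
        print(f"{name:<10} {'correct MD5' if ok else 'incorrect MD5'}")
```

The deleted contiguous file (MULT1.DAT) and the live file come back intact; the deleted fragmented file (FRAG1.DAT) is rebuilt from clusters 3 and 4 instead of 3 and 5, because nothing on disk says where its second fragment was, which is the "Incorrect MD5" result reported above.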

NTFS Undelete (and leap year) Test #1

  • Test: This test image is a 6MB NTFS file system with eight deleted files, two deleted directories, and a deleted alternate data stream. The files range from resident files (stored inside their MFT record) to single-cluster files and files in multiple fragments.
  • Procedure:

Run testdisk 7-ntfs-undel.dd, Partition type: None, Advanced, Undelete

TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
   P NTFS                     0   0  1     5  30 62      12032 [NTFS_DEL]
Deleted files

>./frag1.dat                                                               29-Feb-2004 21:00    1584
 ./frag2.dat                                                               29-Feb-2004 21:02    3873
 ./mult1.dat                                                               29-Feb-2004 21:02    3801
 ./res1.dat                                                                29-Feb-2004 21:05     101
 ./sing1.dat                                                               29-Feb-2004 21:01     780
 /dir1/dir2/frag3.dat                                                      29-Feb-2004 21:03    2027
 /dir1/mult2.dat                                                           29-Feb-2004 21:03    1715
 sing2.dat                                                                 29-Feb-2004 21:04    1005

Use : to select the current file, a to select/deselect all files,
    C to copy the selected files, c to copy the current file, q to quit
  • Results:

1. Can you see any of the deleted file names? Which ones?

All the files are listed. The alternate data stream mult1.dat:ADS has been listed since version 6.13.

2. Can you recover the res1.dat file? Does it have the correct MD5?

Perfectly recovered.

3. Can you recover the sing1.dat file? Does it have the correct MD5?

Perfectly recovered.

4. Can you recover the dir3\sing2.dat file? Does it have the correct MD5?

The file is recovered as sing2.dat instead of dir3\sing2.dat; its checksum is OK.

5. Can you recover the mult1.dat file? Does it have the correct MD5?

Perfectly recovered.

6. Can you recover the mult1.dat:ADS file? Does it have the correct MD5?

Perfectly recovered.

7. Can you recover the dir1\mult2.dat file? Does it have the correct MD5?

Perfectly recovered.

8. Can you recover the frag1.dat file? Does it have the correct MD5?

Perfectly recovered.

9. Can you recover the frag2.dat file? Does it have the correct MD5?

Perfectly recovered.

10. Can you recover the dir1\dir2\frag3.dat file? Does it have the correct MD5?

Perfectly recovered.

11. Are the dates properly shown to be from Feb 29, 2004? (testing leap year support)

Yes, no problem

Basic Data Carving Test #1

  • Test: This test image is a FAT32 file system and is intended to test data carving tools and their ability to extract various file formats. The image contains several allocated and deleted files, and the header of one JPEG file was modified (to show the importance of ignoring corrupted files). The FAT boot sector has been corrupted so that the image cannot be mounted; data carving methods must therefore be used to extract the files.

Repairing the damaged boot sector using TestDisk

  • Procedure: run testdisk 11-carve-fat.dd, Partition type: None, Advanced, change the type to FAT16, Boot, RebuildBS, List
TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
   P FAT16                    0   0  1     7 229 31     126913
Directory /

>-rwxr-xr-x     0     0     19968  9-Mar-2005 13:25 2003_document.doc
 -rwxr-xr-x     0     0   8037267  9-Mar-2005 13:25 _OMOPERS.WMV
 -rwxr-xr-x     0     0    318895  9-Mar-2005 13:25 enterprise.wav
 -rwxr-xr-x     0     0     24367  9-Mar-2005 13:25 haxor2.jpg
 -rwxr-xr-x     0     0     23040  9-Mar-2005 13:25 holly.xls
 -rwxr-xr-x     0     0   1399508  9-Mar-2005 13:25 lin_1.2.pdf
 -rwxr-xr-x     0     0    122434  9-Mar-2005 13:25 nlin_14.pdf
 -rwxr-xr-x     0     0     29885  9-Mar-2005 13:25 paul.jpg
 -rwxr-xr-x     0     0    444314  9-Mar-2005 13:25 pumpkin.jpg
 -rwxr-xr-x     0     0     99298  9-Mar-2005 13:25 shark.jpg
 -rwxr-xr-x     0     0      5498  9-Mar-2005 13:25 sm1.gif
 -rwxr-xr-x     0     0    550653  9-Mar-2005 13:25 surf.mov
 -rwxr-xr-x     0     0   1036994  9-Mar-2005 13:25 surf.wmv
 -rwxr-xr-x     0     0     11264  9-Mar-2005 13:25 _EST.PPT
 -rwxr-xr-x     0     0     78899  9-Mar-2005 13:25 wword60t.zip

Use Right arrow to change directory, c to copy,
    h to hide deleted files, q to quit
  • Results: All the files are perfectly recovered

Data carving using PhotoRec

Run photorec 11-carve-fat.dd, Partition type: None, Search, Other, select where to store the files

PhotoRec 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk 11-carve-fat.dd - 64 MB / 61 MiB (RO)
     Partition                  Start        End    Size in sectors
   P Unknown                  0   0  1     7 229 31     126913


14 files saved in /home2/kmaster//11-carve-fat/recup_dir directory.
Recovery completed.

[ Quit ]

Results

  • All the files are recovered. The damaged jpg (haxor2.jpg) is ignored as expected
  • 13/14 files are perfectly recovered (checksums match the originals; with versions older than 6.12 the score is 11/14)
  • When enterprise.wav is recovered it is one byte shorter than the original. PhotoRec is correct: it stops at the length declared in the RIFF header, and the original file carries one extra junk byte after it, so the carved file cannot match the original's checksum.

Basic Data Carving Test #2

This test image is an EXT2 file system and is intended to test data carving tools for indirect block detection and removal. For large files, EXT2 allocates blocks (called indirect blocks) to store file metadata, namely the list of block numbers making up the file, and these blocks are placed in between the blocks that hold file content. The file therefore looks fragmented on disk, and a basic carving tool includes the indirect block in the carved file, corrupting it. This file system image contains several allocated and deleted files, none of which have been modified. The super block has been corrupted so that the image cannot be mounted; data carving methods must therefore be used to extract the files.
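An added Python example (not PhotoRec's code; PhotoRec's ext2/ext3 mode does this with its own logic) of the indirect-block removal this test is about. The detection heuristic is this example's own assumption, spelled out in the docstring, and the carved run is constructed inline.

```python
"""Spot and drop ext2 indirect blocks from a carved run of blocks.

Added example, not PhotoRec's code. An ext2 file longer than 12 blocks gets
its single-indirect block allocated immediately before the data blocks it
points to, so a carver that copies blocks sequentially picks it up as file
content. The heuristic here is an assumption of this example: a block is taken
for an indirect block when it is an array of little-endian 32-bit block numbers
whose first entry is the block's own number + 1, whose non-zero entries
strictly increase, and which is zero-padded to the end. Double-indirect blocks
pass the same test, since their first entry points at the single-indirect
block that follows them.
"""
import struct


def looks_like_indirect(block: bytes, abs_block_no: int) -> bool:
    n = len(block) // 4
    if n == 0:
        return False
    ptrs = struct.unpack(f"<{n}I", block[:n * 4])
    if ptrs[0] != abs_block_no + 1:         # first pointee is the very next block on disk
        return False
    prev, padding = 0, False
    for p in ptrs:
        if p == 0:
            padding = True                  # zero tail: the pointer list ends here
        elif padding or p <= prev:          # pointer after the tail, or not increasing
            return False
        else:
            prev = p
    return True


def strip_indirect_blocks(run: bytes, start_block: int, block_size: int = 1024):
    """run = carved bytes starting at absolute block start_block.
    Returns (data with indirect blocks removed, [block numbers removed])."""
    kept, dropped = [], []
    for i in range(0, len(run), block_size):
        blk = run[i:i + block_size]
        no = start_block + i // block_size
        if len(blk) == block_size and looks_like_indirect(blk, no):
            dropped.append(no)
        else:
            kept.append(blk)
    return b"".join(kept), dropped


def build_carved_run(start_block=1000, block_size=1024, data_blocks=14):
    """Constructed on-disk image of a 14-block file at block 1000: 12 direct data
    blocks, the single-indirect block, then the remaining 2 data blocks.
    Returns (what a sequential carver reads, the true file content)."""
    data = [bytes([65 + i]) * block_size for i in range(data_blocks)]     # 'A'*1024, 'B'*1024, ...
    ind = bytearray(block_size)
    ind_no = start_block + 12                                              # lands after the 12 direct blocks
    tail = list(range(ind_no + 1, ind_no + 1 + data_blocks - 12))          # data blocks 13.. sit right behind it
    struct.pack_into(f"<{len(tail)}I", ind, 0, *tail)
    run = b"".join(data[:12]) + bytes(ind) + b"".join(data[12:])
    return run, b"".join(data)


if __name__ == "__main__":
    run, truth = build_carved_run()
    cleaned, dropped = strip_indirect_blocks(run, 1000)
    print(f"dropped indirect block(s) {dropped}; carved data intact: {cleaned == truth}")
```

The "own block number + 1" check is what makes the heuristic safe on real data: a run of ordinary file content would have to start with exactly that 32-bit value and then climb monotonically to be mistaken for metadata. It is also why the caller must pass the absolute block number where the carved run starts, which a carver always knows.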

Several approaches are possible with TestDisk and PhotoRec.

Superblock recovery using TestDisk

TestDisk can find the backup superblock locations. Run testdisk 12-carve-ext2.dd, Partition type: None, Advanced, change the type to ext2, Superblock

TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk 12-carve-ext2.dd - 129 MB / 123 MiB - CHS 16 255 63 (RO)

     Partition                  Start        End    Size in sectors

  ext2                     0   0  1    15 185 18     252648
superblock 8193, blocksize=1024 []
superblock 24577, blocksize=1024 []
superblock 40961, blocksize=1024 []
superblock 57345, blocksize=1024 []
superblock 73729, blocksize=1024 []

To repair the filesystem using alternate superblock, run
fsck.ext2 -p -b superblock -B blocksize device

>[  Quit  ]
                            Return to Advanced menu

Using the block number and block size reported by TestDisk, the filesystem can be repaired. fsck writes to the image, so run it on a working copy, never on the evidence image itself:

$ fsck.ext2 -p -b 8193 -B 1024 12-carve-ext2.dd 
12-carve-ext2.dd was not cleanly unmounted, check forced.
12-carve-ext2.dd: 19/31616 files (0.0% non-contiguous), 6521/126324 blocks

This way all the non-deleted files are available again. After recovering the two deleted files with PhotoRec, every file is recovered. This is the cleanest solution.
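Added Python example (not TestDisk's code) that derives the same backup superblock locations from the ext2 layout rules and validates each candidate by its magic number and block-size field; the test image is constructed with the primary superblock zeroed, as in the DFTT test. The blocks-per-group value is assumed to be the mke2fs default of 8 * block_size unless the caller passes it.

```python
"""Locate ext2/ext3 backup superblocks when the primary one is damaged.

Added example, not TestDisk's code. With the sparse_super feature (the mke2fs
default) backup copies live in block groups 0, 1 and every power of 3, 5 and 7.
Group g starts at block first_data_block + g * blocks_per_group, where
first_data_block is 1 for 1 KiB blocks and 0 otherwise. The function assumes
the mke2fs default of 8 * block_size blocks per group unless told otherwise,
then checks each candidate for the 0xEF53 magic and consistent fields.
"""
import io
import struct

EXT2_MAGIC = 0xEF53
SB_OFF_FIRST_DATA, SB_OFF_LOG_BSIZE, SB_OFF_BPG, SB_OFF_MAGIC = 0x14, 0x18, 0x20, 0x38


def backup_groups(n_groups: int):
    """Group numbers holding a superblock copy under sparse_super (group 0 is the primary)."""
    groups = {0, 1}
    for base in (3, 5, 7):
        g = base
        while g < n_groups:
            groups.add(g)
            g *= base
    return sorted(g for g in groups if g < n_groups)


def find_superblocks(img, block_size=1024, blocks_per_group=None):
    """img: seekable binary file.  Returns [(block_no, block_size)] for every
    backup superblock whose magic, block size and blocks-per-group fields check out."""
    bpg = blocks_per_group or 8 * block_size
    img.seek(0, io.SEEK_END)
    total_blocks = img.tell() // block_size
    first_data = 1 if block_size == 1024 else 0
    n_groups = -(-(total_blocks - first_data) // bpg)        # ceil
    found = []
    for g in backup_groups(n_groups):
        if g == 0:
            continue                                          # the primary copy: the damaged one
        blk = first_data + g * bpg
        img.seek(blk * block_size)
        sb = img.read(1024)
        if len(sb) < 1024:
            break
        magic, = struct.unpack_from("<H", sb, SB_OFF_MAGIC)
        log_bs, = struct.unpack_from("<I", sb, SB_OFF_LOG_BSIZE)
        sb_bpg, = struct.unpack_from("<I", sb, SB_OFF_BPG)
        if magic == EXT2_MAGIC and 1024 << log_bs == block_size and sb_bpg == bpg:
            found.append((blk, block_size))
    return found


def build_test_image(total_blocks=60000, block_size=1024, bpg=8192):
    """Constructed image: valid backup superblocks at every sparse_super location,
    primary superblock left zeroed (damaged). Not the DFTT image's real contents."""
    img = bytearray(total_blocks * block_size)
    first_data = 1 if block_size == 1024 else 0
    n_groups = -(-(total_blocks - first_data) // bpg)
    for g in backup_groups(n_groups):
        if g == 0:
            continue
        off = (first_data + g * bpg) * block_size
        struct.pack_into("<I", img, off + SB_OFF_FIRST_DATA, first_data)
        struct.pack_into("<I", img, off + SB_OFF_LOG_BSIZE, (block_size // 1024).bit_length() - 1)
        struct.pack_into("<I", img, off + SB_OFF_BPG, bpg)
        struct.pack_into("<H", img, off + SB_OFF_MAGIC, EXT2_MAGIC)
    return io.BytesIO(img)


if __name__ == "__main__":
    image = build_test_image()
    hits = find_superblocks(image)
    for blk, bs in hits:
        print(f"superblock {blk}, blocksize={bs}")
    blk, bs = hits[0]
    print(f"repair a working copy with: fsck.ext2 -p -b {blk} -B {bs} copy-of-image.dd")
```

For the 126324-block image on this page the same arithmetic gives 16 groups and therefore the five copies TestDisk printed (8193, 24577, 40961, 57345, 73729); group 25 would sit at block 204801, beyond the end of the image. On a real image, open the file with open(path, "rb") and pass it in place of the BytesIO; try block sizes 1024, 2048 and 4096 in turn if the first yields nothing.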

Copy files from the damaged ext2 filesystem using TestDisk

Run testdisk 12-carve-ext2.dd, Partition type: None, Analyse, Quick Search, Deeper Search. The ext2 filesystem is found. Press p to list the files. For each file, press c to copy it.

TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
   P ext2                     0   0  1    15 185 18     252648
Directory /

>drwxr-xr-x     0     0      1024 10-Mar-2005 19:04 .
 drwxr-xr-x     0     0      1024 10-Mar-2005 19:04 ..
 drwx------     0     0     12288 10-Mar-2005 17:41 lost+found
 -rw-r--r--     0     0     18663 10-Mar-2005 19:01 blogo.gif
 -rw-r--r--     0     0     28949 10-Mar-2005 19:01 jn.jpg
 -rw-r--r--     0     0     26618 10-Mar-2005 19:01 lin_test.pdf
 -rw-r--r--     0     0      8463 10-Mar-2005 19:01 main_dive.jpg
 -rw-r--r--     0     0    734652 10-Mar-2005 19:01 n_lin_ss.pdf
 -rw-r--r--     0     0    133249 10-Mar-2005 19:01 sherry.jpg
 -rw-r--r--     0     0     15360 10-Mar-2005 19:01 stats.xls
 -rw-r--r--     0     0     17408 10-Mar-2005 19:01 test.ppt

Use Right arrow to change directory, c to copy,
    h to hide deleted files, q to quit

Unfortunately, the deleted files don't show up.

File carving using PhotoRec

PhotoRec is a signature-based file carver. Run photorec 12-carve-ext2.dd, Partition type: None, Search, filesystem type: ext2/ext3. Choosing ext2/ext3 here matters: it tells PhotoRec to expect, and skip, the indirect blocks interleaved with the file data.

PhotoRec 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk 12-carve-ext2.dd - 129 MB / 123 MiB (RO)
     Partition                  Start        End    Size in sectors
   P Unknown                  0   0  1    15 185 20     252650


10 files saved in /home/kmaster/recup_dir directory.
Recovery completed.

[ Quit ]

All the files, deleted and non-deleted, are recovered.

DFRWS

DFRWS 2006 Forensics Challenge - Data carving

After downloading the challenge archive, it's possible to run PhotoRec

  • in a fully automated way
photorec /debug /log /d recup_dir /cmd dfrws-2006-challenge.raw options,paranoid_bf,keep_corrupted_file,search
  • or in the interactive fashion
    • photorec /debug /log dfrws-2006-challenge.raw
    • in the options menu, enable the brute-force search mode and tell PhotoRec to keep corrupted files

Results:

  • Fragments of HTML and ASCII text files are recovered
  • Microsoft Office documents: all files are recovered perfectly except one. The file 2c.xls comes back as the broken file b0002051.doc.
  • JPEG files: 3h1.jpg and 3h2.jpg are not recovered successfully; two broken files, b0031475.jpg and b0031533.jpg, are produced instead.
  • ZIP recovery: all files are recovered except 4c.zip, the ZIP file that was fragmented with random data in between. PhotoRec detects that the carved archive is broken and saves it as b0045015.zip.

The b prefix marks files PhotoRec knows to be broken; they are only written to disk because keep_corrupted_file was enabled.

DFRWS 2008 Rodeo - Data carving or FAT unformat ?

Download the image file. We will analyze the thumbdrive image:

  • Run testdisk dfrws2008-rodeo-thumbdrive.img
  • Partition type: Intel
  • Advanced
  • Undelete
TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
 1 P FAT32 LBA                0   0  2    15 186 19     252711
Directory /

No file found, filesystem seems damaged.

Use Right arrow to change directory, c to copy,
    h to hide deleted files, q to quit

No file is listed!

PhotoRec can recover most of the files with its signature-based strategy:

  • Run photorec dfrws2008-rodeo-thumbdrive.img
  • Partition type: Intel
  • Search
  • Select Other as the filesystem was FAT
  • [ Free ]
  • Various files are recovered. For some of them, PhotoRec has been able to extract the original filename from the file content itself:
f0002635.exe  f0006563.exe  f0011519_wget.exe      f0012155_libeay32.dll   f0015983_libintl3.dll
f0006239.zip  f0011349.zip  f0011763_ssleay32.dll  f0014227_libiconv2.dll  f0016187_upx.exe

Let's now try the unformat function from PhotoRec.

  • Run photorec dfrws2008-rodeo-thumbdrive.img
  • Partition type: Intel
  • Enable the expert mode in Options
  • Search
  • Select Other as the filesystem was FAT
  • [ Free ]
  • Choose to try to unformat the filesystem, note that it doesn't modify the source disk
  • Use the default values
  • Don't create an image with the blocks where no data has been identified
  • Examine the recovered files

Using the information found during the "unformat" phase, PhotoRec has been able to identify more files:

f0016979-._501              f0017207-0.indexPositions         f0017375-live.0.indexTermIds
f0017019-0.indexIds         f0017231-0.indexDirectory         f0017391-live.0.indexPositions
f0017083-0.indexGroups      f0017255-0.indexCompactDirectory  f0017399-live.0.indexPositionTable
f0017183-0.indexPostings    f0017295-live.0.indexIds          f0017415-live.0.indexDirectory
f0017187-0.indexHead        f0017359-live.0.indexGroups       f0017571-live.0.indexHead
f0017195-0.shadowIndexHead  f0017367-live.0.indexPostings     f0017939-0.indexArrays

ForensicKB

Simple Forensic Puzzle #1

In this puzzle, the partition types recorded in the partition table don't match the filesystems actually present in the partitions.

  • Run testdisk "www.lancemueller.com/blog/evidence/Forensic Puzzle.E01" (the path contains a space, so quote it)
  • Partition table type: Intel
  • Analyse
TestDisk 6.13-WIP, Data Recovery Utility, May 2011
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Image www.lancemueller.com/blog/evidence/Forensic Puzzle.E01 - 1573 MB / 1501 MiB - CHS 3074048 1 1
Current partition structure:
     Partition                  Start        End    Size in sectors

check_FAT: Unusual number of reserved sectors 4 (FAT), should be 1.
Warning: Incorrect number of heads/cylinder 255 (FAT) != 1 (HD)
Warning: Incorrect number of sectors per track 63 (FAT) != 1 (HD)
 1 P FAT32 LBA                   2048    1026047    1024000 [NO NAME]

Warning: Bad starting sector (CHS and LBA don't match)
Invalid NTFS or EXFAT boot
 2 P HPFS - NTFS              1026048    2050047    1024000
 2 P HPFS - NTFS              1026048    2050047    1024000

Warning: Bad starting sector (CHS and LBA don't match)
Invalid FAT boot sector
 3 P FAT16 >32M               2050048    3074047    1024000
 3 P FAT16 >32M               2050048    3074047    1024000

Warning: Bad starting sector (CHS and LBA don't match)
No partition is bootable


*=Primary bootable  P=Primary  L=Logical  E=Extended  D=Deleted
>[Quick Search]  [ Backup ]
                            Try to locate partition

The partition types recorded in the table are FAT32 LBA, NTFS and FAT16 >32M, and TestDisk already warns that the NTFS and FAT16 boot sectors are invalid.

  • Quick Search
TestDisk 6.13-WIP, Data Recovery Utility, May 2011
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Image www.lancemueller.com/blog/evidence/Forensic Puzzle.E01 - 1573 MB / 1501 MiB - CHS 3074048 1 1
     Partition               Start        End    Size in sectors
>* FAT16 LBA                   2048    1026047    1024000 [NO NAME]
 P FAT32 LBA                1026048    2050047    1024000 [NEW VOLUME]
 P HPFS - NTFS              2050048    3074047    1024000 [New Volume]

The boot sectors found by Quick Search show that the partition types should be FAT16 LBA, FAT32 LBA and NTFS.

NTFS Alternate Data Stream

Alternate Data Streams are not limited to files; they can also be attached to directories. Here is an example, listing the root of an NTFS volume:

TestDisk 6.13-WIP, Data Recovery Utility, May 2011
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
   P NTFS                           0    2059766    2059767
Directory /

>dr-xr-xr-x     0     0         0 25-Mar-2011 01:06 .
 -r--r--r--     0     0    780831 25-Mar-2011 01:06 .:$Secure.$SDI
 -r--r--r--     0     0    845941 25-Mar-2011 01:06 .:$TXF_DATA
 dr-xr-xr-x     0     0         0 25-Mar-2011 01:06 ..
 -r--r--r--     0     0    780831 25-Mar-2011 01:06 ..:$Secure.$SDI
 -r--r--r--     0     0    845941 25-Mar-2011 01:06 ..:$TXF_DATA




Use Right to change directory
    q to quit, : to select the current file, a to select all files
    C to copy the selected files, c to copy the current file

These two ADS are valid JPEG files, attached to the root directory under names that look like NTFS system streams.

LinuxLeo

Several small disk images can be found on The Law Enforcement and Forensic Examiner's Introduction to Linux website.

Undelete file from a FAT12 filesystem

  • Download the Floppy Practice Image
  • Run testdisk practical.floppy.dd
  • Partition type: None
  • Advanced
  • Undelete
  • Navigate in /Docs/Private
  • Deleted files are displayed in red; select ReyHalif.doc and press c to copy the file
TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
   P FAT12                    0   0  1    79   1 18       2880 [NO NAME]
Directory /Docs/Private

>drwxr-xr-x     0     0         0 23-Sep-2000 16:21 .
 drwxr-xr-x     0     0         0 23-Sep-2000 16:21 ..
 -rwxr-xr-x     0     0       725 23-Sep-2000 16:10 ReyHalif.doc


Use Left arrow to go back, Right arrow to change directory, c to copy,
    h to hide deleted files, q to quit

File carving using PhotoRec from a FAT12

  • Download the Floppy Practice Image
  • Run photorec practical.floppy.dd
  • Partition type: None
  • Select the FAT12 and choose Search
  • If using PhotoRec 6.12 or later, you can choose to carve the free space only.
  • Select where to store the recovered files
  • One file is recovered, its content matches ReyHalif.doc.

Recover deleted files from an ext2 filesystem

  • Download the "Able2" Ext2 Disk Image
  • Run testdisk able2.dd
  • Partition type: Intel
  • Advanced
  • Select the second Linux partition
  • Undelete
  • Navigate in /root
TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
 2 P Linux                    0 162 55     7   6 27     102600
Directory /root

>drwxr-x---     0     0      1024 10-Aug-2003 06:10 .
 drwxr-xr-x     0     0      1024 10-Aug-2003 06:15 ..
 -rw-r--r--     0     0      1126 23-Aug-1995 21:02 .Xdefaults
 -rw-r--r--     0     0        24 14-Jul-1994 03:57 .bash_logout
 -rw-r--r--     0     0       238 23-Aug-1995 21:03 .bash_profile
 -rw-r--r--     0     0       176 23-Aug-1995 21:04 .bashrc
 -rw-r--r--     0     0       182 22-Mar-1999 05:00 .cshrc
 -rw-r--r--     0     0       166  4-Mar-1996 16:07 .tcshrc
 -rw-------     0     0      2500 10-Aug-2003 06:34 .bash_history
 -rw-r--r--     0     0   1339047 10-Aug-2003 06:08 lolit_pics.tar.gz
 -rw-r--r--     0     0   3639016 10-Aug-2003 06:08 lrkn.tgz

Use Left arrow to go back, Right arrow to change directory, c to copy,
    h to hide deleted files, q to quit
  • The deleted files (the last two) can be copied to the local disk

Recover lost data from the free space of an ext2 filesystem

  • Download the "Able2" Ext2 Disk Image
  • Run photorec able2.dd
  • Partition type: Intel
  • Select the fourth Linux partition
  • Search
  • Filesystem type is ext2/ext3
  • Select [ Free ] to scan for files in the ext2/ext3 unallocated space only
PhotoRec 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk able2.dd - 345 MB / 329 MiB (RO)
     Partition                  Start        End    Size in sectors
 4 P Linux                   11  31 28    42  11 27     496755


27 files saved in /home/kmaster/recup_dir directory.
Recovery completed.


[ Quit ]
  • Examine the recup_dir.1 directory: 27 mp3 files are awaiting you.

Recover deleted files from an NTFS partition

  • Download the NTFS Image
  • Run testdisk ntfs_pract.dd
  • Partition type: Intel
  • Advanced
  • Undelete
TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
 1 P HPFS - NTFS              0   0 60    63 174  3    1023001 [NEW VOLUME]
Deleted files

>/Cookies/buckyball@revsci[2].txt                                          14-Oct-2006 16:31     253
 /Cookies/buckyball@search.msn[1].txt                                      14-Oct-2006 16:42     322
 /Cookies/buckyball@slashdot[1].txt                                        14-Oct-2006 16:32     335
 /Cookies/buckyball@sony.aol[2].txt                                        25-Nov-2006 00:41      78
 /My Documents/My Pictures/bandit-streetortrack2005056.jpg                 14-Oct-2006 16:37  112063
 /My Documents/My Pictures/fighterama2005-ban4.jpg                         10-Nov-2006 00:30  187738
 /My Documents/direct_attacks.doc                                          26-Oct-2006 00:14   35328

Use : to select the current file, a to select/deselect all files,
    C to copy the selected files, c to copy the current file, q to quit

Recover lost data from the free space of a NTFS partition

  • Download the NTFS Image
  • Run photorec ntfs_pract.dd
  • Partition type: Intel
  • Search
  • Select [ Other ] as the filesystem is NTFS
  • Select [ Free ] to carve data from the free space only
  • Select where to store the recovered files
PhotoRec 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk ntfs_pract.dd - 524 MB / 500 MiB (RO)
     Partition                  Start        End    Size in sectors
 1 P HPFS - NTFS              0   0 60    63 174  3    1023001 [NEW VOLUME]


3 files saved in /home/kmaster/recup_dir directory.
Recovery completed.


[ Quit ]

The word document (.doc) and the two JPEG pictures have been recovered.

Discover NTFS Alternate Data Stream (ADS)

  • Download the NTFS Image
  • Run testdisk ntfs_pract.dd
  • Partition type: Intel
  • Advanced
  • List
TestDisk 6.13-WIP, Data Recovery Utility, May 2011
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
 1 P HPFS - NTFS              0   0 60    63 174  3    1023001 [NEW VOLUME]
Directory /

>dr-xr-xr-x     0     0         0  7-Apr-2007 06:59 .
 dr-xr-xr-x     0     0         0  7-Apr-2007 06:59 ..
 dr-xr-xr-x     0     0         0  8-Apr-2007 02:00 Cookies
 dr-xr-xr-x     0     0         0  7-Apr-2007 00:53 Desktop
 dr-xr-xr-x     0     0         0  4-Apr-2007 20:41 Favorites
 dr-xr-xr-x     0     0         0  8-Apr-2007 01:59 My Documents
 -r--r--r--     0     0   1572864  7-Apr-2007 06:59 NTUSER.DAT
 -r--r--r--     0     0   3823004  7-Apr-2007 06:29 SVstunts.avi
 -r--r--r--     0     0      7212  7-Apr-2007 06:29 SVstunts.avi:hacktrap.txt

Use Right to change directory
    q to quit, : to select the current file, a to select all files
    C to copy the selected files, c to copy the current file

The hidden document SVstunts.avi:hacktrap.txt can be copied.

Honeynet - Scan of the month

scan15: recovery of deleted files from an ext2 filesystem

TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
   P ext2                     0   0  1    32 253 63     530082
Directory /

>drwxr-xr-x     0     0      1024 16-Mar-2001 02:45 .
 drwxr-xr-x     0     0      1024 16-Mar-2001 02:45 ..
 drwxr-xr-x     0     0     12288 15-Mar-2001 12:09 lost+found
 drwxr-xr-x     0     0      1024 15-Mar-2001 12:09 boot
 drwxr-xr-x     0     0      1024 15-Mar-2001 12:09 home
 drwxr-xr-x     0     0      1024 15-Mar-2001 12:10 usr
 drwxr-xr-x     0     0      1024 15-Mar-2001 12:10 var
 drwxr-xr-x     0     0      1024 15-Mar-2001 12:10 proc
 drwxrwxrwt     0     0      1024 16-Mar-2001 15:48 tmp
 drwxr-xr-x     0     0     34816 16-Mar-2001 02:45 dev
 drwxr-xr-x     0     0      3072 16-Mar-2001 02:45 etc
 drwxr-xr-x     0     0      2048 16-Mar-2001 02:45 bin
 drwxr-xr-x     0     0      3072 15-Mar-2001 12:18 lib
 drwxr-xr-x     0     0      1024 15-Mar-2001 12:10 mnt
 drwxr-xr-x     0     0      1024 23-Aug-1999 18:03 opt
 drwxr-x---     0     0      1024 15-Mar-2001 18:23 root
 drwxr-xr-x     0     0      3072 16-Mar-2001 02:45 sbin
 drwxr-xr-x     0     0      1024 15-Mar-2001 18:23 floppy
 -rw-r--r--     0     0    520333 16-Mar-2001 02:36 lk.tgz
 drwxr-xr-x  1031   100         0 16-Mar-2001 02:45 last


Use Right arrow to change directory, c to copy,
    h to hide deleted files, q to quit

The last two lines list a deleted file and a deleted directory that contains several deleted files.

  • Select the file, press c to get a copy
  • Other deleted files can be found in /tmp, /etc, /etc/X11/fs, /etc/rc.d/rc[0-6].d, /etc/pam.d

To get a listing of all the files, run testdisk /log /cmd honeynet/honeypot.hda8.dd advanced,list,recursive and check the testdisk.log file. Lines listing deleted files begin with an X.

scan24: recovery from a damaged FAT12

TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
   P FAT12                    0   0  1    79   1 18       2880 [NO NAME]
Directory /

>-rwxr-xr-x     0     0     15585 11-Sep-2002 09:30 cover page.jpgc           
 -rwxr-xr-x     0     0      1000 24-May-2002 09:20 SCHEDU~1.EXE
 -rwxr-xr-x     0     0      4096 14-Oct-2002 15:18 _OVERP~1.SWP


Use Right arrow to change directory, c to copy,
    h to hide deleted files, q to quit
  • Copy the files
  • We can now examine the files and discover that the .exe file is actually a ZIP archive and that all the files are corrupted. Let's try another method.
  • Run photorec scan24.dd
  • Partition type: None
  • Search
  • Select Other as the filesystem was FAT
  • [ Whole ] to recover all the files and ignore the File Allocation Table (FAT)
PhotoRec 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org

Disk scan24.dd - 1474 KB / 1440 KiB (RO)
     Partition                  Start        End    Size in sectors
   P FAT12                    0   0  1    79   1 18       2880 [NO NAME]


3 files saved in /home/kmaster/recup_dir directory.
Recovery completed.



[ Quit ]
  • Check the recovered files
$ ls -l
total 36
-rw-rw-r--. 1 kmaster kmaster 20480 Apr 15  2002 f0000033_Jimmy_Jungle.doc
-rw-rw-r--. 1 kmaster kmaster  8754 Nov  9 20:44 f0000073.jpg
-rw-rw-r--. 1 kmaster kmaster  2420 Nov  9 20:44 f0000104.zip

The files are perfectly recovered. The challenge isn't finished but PhotoRec helps a lot ;-)

Others

Challenge DC3 2012: DC3 Digital Forensics Challenge