Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                

Use Photorec To Carve For Files With Linux Ubuntu 12.04

Download as docx, pdf, or txt
Download as docx, pdf, or txt
You are on page 1of 16

Use PhotoRec to Carve for Files With Linux Ubuntu 12.

04
Carlos Cajigas MSc, EnCE, CFCE

While examining the contents of an external hard drive in a recent case, I came across the need to recover videos from the unallocated area of the drive. Interestingly enough, the videos in question were in the form of ISO images. When my preferred commercial carving tool didnt offer an option to carve for ISOs, PhotoRec did. PhotoRec in an open source tool that you can use for free. It was originally designed to recover photos, hence the name, but can now carve for over 250 different kinds of files. Carving is the process of looking for file headers and file footers, and then "carving out" the data blocks between those two boundaries. You can use PhotoRec to carve for files even if your media has been reformatted. PhotoRec is a companion to our previously discussed program, called Testdisk. PhotoRec comes preinstalled in Linux Live DVD's like Blackbuntu. For the purposes of this article, I used an examination computer with Ubuntu 12.04 installed on it.

The goal:
The plan is to recreate the steps that will lead to us being able to carve a file from the unallocated area of our drive. We are going to add a file to a volume and then delete it, to simulate the file being in unallocated space. Finally we will use PhotoRec to carve for our file.

Installing the tools:


All of the tools that we will use are either included in Ubuntu by default, or can be downloaded from the Ubuntu Software Center. The tools that we will need to recreate the test are shred, DD, Gparted, and PhotoRec. Shred and DD are already in Ubuntu, so lets head over to the Ubuntu Software Center for the other tools.

Click on the Dash Home circle, located on the top left of your screen, type in software and click on the Ubuntu Software Center icon that will appear.

After the Ubuntu Software Center opens, you will see a search box on the topright corner of your screen. Type testdisk and click on the install button. PhotoRec comes bundled with it. You will be prompted for your root password. Enter your root password and wait for the program to install.

Once Testdisk (PhotoRec) is installed, search for Gparted. Install Gparted as well. Now that you have the tools that we need, close the Ubuntu Software Center. The next step is to prepare a working folder for our files. Go to your desktop, right click on your desktop and select create new folder, name it Test. Copy one single jpg picture into it. I chose to work with a jpg picture because it would be easier to locate a random jpg than an iso for this test. The steps required for recovering a jpg and/or an iso using PhotoRec are exactly the same.

The test:
For the test I will be using a 256MB Flash Drive. When testing software, smaller drives take less time to wipe. Since we are going to be adding data to our test media and then examining it, we should sterilize it. Sterilizing a drive is the process of writing a known hex value to every sector of a piece of media so that it can overwrite any and all data that previously resided on that piece of media. For the purposes of this article, we will be using the program Shred. Shred is only run from the command line. Make sure your test media is inserted into the computer and open a Terminal Window. In Ubuntu you can accomplish this by pressing Ctrl-Alt-T at the same time or by going to the Dash Home and typing in terminal.

Once the terminal window is open, Type the following into the terminal to determine which letter Ubuntu assigned to the test media. sudo fdisk -l Fdisk is a partition table manipulator for Linux. The flag -l tells fdisk to list the partition table. Sudo gives fdisk superuser privileges for the operations. Press enter and type your root password (if needed).

Ubuntu assigned the media as SDB. SDB1 is the partition currently stored on the media. Do not pay much attention to it, we will be wiping shortly. Now that we know the media's drive assignment, type the following into the terminal to wipe/sterilize it. sudo shred -v -n 0 -z /dev/sdb Shred is the wiping program. The flag -v shows the progress, the flag -n overwrites with random data n amount of times instead of the default 3. I wrote a 0, because I didn't want to overwrite the drive with random data. The -z flag adds a final overwrite with zeros to hide shredding. For the purposes of this test one overwrite with zeros is all that we need. Dev/sdb is the test media. Sudo gives Shred superuser privileges for the operations. Press enter and type your root password (if needed).

Our media has been successfully sterilized by writing zeros to the entire drive, from the first sector to the last. Now we need to format the media. Remove the media from the computer and insert it back into the computer. Type the following into the terminal window. sudo gparted Gparted is a Gnome partition editor for manipulating disk partitions. A GUI for Gparted will open up. Make sure that you select your test media, it should be the /dev/sdb device. Format the media as NTFS.

Now that the drive is formatted, copy the jpg file from the Test folder into the media.

This is my TestPicture.jpg

After the jpg has been copied to your media, delete it.

The test media is now ready. Now, navigate to the previously created Test folder on the desktop. We will use the CD command to change directory into the desktop. Type the following into the terminal. cd /home/carlos/Desktop/Test/ Replace carlos with the name of the user account you are currently logged on as. After doing so, press enter. You should receive these results.

Type the following into the terminal. sudo dd if=/dev/sdb of=testimage.dd DD is a common Linux program whose primary purpose is the low level copying and conversion of raw data. The if= tells dd to read from file, and the of= tells dd to write to file. Sudo gives DD superuser privileges for the operations. Press enter and type your root password (if needed). This action will copy all the sectors on the media into a file named testimage.dd into our current directory, which is the Test folder.

Now that we have an image of the test media. You can remove the media from the computer. Type the following into the terminal. sudo photorec testimage.dd We finally get to PhotoRec. PhotoRec is a file carving tool for Windows, Mac and Linux. It is a terminal based tool that can be manipulated with the use of the up, down, left and right arrows and enter to proceed. Press Q at any time to go back or exit the program. PhotoRec recognizes physical hard drives in the computer and well as USB storage devices. Or like in this case, you can point PhotoRec to your image file and it will recognize it as well. Click enter to proceed.

Using the right arrow, highlight the [File Opt] at the bottom of the screen and press enter.

In this screen you will be able to select the file(s) that you want to carve for. You can select as many as you want. Look at the list, it is extensive. Use the down arrow to find the jpg JPG picture option. Highlight the option and press the spacebar to place an x in the bracket, which will select the option for carving.

Once this is done, press b to save the settings. You will get a confirmation that the settings were recorded successfully.

Press enter twice and you will be brought back to the main screen. Using your up and down arrows, tell PhotoRec to carve for files on the [Whole disk]. Once this done, use the left arrow to select the [ Search ] option and press enter.

Tell PhotoRec the file system type where the file is currently stored.

And finally tell PhotoRec where to save the carved files. I told it to save the files to my Test folder on the Desktop. When the destination is correct, start the carving process by pressing C.

PhotoRec carved one file from our image, and saved it in the Test folder under a directory called recup_dir.

Now open Nautilus and navigate to recup_dir inside of the Test folder on the Desktop to see what PhotoRec carved. Nautilus is the file manager for the GNOME desktop environment. You can launch Nautilus by left clicking on the folder looking icon in your task bar.

PhotoRec successfully carved our jpg file. The file name assigned to the file starts with an f followed by a number. That number is the first physical sector where the file resides on the media.

Conclusion:
PhotoRec was able to carve the file that was written to and deleted from our test media. This is a powerful and free tool that can carve for many files and be a good supplement to your other carving tools. If this procedure worked for your case, and you are able to use it in the course of your investigation, we would like to hear from you. Please post your comments or email the author of this article at carlos@epyxforensics.com.

You might also like