|
How to manually recover a file using dd
I am currently taking a forensics class and my assignment is to recover files manually using dd. The book,guide to computer forensics, is unclear on this subject. I downloaded a file, created a directory and copied the file into it. when I open it using xxd sweeney.case01.dd I can see the all the files but I am not sure exactly how to recover them. I know I have to use byte swapping and convert from hex to decimal to get the skip and the count, just not sure which ones to swap to get the count and skip.
I tried dd if=/dev/zero of=sweeney.case01.dd bs=1024 count=1440 sudo mkfs.msdos sweeney.case01.dd sweeney.case01.dd: DOS floppy 1440k, x86 hard disk boot sector dd if=sweeney.case01.dd of=recovered.txt bs=1 count=10 skip=17408 file recovered.txt recovered.txt: DOS executable (COM) Vi recovered.txt <<90>mkdosfs I know this is not an exact recover and I am not sure how to recover mkdosfs without the <<90> which I dont think is part of the file. Here is what I am working with : 0002600: e566 0069 006c 0065 0031 000f 005a 2e00 .f.i.l.e.1...Z.. 0002610: 6a00 7000 6700 0000 ffff 0000 ffff ffff j.p.g........... 0002620: e549 4c45 3120 2020 4a50 4720 0000 a545 .ILE1 JPG ...E 0002630: b940 b940 0000 a545 b940 0300 34c2 0100 .@.@...E.@..4... 0002640: 4166 0069 006c 0065 0033 000f 00d5 2e00 Af.i.l.e.3...... 0002650: 7400 7800 7400 0000 ffff 0000 ffff ffff t.x.t........... 0002660: 4649 4c45 3320 2020 5458 5420 0000 a545 FILE3 TXT ...E 0002670: b940 cc40 0000 a545 b940 e500 069c 0200 .@.@...E.@...... 0002680: 4166 0069 006c 0065 0034 000f 0056 2e00 Af.i.l.e.4...V.. 0002690: 6a00 7000 6700 0000 ffff 0000 ffff ffff j.p.g........... 00026a0: 4649 4c45 3420 2020 4a50 4720 0000 a545 FILE4 JPG ...E 00026b0: b940 cc40 0000 a545 b940 3402 bb94 0200 .@.@...E.@4..... 00026c0: 4166 0069 006c 0065 002e 000f 0080 6400 Af.i.l.e......d. 00026d0: 6f00 6300 0000 ffff ffff 0000 ffff ffff o.c............. 00026e0: 4649 4c45 2020 2020 444f 4320 0000 b645 FILE DOC ...E 00026f0: b940 b940 0000 b645 b940 7f03 6200 0400 .@.@...E.@..b... 0002700: 4231 002e 0064 0064 0000 000f 0080 ffff B1...d.d........ 0002710: ffff ffff ffff ffff ffff 0000 ffff ffff ............... 00043d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00043e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 00043f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................ 0004400: eb3c 906d 6b64 6f73 6673 0000 0201 0100 .<.mkdosfs...... 0004410: 02e0 0040 0bf0 0900 1200 0200 0000 0000 ...@............ 0004420: 0000 0000 0000 2935 506d cb20 2020 2020 ......)5Pm. 0004430: 2020 2020 2020 4641 5431 3220 2020 0e1f FAT12 .. |
Quote:
on a 3.5 in floppy ??? those have not even been manufactured for the last few years i take it you have a few OLD boxes and a OLD 10+ year old computer for them Almost non of the current linux distros even LOOK for a floppy drive. the " mkdosfs" ??? are you using the 10 year old RH8 |
We arent really using floppys we made a floppy file system
sudo mkfs.msdos sweeney.case01.dd sudo mount -t auto -o loop sweeneycase01.dd |
it seems like the dd backup is actually a disk drive (boot sector, partition table, and partitions) rather than a disk partition.
from what i can tell recovered.txt is supposed to be 10 bytes from the dd backup (skipping the first 17408 bytes) ? not sure why you are overwriting sweeney.case01.dd with 1474560 zeroes then reformating a new msdos filesystem on it ? |
The dd backup is actually a disk drive (boot sector, partition table, and partitions) rather than a disk partition. Yes I am trying to recover the deleted files manually using DD thats my assignment. there are two with e5 in the header so those are the ones I am trying to recover. When I use the command:
dd if=sweeney.case01.dd of=recovered.txt bs=1 count=10 skip=17408 I am recovering <<90>mkdosfs I think it is supposed to be mkdosfs I`m pretty sure the skip is right but not sure about how to get the right count. I havent even tried to recover the jpg yet. |
Quote:
now if this was a real floppy that would "blank" it with overwriting it with all zeros Quote:
that is a 12 bit-fat format ( think windows 3.1 & 95 ) Quote:
Quote:
" <<90>mkdosfs" that looks about right for that small of a file Quote:
recovering the data from a microsoft boot disk form 1990's is from before my time Quote:
how did you put a jpg photo in there the file sweeney.case01.dd has ONLY zeros in it for recovering a photo i would use " photorec" |
Thanks for the feedback. I new so I am probably not explaining it correctly. I will do some more research and try to be more specific.
|
You would actually be able to access the image contents using 'photorec (or testdisk) /log /debug /path/to/sweeney.case01.dd' or 'losetup /dev/loop1 /path/to/sweeney.case01.dd && foremost -d -i /dev/loop1 -v -o /path/to/outputdir/' (use kpartx and then check /dev/mapper/ if more than one partition is available) or use the Helix 2008R1(2.0) ISO (MD5 hash 93a285bfa8ab93d664d508e5b12446d3) burned as CDROM and the image on removable media like an USB stick if you don't have virtualization to play with, don't want to commit a disk and still want access to TCT, Autopsy and such.
|
I took a computer forensics class at University of Cincinnati, and it sounds like you are doing the exact same exercises that I did in that class.
|
| All times are GMT -5. The time now is 08:39 PM. |