LinuxQuestions.org
Linux - Newbie: This Linux forum is for members that are new to Linux.
Old 06-16-2012, 02:40 PM   #1
liamtsw
LQ Newbie
 
Registered: May 2012
Posts: 11

Rep: Reputation: Disabled
How to manually recover a file using dd


I am currently taking a forensics class and my assignment is to recover files manually using dd. The book, Guide to Computer Forensics, is unclear on this subject. I downloaded a file, created a directory and copied the file into it. When I open it using xxd sweeney.case01.dd I can see all the files, but I am not sure exactly how to recover them. I know I have to use byte swapping and convert from hex to decimal to get the skip and the count, just not sure which ones to swap to get the count and skip.

I tried

dd if=/dev/zero of=sweeney.case01.dd bs=1024 count=1440

sudo mkfs.msdos sweeney.case01.dd

sweeney.case01.dd: DOS floppy 1440k, x86 hard disk boot sector

dd if=sweeney.case01.dd of=recovered.txt bs=1 count=10 skip=17408

file recovered.txt
recovered.txt: DOS executable (COM)

vi recovered.txt

<<90>mkdosfs

I know this is not an exact recovery and I am not sure how to recover mkdosfs without the <<90>, which I don't think is part of the file.

Here is what I am working with:

0002600: e566 0069 006c 0065 0031 000f 005a 2e00 .f.i.l.e.1...Z..

0002610: 6a00 7000 6700 0000 ffff 0000 ffff ffff j.p.g...........
0002620: e549 4c45 3120 2020 4a50 4720 0000 a545 .ILE1 JPG ...E
0002630: b940 b940 0000 a545 b940 0300 34c2 0100 .@.@...E.@..4...
0002640: 4166 0069 006c 0065 0033 000f 00d5 2e00 Af.i.l.e.3......
0002650: 7400 7800 7400 0000 ffff 0000 ffff ffff t.x.t...........
0002660: 4649 4c45 3320 2020 5458 5420 0000 a545 FILE3 TXT ...E
0002670: b940 cc40 0000 a545 b940 e500 069c 0200 .@.@...E.@......
0002680: 4166 0069 006c 0065 0034 000f 0056 2e00 Af.i.l.e.4...V..
0002690: 6a00 7000 6700 0000 ffff 0000 ffff ffff j.p.g...........
00026a0: 4649 4c45 3420 2020 4a50 4720 0000 a545 FILE4 JPG ...E
00026b0: b940 cc40 0000 a545 b940 3402 bb94 0200 .@.@...E.@4.....
00026c0: 4166 0069 006c 0065 002e 000f 0080 6400 Af.i.l.e......d.
00026d0: 6f00 6300 0000 ffff ffff 0000 ffff ffff o.c.............
00026e0: 4649 4c45 2020 2020 444f 4320 0000 b645 FILE DOC ...E
00026f0: b940 b940 0000 b645 b940 7f03 6200 0400 .@.@...E.@..b...
0002700: 4231 002e 0064 0064 0000 000f 0080 ffff B1...d.d........
0002710: ffff ffff ffff ffff ffff 0000 ffff ffff ...............


00043d0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00043e0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
00043f0: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0004400: eb3c 906d 6b64 6f73 6673 0000 0201 0100 .<.mkdosfs......
0004410: 02e0 0040 0bf0 0900 1200 0200 0000 0000 ...@............
0004420: 0000 0000 0000 2935 506d cb20 2020 2020 ......)5Pm.
0004430: 2020 2020 2020 4641 5431 3220 2020 0e1f FAT12 ..
 
Old 06-16-2012, 02:52 PM   #2
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,643

Rep: Reputation: 2653
Quote:
sweeney.case01.dd: DOS floppy 1440k, x86 hard disk boot sector

on a 3.5 in floppy ???
those have not even been manufactured for the last few years

I take it you have a few OLD boxes and an OLD 10+ year old computer for them

Almost none of the current linux distros even LOOK for a floppy drive.

the " mkdosfs" ???

are you using the 10 year old RH8?
 
Old 06-16-2012, 03:06 PM   #3
liamtsw
LQ Newbie
 
Registered: May 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
We aren't really using floppies; we made a floppy file system

sudo mkfs.msdos sweeney.case01.dd
sudo mount -t auto -o loop sweeneycase01.dd
 
Old 06-16-2012, 04:13 PM   #4
schneidz
LQ Guru
 
Registered: May 2005
Location: boston, usa
Distribution: fedora-35
Posts: 5,326

Rep: Reputation: 919
It seems like the dd backup is actually a disk drive (boot sector, partition table, and partitions) rather than a disk partition.

From what I can tell recovered.txt is supposed to be 10 bytes from the dd backup (skipping the first 17408 bytes)?

Not sure why you are overwriting sweeney.case01.dd with 1474560 zeroes then reformatting a new msdos filesystem on it?
 
Old 06-16-2012, 04:55 PM   #5
liamtsw
LQ Newbie
 
Registered: May 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
The dd backup is actually a disk drive (boot sector, partition table, and partitions) rather than a disk partition. Yes, I am trying to recover the deleted files manually using dd; that's my assignment. There are two with e5 in the header so those are the ones I am trying to recover. When I use the command:
dd if=sweeney.case01.dd of=recovered.txt bs=1 count=10 skip=17408

I am recovering <<90>mkdosfs. I think it is supposed to be mkdosfs. I'm pretty sure the skip is right but not sure about how to get the right count. I haven't even tried to recover the jpg yet.
 
Old 06-16-2012, 05:14 PM   #6
John VV
LQ Muse
 
Registered: Aug 2005
Location: A2 area Mi.
Posts: 17,643

Rep: Reputation: 2653
Quote:
dd if=/dev/zero of=sweeney.case01.dd bs=1024 count=1440
make a file called "sweeney.case01.dd" that IS ONLY 0's ( zeros)
now if this was a real floppy that would "blank" it with overwriting it with all zeros

Quote:
sudo mkfs.msdos sweeney.case01.dd
now make a second file of the same name ( then why do the first command, other than ensuring that the file IS there )

that is a 12-bit FAT format ( think windows 3.1 & 95 )

Quote:
dd if=sweeney.case01.dd of=recovered.txt bs=1 count=10 skip=17408
make a 10 b in size file OF "sweeney.case01.dd" and call it "recovered.txt", skipping the first "17408" bytes

Quote:
Vi recovered.txt
use vi in the terminal to read the 10 b text file

" <<90>mkdosfs" that looks about right for that small of a file

Quote:
I am currently taking a forensics class and my assignment is
you might ask your teacher on this
recovering the data from a microsoft boot disk from the 1990's is from before my time



Quote:
I havent even tried to recover the jpg yet.
???
how did you put a jpg photo in there?
the file sweeney.case01.dd has ONLY zeros in it

for recovering a photo i would use " photorec"

Last edited by John VV; 06-16-2012 at 05:21 PM.
 
Old 06-16-2012, 06:39 PM   #7
liamtsw
LQ Newbie
 
Registered: May 2012
Posts: 11

Original Poster
Rep: Reputation: Disabled
Thanks for the feedback. I'm new so I am probably not explaining it correctly. I will do some more research and try to be more specific.
 
Old 06-16-2012, 06:56 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
You would actually be able to access the image contents using 'photorec (or testdisk) /log /debug /path/to/sweeney.case01.dd' or 'losetup /dev/loop1 /path/to/sweeney.case01.dd && foremost -d -i /dev/loop1 -v -o /path/to/outputdir/' (use kpartx and then check /dev/mapper/ if more than one partition is available) or use the Helix 2008R1(2.0) ISO (MD5 hash 93a285bfa8ab93d664d508e5b12446d3) burned as CDROM and the image on removable media like an USB stick if you don't have virtualization to play with, don't want to commit a disk and still want access to TCT, Autopsy and such.
 
Old 06-18-2012, 05:28 PM   #9
CincinnatiKid
Member
 
Registered: Jul 2010
Posts: 454

Rep: Reputation: 47
I took a computer forensics class at University of Cincinnati, and it sounds like you are doing the exact same exercises that I did in that class.
 