TestDisk and PhotoRec in various digital forensics testcase
Test your knowledge
Try the Data Recovery with PhotoRec quiz at https://moodle.cgsecurity.org
Digital Forensics Tool Testing Images
Digital Forensics Tool Testing Images (DFTT) can be downloaded at http://dftt.sourceforge.net
Extended DOS Partition Test
- Test: Most DOS partition tools will not allow the user to create a third entry in an extended partition. A test image was created by modifying the partition table by hand with a hex editor and the system was booted. Both Windows and Linux read the third entry in the extended partition table and allowed the user to mount the partition. This test was to verify that forensic tools also allowed the investigator to view the partition in the third entry.
- Result: Passed, TestDisk shows all six FAT16 partitions.
testdisk -lu 1-extend-part/ext-part-test-2.dd

TestDisk 7.1-WIP, Data Recovery Utility, August 2016
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org

Please wait...
Disk /home/kmaster/data/data_for_testdisk/1-extend-part/ext-part-test-2.dd - 159 MB / 152 MiB - CHS 20 255 63 (RO)
Sector size:512

Disk /home/kmaster/data/data_for_testdisk/1-extend-part/ext-part-test-2.dd - 159 MB / 152 MiB - CHS 20 255 63 (RO)
     Partition                  Start        End    Size in sectors
 1 P FAT16 <32M                   63      52415      52353 [NO NAME]
     FAT16, blocksize=512
 2 P FAT16 <32M                52416     104831      52416 [NO NAME]
     FAT16, blocksize=512
 3 P FAT16 <32M               104832     157247      52416 [NO NAME]
     FAT16, blocksize=512
 4 E extended                 157248     312479     155232
 5 L FAT16 <32M               157311     209663      52353 [NO NAME]
     FAT16, blocksize=512
 6 L FAT16 <32M               209727     262079      52353 [NO NAME]
     FAT16, blocksize=512
   X extended                 262080     312479      50400
 7 L FAT16 >32M               262143     312479      50337
     FAT16, blocksize=2048
FAT Undelete Test #1
- Test: This test image is a 6MB FAT file system with six deleted files and two deleted directories. The files range from single cluster files to multiple fragments.
- Procedure: Run testdisk 6-fat-undel.dd, Partition type: None, Advanced, Undelete; for each file, select it and press c to copy it.
TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
 P FAT16                    0   0  1     5  30 62      12032 [NO NAME]
Directory /
>-rwxr-xr-x     0     0      1584 14-Feb-2004 12:51 _RAG1.DAT
 -rwxr-xr-x     0     0      3873 14-Feb-2004 12:52 _RAG2.DAT
 -rwxr-xr-x     0     0       780 14-Feb-2004 12:52 _ING.DAT
 -rwxr-xr-x     0     0      3801 14-Feb-2004 21:20 _ULT1.DAT
 drwxr-xr-x     0     0      1024 14-Feb-2004 12:53 _IR1
 drwxr-xr-x     0     0      1024 14-Feb-2004 12:53 System Volume Information
Use Right arrow to change directory, c to copy, h to hide deleted files, q to quit
- Results
1. Can you see the frag1.dat, frag2.dat, sing.dat, mult1.dat, and dir1 file and directory names in the root directory?
Yes, but the first character is missing, as expected (FAT overwrites the first byte of a deleted directory entry).
2. Can you see the dir2 and mult2.dat names in the dir1 directory?
Yes
3. Can you see the frag3.dat name in the dir1\dir2 directory?
Yes
4. Can you recover the sing.dat file? Does it have the correct MD5?
Yes
5. Can you recover the mult1.dat file? Does it have the correct MD5?
Yes
6. Can you recover the dir1\mult2.dat file? Does it have the correct MD5?
Yes
7. Can you recover the frag1.dat file? Does it have the correct MD5?
Incorrect MD5
8. Can you recover the frag2.dat file? Does it have the correct MD5?
Incorrect MD5
9. Can you recover the dir1\dir2\frag3.dat file? Does it have the correct MD5?
Incorrect MD5
TestDisk finds all the deleted files, but the fragmented ones aren't recovered correctly.
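As an added illustration of these results (not code from the original page or from TestDisk), the Python below parses a constructed FAT directory entry for a deleted file and shows what an undelete can and cannot rebuild from it: the name (minus its first byte), size, first cluster and timestamp survive, the cluster chain does not. The cluster size, data-area start and FAT contents are constructed for the demo.

```python
"""What a FAT directory entry still tells you after deletion, and why an
undelete of a fragmented file comes back with the wrong content. Added example,
not TestDisk's code; the directory entry and the FAT below are constructed."""
import struct
from datetime import datetime

DELETED_MARK = 0xE5       # FAT overwrites the first byte of a deleted name with this
BYTES_PER_CLUSTER = 512   # constructed geometry for the demo
FIRST_DATA_SECTOR = 40    # constructed: sector where cluster 2 starts


def fat_datetime(date: int, time: int) -> datetime:
    """Decode packed FAT date (7-bit year since 1980, month, day) and time (h, m, s/2)."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def parse_dir_entry(raw: bytes) -> dict:
    """Parse one 32-byte 8.3 entry. A deleted entry keeps its size, first cluster
    and timestamps; only the first name character is gone (shown as '_' like TestDisk)."""
    if len(raw) != 32:
        raise ValueError("FAT directory entries are 32 bytes")
    name, ext = bytearray(raw[0:8]), raw[8:11]
    deleted = name[0] == DELETED_MARK
    if deleted:
        name[0] = ord("_")
    base, suffix = name.decode("ascii").rstrip(), ext.decode("ascii").rstrip()
    clus_hi, wtime, wdate, clus_lo, size = struct.unpack_from("<HHHHI", raw, 20)
    return {"name": base + ("." + suffix if suffix else ""),
            "deleted": deleted, "directory": bool(raw[11] & 0x10),
            "first_cluster": (clus_hi << 16) | clus_lo,   # HI word is 0 on FAT12/16
            "size": size, "mtime": fat_datetime(wdate, wtime)}


def chain_from_fat(fat: list, first_cluster: int) -> list:
    """Follow the cluster chain for as long as the FAT still links it."""
    chain, cur = [], first_cluster
    while 2 <= cur < 0xFFF8 and cur < len(fat) and cur not in chain:
        chain.append(cur)
        cur = fat[cur]
    return chain


def undelete_plan(entry: dict, fat: list) -> dict:
    """Clusters an undelete would read. Deleting a file zeroes its FAT chain, so
    only the first cluster survives; the rest is assumed contiguous, which is
    exactly why fragmented files (frag1/frag2/frag3 above) fail the MD5 check."""
    needed = -(-entry["size"] // BYTES_PER_CLUSTER)        # ceiling division
    chain = chain_from_fat(fat, entry["first_cluster"])
    intact = len(chain) >= needed
    if not intact:
        chain = list(range(entry["first_cluster"], entry["first_cluster"] + needed))
    sectors = [FIRST_DATA_SECTOR + (c - 2) * (BYTES_PER_CLUSTER // 512) for c in chain]
    return {"clusters": chain, "sectors": sectors, "chain_intact": intact}


def make_entry(name8: bytes, ext3: bytes, first_cluster: int, size: int, deleted: bool) -> bytes:
    """Constructed 8.3 entry dated 14-Feb-2004 12:51, as in the listing above."""
    raw = bytearray(32)
    raw[0:8], raw[8:11], raw[11] = name8.ljust(8), ext3.ljust(3), 0x20
    wdate = ((2004 - 1980) << 9) | (2 << 5) | 14
    wtime = (12 << 11) | (51 << 5)
    struct.pack_into("<HHHHI", raw, 20, 0, wtime, wdate, first_cluster, size)
    if deleted:
        raw[0] = DELETED_MARK
    return bytes(raw)


def demo() -> dict:
    """FRAG1.DAT (1584 bytes = 4 clusters) originally occupied 5, 6, 9, 10;
    clusters 7 and 8 belong to another, still allocated, file."""
    entry = parse_dir_entry(make_entry(b"FRAG1", b"DAT", 5, 1584, deleted=True))
    fat_before = [0xFFF8, 0xFFFF, 0, 0, 0, 6, 9, 8, 0xFFFF, 10, 0xFFFF, 0]
    fat_after = [0xFFF8, 0xFFFF, 0, 0, 0, 0, 0, 8, 0xFFFF, 0, 0, 0]
    return {"before": undelete_plan(entry, fat_before),
            "after": undelete_plan(entry, fat_after)}
```

With the chain gone, the plan reads clusters 5, 6, 7, 8 and silently picks up two clusters of the other file, which is what an incorrect MD5 on frag1.dat looks like from the inside.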
NTFS Undelete (and leap year) Test #1
- Test: This test image is a 6MB NTFS file system with eight deleted files, two deleted directories, and a deleted alternate data stream. The files include resident files, single-cluster files, and files with multiple fragments.
- Procedure: Run testdisk 7-ntfs-undel.dd, Partition type: None, Advanced, Undelete
TestDisk 7.1-WIP, Data Recovery Utility, August 2016
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
 P NTFS                     0   0  1     5  30 62      12032 [NTFS_DEL]
Deleted files
>./frag1.dat                    29-Feb-2004 21:00       1584
 ./frag2.dat                    29-Feb-2004 21:02       3873
 ./mult1.dat                    29-Feb-2004 21:02       3801
 ./mult1.dat:ADS                29-Feb-2004 21:02       1234
 ./res1.dat                     29-Feb-2004 21:05        101
 ./sing1.dat                    29-Feb-2004 21:01        780
 /dir1/dir2/frag3.dat           29-Feb-2004 21:03       2027
 /dir1/mult2.dat                29-Feb-2004 21:03       1715
 sing2.dat                      29-Feb-2004 21:04       1005
Use : to select the current file, a to select/deselect all files, C to copy the selected files, c to copy the current file, q to quit
- Results:
1. Can you see any of the deleted file names? Which ones?
All the files are listed; the alternate data stream mult1.dat:ADS has been listed since version 6.13.
2. Can you recover the res1.dat file? Does it have the correct MD5?
Perfectly recovered.
3. Can you recover the sing1.dat file? Does it have the correct MD5?
Perfectly recovered.
4. Can you recover the dir3\sing2.dat file? Does it have the correct MD5?
The file is recovered with the name sing2.dat instead of dir3\sing2.dat. The checksum is correct.
5. Can you recover the mult1.dat file? Does it have the correct MD5?
Perfectly recovered.
6. Can you recover the mult1.dat:ADS file? Does it have the correct MD5?
Perfectly recovered.
7. Can you recover the dir1\mult2.dat file? Does it have the correct MD5?
Perfectly recovered.
8. Can you recover the frag1.dat file? Does it have the correct MD5?
Perfectly recovered.
9. Can you recover the frag2.dat file? Does it have the correct MD5?
Perfectly recovered.
10. Can you recover the dir1\dir2\frag3.dat file? Does it have the correct MD5?
Perfectly recovered.
11. Are the dates properly shown to be from Feb 29, 2004? (testing leap year support)
Yes, no problem
Basic Data Carving Test #1
- Test: This test image is a FAT32 file system and is intended to test data carving tools and their ability to extract various file formats. The image contains several allocated and deleted files, and the header of one JPEG file was modified (to show the importance of ignoring corrupted files). The FAT boot sector has been corrupted so that the image cannot be mounted and therefore data carving methods must be used to extract the files.
Repairing the damaged boot sector using TestDisk
- Procedure: run testdisk 11-carve-fat.dd, Partition type: None, Advanced, change the type to FAT16, Boot, RebuildBS, List
TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
 P FAT16                    0   0  1     7 229 31     126913
Directory /
>-rwxr-xr-x     0     0     19968  9-Mar-2005 13:25 2003_document.doc
 -rwxr-xr-x     0     0   8037267  9-Mar-2005 13:25 _OMOPERS.WMV
 -rwxr-xr-x     0     0    318895  9-Mar-2005 13:25 enterprise.wav
 -rwxr-xr-x     0     0     24367  9-Mar-2005 13:25 haxor2.jpg
 -rwxr-xr-x     0     0     23040  9-Mar-2005 13:25 holly.xls
 -rwxr-xr-x     0     0   1399508  9-Mar-2005 13:25 lin_1.2.pdf
 -rwxr-xr-x     0     0    122434  9-Mar-2005 13:25 nlin_14.pdf
 -rwxr-xr-x     0     0     29885  9-Mar-2005 13:25 paul.jpg
 -rwxr-xr-x     0     0    444314  9-Mar-2005 13:25 pumpkin.jpg
 -rwxr-xr-x     0     0     99298  9-Mar-2005 13:25 shark.jpg
 -rwxr-xr-x     0     0      5498  9-Mar-2005 13:25 sm1.gif
 -rwxr-xr-x     0     0    550653  9-Mar-2005 13:25 surf.mov
 -rwxr-xr-x     0     0   1036994  9-Mar-2005 13:25 surf.wmv
 -rwxr-xr-x     0     0     11264  9-Mar-2005 13:25 _EST.PPT
 -rwxr-xr-x     0     0     78899  9-Mar-2005 13:25 wword60t.zip
Use Right arrow to change directory, c to copy, h to hide deleted files, q to quit
- Results: All the files are perfectly recovered
Data carving using PhotoRec
Run photorec 11-carve-fat.dd, Partition type: None, Search, Other, select where to store the files
PhotoRec 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org

Disk 11-carve-fat.dd - 64 MB / 61 MiB (RO)
     Partition                  Start        End    Size in sectors
 P Unknown                  0   0  1     7 229 31     126913

14 files saved in /home2/kmaster//11-carve-fat/recup_dir directory.
Recovery completed.

                                  [ Quit ]
Results
- All the files are recovered. The damaged JPEG (haxor2.jpg) is ignored, as expected.
- 13/14 files are perfectly recovered (checksums match the original ones; note that with versions older than 6.12, the score is 11/14).
- When the file enterprise.wav is recovered, it is one byte shorter. PhotoRec is correct: there is an extra/junk byte at the end of the original file.
Basic Data Carving Test #2
This test image is an EXT2 file system and is intended to test data carving tools for indirect block detection and removal. With large files, EXT2 allocates blocks (called indirect blocks) to store file metadata, and these blocks are frequently allocated in between blocks that contain file content. Therefore the file becomes fragmented, and a basic carving tool may include the indirect block in the carved file. This file system image contains several allocated and deleted files, none of which have been modified. The superblock has been corrupted so that the image cannot be mounted and therefore data carving methods must be used to extract the files.
Several possibilities exist using TestDisk & PhotoRec.
Superblock recovery using TestDisk
TestDisk can find the backup superblock location. Run testdisk 12-carve-ext2.dd, Partition type: None, Advanced, change the type to ext2, Superblock
TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org

Disk 12-carve-ext2.dd - 129 MB / 123 MiB - CHS 16 255 63 (RO)
     Partition                  Start        End    Size in sectors
   ext2                     0   0  1    15 185 18     252648

superblock 8193, blocksize=1024 []
superblock 24577, blocksize=1024 []
superblock 40961, blocksize=1024 []
superblock 57345, blocksize=1024 []
superblock 73729, blocksize=1024 []

To repair the filesystem using alternate superblock, run
fsck.ext2 -p -b superblock -B blocksize device

>[ Quit ]  Return to Advanced menu
Using the advice from TestDisk, it's possible to repair the filesystem (fsck.ext2 writes its repairs into the image, so do this on a working copy and keep the original evidence untouched):

$ fsck.ext2 -p -b 8193 -B 1024 12-carve-ext2.dd
12-carve-ext2.dd was not cleanly unmounted, check forced.
12-carve-ext2.dd: 19/31616 files (0.0% non-contiguous), 6521/126324 blocks
This way, all non-deleted files are available. After recovering the two deleted files using PhotoRec, all the files are recovered. This solution is the cleanest.
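An added example, not from the page or from TestDisk, of the two things the Superblock option does: enumerate where ext2 keeps backup superblocks under sparse_super, and brute-force an image for them when the primary copy is unusable. The demo image is constructed; PAGE_IMAGE uses the geometry visible in the fsck output above (126324 blocks of 1024 bytes, 8192 blocks per group).

```python
"""Locate ext2 backup superblocks the way TestDisk's Superblock option does.
Added example, not TestDisk's code; the demo image below is constructed."""
import math
import struct

EXT2_SUPER_MAGIC = 0xEF53
RO_COMPAT_SPARSE_SUPER = 0x0001


def parse_superblock(sb: bytes) -> dict:
    """Decode the fields needed here, at their fixed ext2 superblock offsets."""
    blocks_count, = struct.unpack_from("<I", sb, 4)
    first_data_block, log_block_size = struct.unpack_from("<II", sb, 20)
    blocks_per_group, = struct.unpack_from("<I", sb, 32)
    magic, = struct.unpack_from("<H", sb, 56)
    ro_compat, = struct.unpack_from("<I", sb, 100)
    return {"magic": magic, "blocks_count": blocks_count,
            "first_data_block": first_data_block,
            "block_size": 1024 << log_block_size,
            "blocks_per_group": blocks_per_group,
            "sparse_super": bool(ro_compat & RO_COMPAT_SPARSE_SUPER)}


def group_has_superblock(group: int, sparse: bool) -> bool:
    """With sparse_super only groups 0, 1 and powers of 3, 5 and 7 hold a copy."""
    if not sparse or group <= 1:
        return True
    for base in (3, 5, 7):
        n = base
        while n < group:
            n *= base
        if n == group:
            return True
    return False


def backup_superblock_blocks(sb: dict) -> list:
    """Block numbers of the backup copies: the values that go after fsck -b."""
    groups = math.ceil((sb["blocks_count"] - sb["first_data_block"]) / sb["blocks_per_group"])
    return [sb["first_data_block"] + g * sb["blocks_per_group"]
            for g in range(1, groups) if group_has_superblock(g, sb["sparse_super"])]


def scan_image(img: bytes) -> list:
    """Brute force for when the primary superblock is corrupt: test every 1 KiB
    boundary for the magic, then require the candidate's own geometry to place a
    backup exactly there, so random 0xEF53 words in file content are not reported.
    Returns (block_number, block_size) pairs, as TestDisk prints them."""
    hits = []
    for off in range(0, len(img) - 1023, 1024):
        sb = parse_superblock(img[off:off + 1024])
        if sb["magic"] != EXT2_SUPER_MAGIC:
            continue
        bs = sb["block_size"]
        if bs not in (1024, 2048, 4096) or sb["blocks_per_group"] != 8 * bs:
            continue
        if off % bs == 0 and off // bs in backup_superblock_blocks(sb):
            hits.append((off // bs, bs))
    return hits


def fsck_command(block: int, block_size: int, device: str) -> str:
    """The repair line TestDisk prints; run it against a working copy only."""
    return f"fsck.ext2 -p -b {block} -B {block_size} {device}"


def make_superblock(blocks_count: int, block_size: int, sparse: bool = True) -> bytes:
    """Constructed superblock with default ext2 geometry (8 * block_size blocks per group)."""
    sb = bytearray(1024)
    struct.pack_into("<I", sb, 4, blocks_count)
    struct.pack_into("<II", sb, 20, 1 if block_size == 1024 else 0,
                     (block_size // 1024).bit_length() - 1)
    struct.pack_into("<I", sb, 32, 8 * block_size)
    struct.pack_into("<H", sb, 56, EXT2_SUPER_MAGIC)
    struct.pack_into("<I", sb, 100, RO_COMPAT_SPARSE_SUPER if sparse else 0)
    return bytes(sb)


def build_demo_image() -> bytes:
    """20000 blocks of 1 KiB: primary superblock wiped (as in 12-carve-ext2.dd),
    backup intact in group 1 (block 8193), plus a decoy magic word at block 5000."""
    img = bytearray(20000 * 1024)
    img[8193 * 1024:8194 * 1024] = make_superblock(20000, 1024)
    struct.pack_into("<H", img, 5000 * 1024 + 56, EXT2_SUPER_MAGIC)   # decoy
    return bytes(img)


# Geometry of the page's 12-carve-ext2.dd, read off the fsck output above.
PAGE_IMAGE = {"blocks_count": 126324, "first_data_block": 1, "block_size": 1024,
              "blocks_per_group": 8192, "sparse_super": True}
```

backup_superblock_blocks(PAGE_IMAGE) reproduces the five locations TestDisk lists (8193, 24577, 40961, 57345, 73729: groups 1, 3, 5, 7 and 9 of the sixteen), and scan_image(build_demo_image()) reports only the real backup at block 8193, not the decoy.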
Copy files from the damaged ext2 filesystem using TestDisk
Run testdisk 12-carve-ext2.dd, Partition type: None, Advanced, List. For each file, press c to copy it.
TestDisk 7.1-WIP, Data Recovery Utility, August 2016
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
 P ext2                     0   0  1    15 185 20     252650
Directory /
>drwxr-xr-x     0     0      1024 10-Mar-2005 19:04 .
 drwxr-xr-x     0     0      1024 10-Mar-2005 19:04 ..
 drwx------     0     0     12288 10-Mar-2005 17:41 lost+found
 -rw-r--r--     0     0     18663 10-Mar-2005 19:01 blogo.gif
 -rw-r--r--     0     0     28949 10-Mar-2005 19:01 jn.jpg
 -rw-r--r--     0     0     26618 10-Mar-2005 19:01 lin_test.pdf
 -rw-r--r--     0     0      8463 10-Mar-2005 19:01 main_dive.jpg
 -rw-r--r--     0     0    734652 10-Mar-2005 19:01 n_lin_ss.pdf
 -rw-r--r--     0     0    133249 10-Mar-2005 19:01 sherry.jpg
 -rw-r--r--     0     0     15360 10-Mar-2005 19:01 stats.xls
 -rw-r--r--     0     0     17408 10-Mar-2005 19:01 test.ppt
Next
Use Right to change directory, h to hide deleted files
    q to quit, : to select the current file, a to select all files
    C to copy the selected files, c to copy the current file
Unfortunately, the deleted files don't show up.
File carving using PhotoRec
PhotoRec is a signature-based file carver. Run photorec 12-carve-ext2.dd, Search, filesystem type: ext2/ext3, [Whole]
PhotoRec 7.1-WIP, Data Recovery Utility, August 2016
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org

Disk /home/kmaster/data/data_for_testdisk/12-carve-ext2/12-carve-ext2.dd - 129 MB / 123 MiB (RO)
     Partition                  Start        End    Size in sectors
 P ext2                     0   0  1    15 185 20     252650

10 files saved in /home/kmaster/recup_dir directory.
Recovery completed.
You are welcome to donate to support and encourage further development
https://www.cgsecurity.org/wiki/Donation

                                  [ Quit ]
All the files, deleted and non-deleted, are recovered. If only deleted files are wanted, choose [Free] instead of [Whole].
DFRWS
DFRWS 2006 Forensics Challenge - Data carving
After downloading the challenge archive, it's possible to run PhotoRec
- in a fully automated way:
  photorec /debug /log /d recup_dir /cmd dfrws-2006-challenge.raw options,paranoid_bf,keep_corrupted_file,search
- or in the interactive fashion:
  photorec /debug /log dfrws-2006-challenge.raw
  then, in the options menu, enable the brute-force search mode and tell PhotoRec to keep corrupted files
Results:
- Fragments of HTML and ASCII files are recovered.
- Microsoft Office documents: all files are recovered perfectly except one. The file 2c.xls is recovered as the broken file b0002051.doc.
- JPEG files: 3h1.jpg and 3h2.jpg aren't recovered successfully; two broken files, b0031475.jpg and b0031533.jpg, are produced instead.
- ZIP recovery: all files are recovered except 4c.zip, the ZIP file fragmented with random data in between. PhotoRec detects that the recovered zip is broken and recovers it as b0045015.zip.
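As an added example (not the page's or PhotoRec's code), the following decodes PhotoRec's output file names and runs the same MD5 check the tests on this page use; it serves this section and the f/b listings in the DFRWS 2008 and scan24 sections below. It assumes the naming convention letter + first sector (512-byte sectors, counted from the start of the searched partition) + optional name hint + extension, where f is a recovered file, b a broken one kept by keep_corrupted_file and t an EXIF thumbnail; the sample names, file contents and manifest are constructed.

```python
"""Triage a PhotoRec recup_dir: decode the generated file names and check the
recovered files against known-good MD5s (the DFTT method used on this page).
Added example, not PhotoRec's code. Assumed naming convention:
  <f|b|t><first sector>[_ or - <name hint from the file's metadata>].<ext>"""
import hashlib
import re
from pathlib import Path

SECTOR_SIZE = 512                       # assumption: PhotoRec counts 512-byte sectors
NAME_RE = re.compile(r"^(?P<kind>[fbt])(?P<sector>\d+)(?:[_-](?P<hint>.+?))?\.(?P<ext>[^.]+)$")
KINDS = {"f": "recovered", "b": "broken", "t": "thumbnail"}


def parse_photorec_name(name: str) -> dict:
    """Split a PhotoRec file name into kind, start sector/offset, hint and extension."""
    m = NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a PhotoRec file name: {name}")
    sector = int(m.group("sector"))
    return {"name": name, "kind": KINDS[m.group("kind")], "sector": sector,
            "offset": sector * SECTOR_SIZE,          # byte offset inside the partition
            "hint": m.group("hint"), "ext": m.group("ext").lower()}


def triage(names) -> dict:
    """Group a listing into recovered / broken / thumbnail, each sorted by position,
    so broken (b) files can be reviewed separately from the trustworthy ones."""
    out = {kind: [] for kind in KINDS.values()}
    for name in names:
        entry = parse_photorec_name(name)
        out[entry["kind"]].append(entry)
    for lst in out.values():
        lst.sort(key=lambda e: e["sector"])
    return out


def verify_hashes(files: dict, manifest: dict) -> dict:
    """files: recovered name -> bytes; manifest: original name -> expected MD5 hex.
    Returns original name -> matching recovered file name, or None if no file
    hashes to the expected value (e.g. 2c.xls in the DFRWS 2006 results)."""
    by_md5 = {hashlib.md5(data).hexdigest(): name for name, data in files.items()}
    return {orig: by_md5.get(md5.lower()) for orig, md5 in manifest.items()}


def verify_output_dir(parent: str, manifest: dict) -> dict:
    """Same check over what PhotoRec wrote to disk (recup_dir.1, recup_dir.2, ...)."""
    files = {p.name: p.read_bytes()
             for p in Path(parent).glob("recup_dir.*/*") if p.is_file()}
    return verify_hashes(files, manifest)


# Constructed sample: names taken from the DFRWS 2006, DFRWS 2008 and scan24 results.
SAMPLE_NAMES = ["b0002051.doc", "f0002635.exe", "b0031475.jpg", "b0031533.jpg",
                "b0045015.zip", "f0000033_Jimmy_Jungle.doc", "f0017207-0.indexPositions"]
SAMPLE_FILES = {"f0000033_Jimmy_Jungle.doc": b"constructed document body\n",
                "b0002051.doc": b"constructed, truncated docu"}
SAMPLE_MANIFEST = {"Jimmy_Jungle.doc": hashlib.md5(b"constructed document body\n").hexdigest(),
                   "2c.xls": "00000000000000000000000000000000"}   # placeholder, never matches
```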
DFRWS 2008 Rodeo - Data carving or FAT unformat?
Download the image file. We will analyze the thumbdrive image.
- Run testdisk dfrws2008-rodeo-thumbdrive.img
- Partition type: Intel
- Advanced
- Undelete
TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
 1 P FAT32 LBA                0   0  2    15 186 19     252711
Directory /
No file found, filesystem seems damaged.
Use Right arrow to change directory, c to copy, h to hide deleted files, q to quit
No file is listed!
PhotoRec can recover most files using its signature-based recovery strategy.
- Run photorec dfrws2008-rodeo-thumbdrive.img
- Partition type: Intel
- Search
- Select Other as the filesystem was FAT
- [ Free ]
- Various files are recovered. For some, PhotoRec has been able to extract the filename from the files themselves:
f0002635.exe
f0006563.exe
f0011519_wget.exe
f0012155_libeay32.dll
f0015983_libintl3.dll
f0006239.zip
f0011349.zip
f0011763_ssleay32.dll
f0014227_libiconv2.dll
f0016187_upx.exe
Let's now try the unformat function from PhotoRec.
- Run photorec dfrws2008-rodeo-thumbdrive.img
- Partition type: Intel
- Enable the expert mode in Options
- Search
- Select Other as the filesystem was FAT
- [ Free ]
- Choose to try to unformat the filesystem, note that it doesn't modify the source disk
- Use the default values
- Don't create an image with the blocks where no data has been identified
- Examine the recovered files
Using the information found during the "unformat" phase, PhotoRec has been able to identify more files:
f0016979-._501
f0017207-0.indexPositions
f0017375-live.0.indexTermIds
f0017019-0.indexIds
f0017231-0.indexDirectory
f0017391-live.0.indexPositions
f0017083-0.indexGroups
f0017255-0.indexCompactDirectory
f0017399-live.0.indexPositionTable
f0017183-0.indexPostings
f0017295-live.0.indexIds
f0017415-live.0.indexDirectory
f0017187-0.indexHead
f0017359-live.0.indexGroups
f0017571-live.0.indexHead
f0017195-0.shadowIndexHead
f0017367-live.0.indexPostings
f0017939-0.indexArrays
ForensicKB
Simple Forensic Puzzle #1
In this puzzle, the partition types don't match the filesystem types.
- Run testdisk www.lancemueller.com/blog/evidence/Forensic Puzzle.E01
- Partition table type: Intel
- Analyse
TestDisk 6.13-WIP, Data Recovery Utility, May 2011
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org

Image www.lancemueller.com/blog/evidence/Forensic Puzzle.E01 - 1573 MB / 1501 MiB - CHS 3074048 1 1
Current partition structure:
     Partition                  Start        End    Size in sectors

check_FAT: Unusual number of reserved sectors 4 (FAT), should be 1.
Warning: Incorrect number of heads/cylinder 255 (FAT) != 1 (HD)
Warning: Incorrect number of sectors per track 63 (FAT) != 1 (HD)
 1 P FAT32 LBA                2048    1026047    1024000 [NO NAME]
Warning: Bad starting sector (CHS and LBA don't match)
Invalid NTFS or EXFAT boot
 2 P HPFS - NTFS           1026048    2050047    1024000
 2 P HPFS - NTFS           1026048    2050047    1024000
Warning: Bad starting sector (CHS and LBA don't match)
Invalid FAT boot sector
 3 P FAT16 >32M            2050048    3074047    1024000
 3 P FAT16 >32M            2050048    3074047    1024000
Warning: Bad starting sector (CHS and LBA don't match)
No partition is bootable

*=Primary bootable  P=Primary  L=Logical  E=Extended  D=Deleted
>[Quick Search]  [ Backup ]
                            Try to locate partition
The partition types are currently FAT32 LBA, NTFS and FAT16 >32M.
- Quick Search
TestDisk 6.13-WIP, Data Recovery Utility, May 2011
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org

Image www.lancemueller.com/blog/evidence/Forensic Puzzle.E01 - 1573 MB / 1501 MiB - CHS 3074048 1 1
     Partition                  Start        End    Size in sectors
>* FAT16 LBA                   2048    1026047    1024000 [NO NAME]
 P FAT32 LBA                1026048    2050047    1024000 [NEW VOLUME]
 P HPFS - NTFS              2050048    3074047    1024000 [New Volume]
The partition types should be FAT16 LBA, FAT32 LBA and NTFS.
NTFS Alternate Data Stream
Alternate Data Streams can be created not only for files but also for directories. Here is an example:

TestDisk 6.13-WIP, Data Recovery Utility, May 2011
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
 P NTFS                     0   2059766    2059767
Directory /
>dr-xr-xr-x     0     0         0 25-Mar-2011 01:06 .
 -r--r--r--     0     0    780831 25-Mar-2011 01:06 .:$Secure.$SDI
 -r--r--r--     0     0    845941 25-Mar-2011 01:06 .:$TXF_DATA
 dr-xr-xr-x     0     0         0 25-Mar-2011 01:06 ..
 -r--r--r--     0     0    780831 25-Mar-2011 01:06 ..:$Secure.$SDI
 -r--r--r--     0     0    845941 25-Mar-2011 01:06 ..:$TXF_DATA
Use Right to change directory
    q to quit, : to select the current file, a to select all files
    C to copy the selected files, c to copy the current file

Those two ADS, attached to the root directory and named after NTFS system attributes, are valid JPEG files.
LinuxLeo
Several small disk images can be found on The Law Enforcement and Forensic Examiner's Introduction to Linux website.
Undelete file from a FAT12 filesystem
- Download the Floppy Practice Image
- Run testdisk practical.floppy.dd
- Partition type: None
- Advanced
- Undelete
- Navigate in /Docs/Private
- Deleted files are displayed in red; select ReyHalif.doc and press c to copy the file
TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
 P FAT12                    0   0  1    79   1 18       2880 [NO NAME]
Directory /Docs/Private
>drwxr-xr-x     0     0         0 23-Sep-2000 16:21 .
 drwxr-xr-x     0     0         0 23-Sep-2000 16:21 ..
 -rwxr-xr-x     0     0       725 23-Sep-2000 16:10 ReyHalif.doc
Use Left arrow to go back, Right arrow to change directory, c to copy, h to hide deleted files, q to quit
File carving using PhotoRec from a FAT12
- Download the Floppy Practice Image
- Run photorec practical.floppy.dd
- Partition type: None
- Select the FAT12 and choose Search
- If using PhotoRec 6.12 or later, you can choose to carve the free space only.
- Select where to store the recovered files
- One file is recovered; its content matches ReyHalif.doc.
Recover deleted files from an ext2 filesystem
- Download the "Able2" Ext2 Disk Image
- Run testdisk able2.dd
- Partition type: Intel
- Advanced
- Select the second Linux partition
- Undelete
- Navigate in /root
TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
 2 P Linux                    0 162 55     7   6 27     102600
Directory /root
>drwxr-x---     0     0      1024 10-Aug-2003 06:10 .
 drwxr-xr-x     0     0      1024 10-Aug-2003 06:15 ..
 -rw-r--r--     0     0      1126 23-Aug-1995 21:02 .Xdefaults
 -rw-r--r--     0     0        24 14-Jul-1994 03:57 .bash_logout
 -rw-r--r--     0     0       238 23-Aug-1995 21:03 .bash_profile
 -rw-r--r--     0     0       176 23-Aug-1995 21:04 .bashrc
 -rw-r--r--     0     0       182 22-Mar-1999 05:00 .cshrc
 -rw-r--r--     0     0       166  4-Mar-1996 16:07 .tcshrc
 -rw-------     0     0      2500 10-Aug-2003 06:34 .bash_history
 -rw-r--r--     0     0   1339047 10-Aug-2003 06:08 lolit_pics.tar.gz
 -rw-r--r--     0     0   3639016 10-Aug-2003 06:08 lrkn.tgz
Use Left arrow to go back, Right arrow to change directory, c to copy, h to hide deleted files, q to quit
- The deleted files (the last two in the listing) can be copied to the local disk
Recover lost data from the free space of an ext2 filesystem
- Download the "Able2" Ext2 Disk Image
- Run photorec able2.dd
- Partition type: Intel
- Advanced
- Select the fourth Linux partition
- Search
- Filesystem type is ext2/ext3
- Select [ Free ] to scan for files in the ext2/ext3 unallocated space only
PhotoRec 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org

Disk able2.dd - 345 MB / 329 MiB (RO)
     Partition                  Start        End    Size in sectors
 4 P Linux                   11  31 28    42  11 27     496755

27 files saved in /home/kmaster/recup_dir directory.
Recovery completed.

                                  [ Quit ]
- Examine the recup_dir.1 directory: 27 mp3 files are awaiting you.
Recover deleted files from an NTFS partition
- Download the NTFS Image
- Run testdisk ntfs_pract.dd
- Partition type: Intel
- Advanced
- Undelete
TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
 1 P HPFS - NTFS              0   0 60    63 174  3    1023001 [NEW VOLUME]
Deleted files
>/Cookies/buckyball@revsci[2].txt                          14-Oct-2006 16:31     253
 /Cookies/buckyball@search.msn[1].txt                      14-Oct-2006 16:42     322
 /Cookies/buckyball@slashdot[1].txt                        14-Oct-2006 16:32     335
 /Cookies/buckyball@sony.aol[2].txt                        25-Nov-2006 00:41      78
 /My Documents/My Pictures/bandit-streetortrack2005056.jpg 14-Oct-2006 16:37  112063
 /My Documents/My Pictures/fighterama2005-ban4.jpg         10-Nov-2006 00:30  187738
 /My Documents/direct_attacks.doc                          26-Oct-2006 00:14   35328
Use : to select the current file, a to select/deselect all files, C to copy the selected files, c to copy the current file, q to quit
Recover lost data from the free space of an NTFS partition
- Download the NTFS Image
- Run photorec ntfs_pract.dd
- Partition type: Intel
- Search
- Select [ Other ] as the filesystem is NTFS
- Select [ Free ] to carve data from the free space only
- Select where to store the recovered files
PhotoRec 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org

Disk ntfs_pract.dd - 524 MB / 500 MiB (RO)
     Partition                  Start        End    Size in sectors
 1 P HPFS - NTFS              0   0 60    63 174  3    1023001 [NEW VOLUME]

3 files saved in /home/kmaster/recup_dir directory.
Recovery completed.

                                  [ Quit ]
The Word document (.doc) and the two JPEG pictures have been recovered.
Discover NTFS Alternate Data Stream (ADS)
- Download the NTFS Image
- Run testdisk ntfs_pract.dd
- Partition type: Intel
- Advanced
- List
TestDisk 6.13-WIP, Data Recovery Utility, May 2011
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
 1 P HPFS - NTFS              0   0 60    63 174  3    1023001 [NEW VOLUME]
Directory /
>dr-xr-xr-x     0     0         0  7-Apr-2007 06:59 .
 dr-xr-xr-x     0     0         0  7-Apr-2007 06:59 ..
 dr-xr-xr-x     0     0         0  8-Apr-2007 02:00 Cookies
 dr-xr-xr-x     0     0         0  7-Apr-2007 00:53 Desktop
 dr-xr-xr-x     0     0         0  4-Apr-2007 20:41 Favorites
 dr-xr-xr-x     0     0         0  8-Apr-2007 01:59 My Documents
 -r--r--r--     0     0   1572864  7-Apr-2007 06:59 NTUSER.DAT
 -r--r--r--     0     0   3823004  7-Apr-2007 06:29 SVstunts.avi
 -r--r--r--     0     0      7212  7-Apr-2007 06:29 SVstunts.avi:hacktrap.txt
Use Right to change directory
    q to quit, : to select the current file, a to select all files
    C to copy the selected files, c to copy the current file
The hidden document SVstunts.avi:hacktrap.txt can be copied.
Honeynet - Scan of the month
scan15: recovery of deleted files from an ext2 filesystem
- Download the archive from http://old.honeynet.org/scans/scan15/
- Decompress the archive
- Run testdisk honeynet/honeypot.hda8.dd
- Partition type: None
- Advanced
- Undelete
TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
 P ext2                     0   0  1    32 253 63     530082
Directory /
>drwxr-xr-x     0     0      1024 16-Mar-2001 02:45 .
 drwxr-xr-x     0     0      1024 16-Mar-2001 02:45 ..
 drwxr-xr-x     0     0     12288 15-Mar-2001 12:09 lost+found
 drwxr-xr-x     0     0      1024 15-Mar-2001 12:09 boot
 drwxr-xr-x     0     0      1024 15-Mar-2001 12:09 home
 drwxr-xr-x     0     0      1024 15-Mar-2001 12:10 usr
 drwxr-xr-x     0     0      1024 15-Mar-2001 12:10 var
 drwxr-xr-x     0     0      1024 15-Mar-2001 12:10 proc
 drwxrwxrwt     0     0      1024 16-Mar-2001 15:48 tmp
 drwxr-xr-x     0     0     34816 16-Mar-2001 02:45 dev
 drwxr-xr-x     0     0      3072 16-Mar-2001 02:45 etc
 drwxr-xr-x     0     0      2048 16-Mar-2001 02:45 bin
 drwxr-xr-x     0     0      3072 15-Mar-2001 12:18 lib
 drwxr-xr-x     0     0      1024 15-Mar-2001 12:10 mnt
 drwxr-xr-x     0     0      1024 23-Aug-1999 18:03 opt
 drwxr-x---     0     0      1024 15-Mar-2001 18:23 root
 drwxr-xr-x     0     0      3072 16-Mar-2001 02:45 sbin
 drwxr-xr-x     0     0      1024 15-Mar-2001 18:23 floppy
 -rw-r--r--     0     0    520333 16-Mar-2001 02:36 lk.tgz
 drwxr-xr-x  1031   100         0 16-Mar-2001 02:45 last
Use Right arrow to change directory, c to copy, h to hide deleted files, q to quit
The last two lines list a deleted file and a deleted directory containing several deleted files.
- Select the file and press c to get a copy
- Other deleted files can be found in /tmp, /etc, /etc/X11/fs, /etc/rc.d/rc[0-6].d and /etc/pam.d
To get a listing of all the files, run testdisk /log /cmd honeynet/honeypot.hda8.dd advanced,list,recursive and check the testdisk.log file. Lines listing deleted files begin with an X.
scan24: recovery from a damaged FAT12
- Download the image from http://old.honeynet.org/scans/scan24/
- Run testdisk scan24.dd
- Partition type: None
- Advanced
- Undelete
TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org
 P FAT12                    0   0  1    79   1 18       2880 [NO NAME]
Directory /
>-rwxr-xr-x     0     0     15585 11-Sep-2002 09:30 cover page.jpgc
 -rwxr-xr-x     0     0      1000 24-May-2002 09:20 SCHEDU~1.EXE
 -rwxr-xr-x     0     0      4096 14-Oct-2002 15:18 _OVERP~1.SWP
Use Right arrow to change directory, c to copy, h to hide deleted files, q to quit
- Copy the files
- We can now examine the files and discover that the exe file is a zip archive and that all files are corrupted. Let's try another method.
- Run photorec scan24.dd
- Partition type: None
- Search
- Select Other as the filesystem was FAT
- [ Whole ] to recover all the files and ignore the File Allocation Table (FAT)
PhotoRec 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
https://www.cgsecurity.org

Disk scan24.dd - 1474 KB / 1440 KiB (RO)
     Partition                  Start        End    Size in sectors
 P FAT12                    0   0  1    79   1 18       2880 [NO NAME]

3 files saved in /home/kmaster/recup_dir directory.
Recovery completed.

                                  [ Quit ]
- Check the recovered files
$ ls -l
total 36
-rw-rw-r--. 1 kmaster kmaster 20480 Apr 15  2002 f0000033_Jimmy_Jungle.doc
-rw-rw-r--. 1 kmaster kmaster  8754 Nov  9 20:44 f0000073.jpg
-rw-rw-r--. 1 kmaster kmaster  2420 Nov  9 20:44 f0000104.zip
The files are perfectly recovered. The challenge isn't finished but PhotoRec helps a lot ;-)
Others
Challenge DC3 2012 DC3 Digital Forensics Challenge