Lets start with file carving concepts. What is it and how do we use it.
According to forensicwiki.org:
File Carving, or sometimes simply Carving, is the practice of searching an input for files or other kinds of objects based on content, rather than on metadata. File carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing, as may be the case with old files that have been deleted or when performing an analysis on damaged media. Memory carving is a useful tool for analyzing physical and virtual memory dumps when the memory structures are unknown or have been overwritten.
Essentially file carving is searching for files or parts of files on a disk in areas of the disk that are unstructured data. The way that it does this is by looking for specific headers and footers of file types. For example lets take a look at the following picture:
Go ahead and download (NOTE: you must open the image completely to download it properly) this image to your desktop and we will look at the hex (I've only copied out the first fifty bytes of the file for this example).
$ cat forExample.png | hd | less
00000000 89 50 4e 47 0d 0a 1a 0a 00 00 00 0d 49 48 44 52 |.PNG........IHDR|
00000010 00 00 02 26 00 00 01 6d 08 02 00 00 00 bc db 36 |...&...m.......6|
00000020 23 00 00 00 09 70 48 59 73 00 00 0b 13 00 00 0b |#....pHYs.......|
00000030 13 01 00 9a 9c 18 00 00 00 07 74 49 4d 45 07 de |..........tIME..|
00000040 08 03 00 36 11 25 89 82 57 00 00 20 00 49 44 41 |...6.%..W.. .IDA|
00000050 54 78 01 00 fc 80 03 7f 00 ff ff ff ff ff ff ff |Tx..............|
The first eight bytes ( 89 50 4e 47 0d 0a 1a 0a ) of the file are the file header. Notice on the right side that in plane text (ASCII) the bytes include the file extension for this particular file ( .PNG.... ) the dots are hex characters that can't be displayed in ASCII. Now lets take a look at the next picture:
And lets view that one in hex:
$ cat forExample2.jpg | hd | less
00000000 ff d8 ff e0 00 10 4a 46 49 46 00 01 01 01 00 48 |......JFIF.....H|
00000010 00 48 00 00 ff db 00 43 00 ff ff ff ff ff ff ff |.H.....C........|
00000020 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
00000050 ff ff ff ff ff ff ff ff ff ff db 00 43 01 ff ff |............C...|
We can see that despite these photos looking the same they have different headers. Every file type has headers (some even have footers) that help us and the computer to identify them. Each of these headers is unique.
Now think of how data is stored. Remember how data for a file always starts at the beginning of a sector? This makes it pretty easy to data carve right? Now, if you saw the large JFIF in unallocated disk space you would know that a JPEG image was stored there! Data carvers work in the same way. They look through the unallocated space and search for file header and footers (or file signatures). One thing to note is that modern file carvers look at all the data, not just the beginning of each sector. The reason for this is because databases are considered one file but may contain multiple images which means the beginning of the file may be found anywhere in a sector. Databases are not the only files that may contain an image inside of them. Compound document files, audio files and others may contain images inside of them as well.
So lets talk about PhotoRec. PhotoRec is an open source file carving tool that is fairly simple and can be used to carve complete disks (or disk images) or even better, unallocated space.
$ img_stat ITEM_2.E01
IMAGE FILE INFORMATION
--------------------------------------------
Image Type: ewf
Size of data in bytes: 4089446400
MD5 hash of data: 70617ea51ddb14b412b3889d861e0c83
$ img_cat ITEM_2.E01 | md5sum
70617ea51ddb14b412b3889d861e0c83 -
$ mmls -B ITEM_2.E01
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Size Description
00: Meta 0000000000 0000000000 0000000001 0512B Primary Table (#0)
01: ----- 0000000000 0000000141 0000000142 0071K Unallocated
02: 00:00 0000000142 0007987199 0007987058 0003G Win95 FAT32 (0x0c)
$ xmount --in ewf ITEM_2.E01 /E01Mnt/RAW/
$ ls /E01Mnt/RAW/
ITEM_2.dd ITEM_2.info
You have all seen this before but I wanted to you to see it again. If you need to review any of these commands you can find them here:
At this point we've confirmed the content of the E01 file is still accurate. Identified the primary partition starts at sector 142, and exposed the E01 as a .dd file.
$ cat /E01Mnt/RAW/ITEM_2.info
The following values have been extracted from the mounted image file:
Case number: 2014-********
Description: ITEM_2
Examiner: ***
Evidence number: ITEM_2
Notes: ***********************
Acquiry date: Thu Jul 24 15:11:40 2014
System date: Thu Jul 24 15:11:40 2014
Acquiry os: Windows 7
Acquiry sw version: ADI3.1.4.6
MD5 hash: 70617ea51ddb14b412b3889d861e0c83
SHA1 hash: ac62c32e9ba584b7c3c427530ae6173da790cb8a
$ md5sum /E01Mnt/RAW/ITEM_2.dd
70617ea51ddb14b412b3889d861e0c83 /E01Mnt/RAW/ITEM_2.dd
Next I reviewed the .info file created when xmount made the E01 visible as a .dd file using the cat command (which I sanitized for anonymity sake. Now we can use PhotoRec on this device.
$ sudo photorec /E01Mnt/RAW/ITEM_2.dd
PhotoRec 6.14, Data Recovery Utility, July 2013
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
Once the command has successfully executed we will get an interactive environment in the terminal like you see below.
Below you can see that you have the option to carve the entire disk or just the FAT32 file system.
Below is you can see that PhotoRec gives you the option to carve for more than just photos like the name implies.
Below you select your file system.
Then you will be asked if you want to carve the whole partition or just the unallocated space.
Finally, when it has completed finished searching the space it will tell you how many files were carved and where it placed them.
There is a step where you select where you want the files exported but that step is not displayed. In the future I will be writing a post on file carving with both Foremost and Scalpel.
Enjoy!
No comments:
Post a Comment