Tuesday, 20 November 2012

Ubuntu 12.10: Recovering removed files on a FAT32 USB stick

Have you ever removed a file from your disk and later on regretted it? I am pretty sure you have; recently it happened to one of my colleagues. The lost, or should I say deleted, file was a document (.docx) on a USB stick.

Unfortunately none of the free Windows-based utilities was able to do the job, so we decided to give the Linux-based open source utilities a try. On the net I found two utilities (scalpel originated from foremost) that could be used for that purpose (actually there were more, but these looked the most promising):
1) scalpel
2) foremost

Both are available in the Ubuntu repos; below you can find some guidelines on installing and configuring the utilities. Before we start, a few things about my environment:
1) /dev/sdb1 - USB stick device
2) /tmp/recovery - the directory where the recovered files will be put

Please keep in mind that if you have the automount feature turned on (which automatically mounts the device from which you would like to recover files), make sure you unmount it (in my opinion it is safer to do so).

Scalpel

Scalpel was the first utility that I decided to try. First you need to install it using apt-get as follows:

# apt-get install scalpel

# dpkg -l | grep scalpel
ii  scalpel                                                     1.60-1build1                                 amd64        A Frugal, High Performance File Carver

The scalpel utility comes with a configuration file located at /etc/scalpel/scalpel.conf; in the default configuration shipped with the package all file types are commented out (not configured). Fortunately it already has sample definitions for most typical file types, so all you need to do is edit the file and uncomment the lines for the file types you want to recover (in my case .doc):

# vim /etc/scalpel/scalpel.conf
...
doc     y       10000000  \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 NEXT
doc     y       10000000  \xd0\xcf\x11\xe0\xa1\xb1
...

Now all you need to do is launch scalpel as follows:

# scalpel /dev/sdb1 -o /tmp/recovery/scalpel

Afterwards go to the output directory, where you should find the recovered files (in my case the recovered files were placed in two folders, doc-0-0 and doc-1-0):

# ls -l
-rw-r--r-- 1 root root      760 Nov 20 13:03 audit.txt
drwxr-xr-x 2 root root     4096 Nov 20 13:05 doc-0-0
drwxr-xr-x 2 root root     4096 Nov 20 13:06 doc-1-0
#

Unfortunately it recovered only .doc files and not a single .docx! I tried to find a proper definition for .docx that could be placed in the scalpel.conf file; I found one example on the net, but it did not work in my case, so I guess the definition was not correct.

To summarize, scalpel recovered the document files (.doc) very fast (2 GB USB stick), but I was not able to make it work for .docx.

That is why I checked the second tool...

Foremost

As mentioned before, foremost is available in the standard Ubuntu repos, so all you need to do is install it using apt-get as shown below:

# apt-get install foremost

# dpkg -l | grep foremost
ii  foremost                                                    1.5.7-2                                      amd64        forensic program to recover lost files

Foremost has a set of predefined file formats (types) to recover, but there is no configuration file like in scalpel. On the other hand, this makes the utility simpler for a first-time user.
Below you can find the command I tried, with the file types doc, ole and zip.

# foremost -t doc,ole,zip -i /dev/sdb1 -o /tmp/recovery/foremost

It took a bit longer than scalpel, but... after checking the output directory:

# ls -l
-rw-r--r-- 1 root root     2405 Nov 20 13:25 audit.txt
drwxr-xr-- 2 root root     4096 Nov 20 13:26 docx
drwxr-xr-- 2 root root     4096 Nov 20 13:24 ole
drwxr-xr-- 2 root root     4096 Nov 20 13:24 zip
#

Voila! In the docx directory I could find the docx files!
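Both tools work the same way underneath: they ignore the (FAT32) directory structure and scan the raw device for known file signatures, cutting each hit at a footer or at a maximum size, exactly what the uncommented scalpel.conf "doc" lines above describe. The following Python script is an added example written for this post; it is not code from scalpel or foremost, and its rule set, the sample "image" and the docx detection are constructed assumptions. It shows why a header-only rule (the OLE magic of a legacy .doc) over-carves, and why a .docx shows up as a ZIP: it is an Office Open XML container, so carving by the ZIP local-file-header and end-of-central-directory signatures and then looking for [Content_Types].xml inside is enough to tell it apart from a plain .zip.

```python
import io
import os
import tempfile
import zipfile

# Carving rules in the spirit of a scalpel.conf line (header, footer, max size).
# Constructed for this example; they are not scalpel's or foremost's own definitions.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound document (legacy .doc)
ZIP_HEADER = b"PK\x03\x04"                        # ZIP local file header (.docx is a ZIP)
ZIP_EOCD = b"PK\x05\x06"                          # ZIP end-of-central-directory record

RULES = {
    # OLE has no reliable footer, so a carve runs to max_size (or the end of the image),
    # which is the over-carving behaviour of a header-only rule.
    "ole": {"header": OLE_MAGIC, "footer": None, "max_size": 10_000_000},
    "zip": {"header": ZIP_HEADER, "footer": ZIP_EOCD, "max_size": 10_000_000},
}


def carve(image, rules=RULES):
    """Scan raw bytes for each rule's header and return [(rule, offset, data), ...]."""
    carved = []
    for name, rule in rules.items():
        header, footer, max_size = rule["header"], rule["footer"], rule["max_size"]
        start = image.find(header)
        while start != -1:
            window = image[start:start + max_size]
            end, matched_footer = len(window), False
            if footer is not None:
                fidx = window.find(footer, len(header))
                if fidx != -1:
                    # EOCD is 22 bytes plus an optional comment whose length sits at offset 20.
                    comment_len = int.from_bytes(window[fidx + 20:fidx + 22], "little")
                    end = min(fidx + 22 + comment_len, len(window))
                    matched_footer = True
            carved.append((name, start, window[:end]))
            # After a complete carve skip past it (a ZIP holds one PK\x03\x04 per entry);
            # otherwise just move past this header and look for the next one.
            step = end if matched_footer else len(header)
            start = image.find(header, start + step)
    return carved


def classify(name, data):
    """Tell a .docx (Office Open XML container) apart from a plain ZIP by its contents."""
    if name != "zip":
        return name
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "docx" if "[Content_Types].xml" in zf.namelist() else "zip"
    except zipfile.BadZipFile:
        return "zip-damaged"


def write_carved(carved, outdir):
    """Write each carve as <offset>.<type> under outdir, much like the tools' output folders."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for name, offset, data in carved:
        path = os.path.join(outdir, f"{offset:08d}.{classify(name, data)}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def make_zip(entries):
    """Build a deterministic ZIP (stored, fixed timestamp) from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=(2012, 11, 20, 13, 0, 0)), data)
    return buf.getvalue()


def build_sample_image():
    """Constructed stand-in for a raw FAT32 image: filler, a fake OLE .doc, a docx, a zip."""
    def filler(n):  # deterministic letters; contains neither magic sequence
        return bytes(0x41 + i % 26 for i in range(n))
    ole = OLE_MAGIC + b"\x00" * 24 + b"legacy word document body" + b"\x00" * 100
    docx = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w:document/>"})
    plain = make_zip({"notes.txt": b"just a zip"})
    return filler(512) + ole + filler(300) + docx + filler(200) + plain + filler(128)


if __name__ == "__main__":
    image = build_sample_image()
    with tempfile.TemporaryDirectory() as outdir:
        for path in write_carved(carve(image), outdir):
            print(os.path.basename(path), os.path.getsize(path))
```

On a real device the input would be a raw image (for example a dd copy of /dev/sdb1 taken while the stick is unmounted) rather than the constructed buffer; the OLE carve of that buffer runs all the way to the end of the image, which is the same over-carving a footerless doc rule produces in scalpel, while the two ZIP carves end exactly at their EOCD records and only the one containing [Content_Types].xml is labelled docx.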


Summary

To summarize, both tools are able to recover permanently deleted files from the filesystem (in my case FAT32). Scalpel seems to have more advanced configuration capabilities that might make it usable for advanced tasks (custom file formats etc.), however one needs to know exactly how to properly define the type, which I was not able to do for the .docx format. On the other hand, if you are looking for something simple and easy, and the types of the files to be recovered are in the list of standard formats (jpg, gif, png, bmp, avi, exe, mpg, wav, riff, wmv, mov, pdf, ole, doc, zip, rar, htm, cpp), then foremost is the perfect utility for your needs.



Thursday, 15 November 2012

KVM windows guest on Ubuntu 12.10 - no sound

Recently I faced a problem where I could not play sound from a KVM Windows-based guest machine (even though the virtual sound card, AC'97, was properly detected and installed). I went through several articles recommending changing the type of the card and configuring qemu.conf to grant access to the audio. Unfortunately none of these really helped. Then, after doing all the previously described things, I tried disabling AppArmor and... now it works.

Below I enclose a more detailed procedure on what was needed in my case to make the audio from the KVM guest machine work.

1. Change the type of the card (might not be necessary). In my case es1370 was chosen.

2. Configure qemu.conf. Please ensure that the following entries are present in the qemu.conf configuration file. The user name and group name should be adapted to your system configuration:


#  vim /etc/libvirt/qemu.conf 
...

#
vnc_allow_host_audio = 1
...
# The user ID for QEMU processes run by the system instance.
user = "krychu"

# The group ID for QEMU processes run by the system instance.
group = "krychu"
...
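The shipped qemu.conf has these keys present but commented out, so "present in the file" is not the same as effective. The following Python snippet is an added example written for this post (not libvirt's own tooling): it parses a qemu.conf-style file the way the text above implies (comments ignored, quotes stripped, last value wins) and reports which of the three settings are still missing or wrong. The two file fragments are constructed, and the user/group values are the ones from the post, to be adapted to your own system.

```python
# Required settings from the post; "krychu" is the post's user and group, adapt as needed.
REQUIRED = {
    "vnc_allow_host_audio": "1",
    "user": "krychu",
    "group": "krychu",
}


def parse_qemu_conf(text):
    """Return the effective key/value pairs of a libvirt qemu.conf-style file.

    Commented-out lines are ignored, surrounding double quotes are stripped,
    and a key that appears more than once keeps its last value.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        settings[key.strip()] = value
    return settings


def missing_settings(text, required=REQUIRED):
    """Map each required key that is unset or wrong to its current effective value (None if unset)."""
    effective = parse_qemu_conf(text)
    return {k: effective.get(k) for k, v in required.items() if effective.get(k) != v}


# Constructed fragment modelled on the shipped file: every key is still a comment.
SHIPPED = """\
# Allow the host audio device to be used by VNC...
#vnc_allow_host_audio = 0

# The user ID for QEMU processes run by the system instance.
#user = "root"

# The group ID for QEMU processes run by the system instance.
#group = "root"
"""

# The same fragment after the edit described in step 2.
EDITED = (SHIPPED.replace('#vnc_allow_host_audio = 0', 'vnc_allow_host_audio = 1')
                 .replace('#user = "root"', 'user = "krychu"')
                 .replace('#group = "root"', 'group = "krychu"'))

if __name__ == "__main__":
    print("before the edit, missing:", missing_settings(SHIPPED))
    print("after the edit, missing: ", missing_settings(EDITED))
```

Running it against the real file (open("/etc/libvirt/qemu.conf").read()) before restarting libvirtd gives a quick confirmation that all three keys are actually uncommented and carry the intended values.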


3. Disable AppArmor. Disabling AppArmor really made the sound work on my box. Actually I completely removed AppArmor from my system (I think it is not necessary; you might try only disabling it).

First I stopped the service:
#  service apparmor stop

Next I removed it from the startup scripts:
#  update-rc.d -f apparmor remove

Since I do not use AppArmor at the moment, I eventually decided to remove it completely (if you happen to have installed apparmor-utils as well, you should remove it too):
#  apt-get remove apparmor apparmor-utils 


Reboot...