Unfortunately, none of the free Windows-based utilities was able to do the job, so we decided to give the Linux-based open source utilities a try. On the net I found two utilities that could be used for that purpose (scalpel is derived from foremost; there were more, but these looked the most promising):
1) scalpel
2) foremost
Both are available in the Ubuntu repos; below you can find some guidelines on installing and configuring the utilities. Before we start, a few things about my environment:
1) /dev/sdb1 - usb stick device
2) /tmp/recovery - the directory where the recovered files will be put into
Please keep in mind that if you have the automount feature turned on (which automatically mounts the device you want to recover files from), you should unmount it first (in my opinion it is safer to do so).
Scalpel
Scalpel was the first utility I decided to try. First you need to install it using apt-get as follows:
# apt-get install scalpel
# dpkg -l | grep scalpel
ii scalpel 1.60-1build1 amd64 A Frugal, High Performance File Carver
The scalpel utility comes with a configuration file located at /etc/scalpel/scalpel.conf; in the default configuration shipped with the package all file types are commented out (not configured). Fortunately it already contains sample definitions for the most typical file types, so all you need to do is edit the file and uncomment the lines for the file types you want to recover (in my case .doc):
# vim /etc/scalpel/scalpel.conf
...
doc y 10000000 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 \xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1\x00\x00 NEXT
doc y 10000000 \xd0\xcf\x11\xe0\xa1\xb1
...
Now all you need to do is launch scalpel as follows:
# scalpel /dev/sdb1 -o /tmp/recovery/scalpel
Afterwards go to the output directory, where you should find the recovered files (in my case they were placed in two folders, doc-0-0 and doc-1-0):
# ls -l
-rw-r--r-- 1 root root 760 Nov 20 13:03 audit.txt
drwxr-xr-x 2 root root 4096 Nov 20 13:05 doc-0-0
drwxr-xr-x 2 root root 4096 Nov 20 13:06 doc-1-0
#
Unfortunately it recovered only .doc files, not even a single .docx! I tried to find a proper definition for .docx that could be placed in scalpel.conf; I found one example on the net, but it did not work in my case, so I guess the definition was not correct.
Summarizing: scalpel recovered the document files (.doc) very fast (2 GB USB stick), but I was not able to make it work for .docx.
That is why I checked the second tool...
Foremost
As mentioned before, the foremost utility is available in the standard Ubuntu repos, so all you need to do is install it using apt-get as shown below:
# apt-get install foremost
# dpkg -l | grep foremost
ii foremost 1.5.7-2 amd64 forensic program to recover lost files
The foremost utility has a set of predefined file formats (types) it can recover, but there is no configuration file like in scalpel. On the other hand, this makes the utility simpler for a first-time user.
Below you can find the command I tried, with the file types doc, ole and zip:
# foremost -t doc,ole,zip -i /dev/sdb1 -o /tmp/recovery/foremost
It took a bit longer than scalpel, but... after checking the output directory:
# ls -l
-rw-r--r-- 1 root root 2405 Nov 20 13:25 audit.txt
drwxr-xr-- 2 root root 4096 Nov 20 13:26 docx
drwxr-xr-- 2 root root 4096 Nov 20 13:24 ole
drwxr-xr-- 2 root root 4096 Nov 20 13:24 zip
#
Voilà: in the docx directory I could find the .docx files!
Summary
Summarizing: both tools are able to recover permanently deleted files from the filesystem (in my case FAT32). Scalpel seems to have more advanced configuration capabilities that might make it usable in advanced tasks (custom file formats etc.), however one needs to know exactly how to define a type properly, which I was not able to do for the .docx format. On the other hand, if you are looking for something simple and easy, and the files to be recovered fit into the list of standard formats (jpg, gif, png, bmp, avi, exe, mpg, wav, riff, wmv, mov, pdf, ole, doc, zip, rar, htm, cpp), then foremost is the perfect utility for your needs.
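To make the header/footer idea behind the scalpel.conf lines concrete, and to show why a .doc rule can never pick up a .docx, here is a small carver written for this post (it is not scalpel or foremost code). It scans a raw image for the OLE2 magic from the doc rules above and for the ZIP local-file header that every .docx starts with, cuts each hit at its footer or at the 10000000-byte ceiling, and runs on a constructed sample image; the "word/document.xml" test for telling a .docx from a plain ZIP is an assumption of this example, not something the post establishes.

```python
import io
import zipfile
# OLE2 compound-file magic, as in the scalpel.conf 'doc' rules quoted on the page.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# A .docx is a ZIP container (PK local header, not OLE magic), so a 'doc' rule cannot match it; EOCD is the ZIP footer.
ZIP_LOCAL, ZIP_EOCD = b"PK\x03\x04", b"PK\x05\x06"
MAX_SIZE = 10_000_000  # same carve ceiling as the 10000000 in the scalpel.conf lines

def _next_header(image: bytes, pos: int) -> int:
    """Offset of the nearest OLE or ZIP header at or after pos, or len(image) if none."""
    hits = [i for i in (image.find(OLE_MAGIC, pos), image.find(ZIP_LOCAL, pos)) if i != -1]
    return min(hits) if hits else len(image)

def carve(image: bytes, max_size: int = MAX_SIZE) -> list[tuple[int, str, bytes]]:
    """Header/footer carving in the style of scalpel/foremost: (offset, kind, data) per hit."""
    found, pos = [], 0
    while (start := _next_header(image, pos)) < len(image):
        window = image[start:start + max_size]
        if window.startswith(OLE_MAGIC):
            # OLE2 has no fixed footer; like scalpel's NEXT rule, cut at the following header.
            end = min(start + max_size, _next_header(image, start + 1))
            data, kind = image[start:end], "doc"
        else:
            eocd = window.find(ZIP_EOCD)  # first EOCD after the header closes this archive
            if eocd == -1 or eocd + 22 > len(window):
                pos = start + len(ZIP_LOCAL)  # stray or truncated PK header: keep scanning
                continue
            comment_len = int.from_bytes(window[eocd + 20:eocd + 22], "little")
            data = window[:eocd + 22 + comment_len]
            # Assumed docx test: the main document part lives under word/ in the archive.
            kind = "docx" if b"word/document.xml" in data else "zip"
        found.append((start, kind, data))
        pos = start + len(data)
    return found

def make_zip(entries: dict[str, str]) -> bytes:
    """Build an in-memory, uncompressed ZIP from name -> text entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as z:
        for name, body in entries.items():
            z.writestr(name, body)
    return buf.getvalue()

def build_sample_image() -> bytes:
    """Constructed stand-in for the raw USB partition (not real data): junk, docx, OLE, zip."""
    docx = make_zip({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})
    plain = make_zip({"notes.txt": "not an office file"})
    doc, junk = OLE_MAGIC + b"\x00" * 8 + b"stub OLE compound document body", b"\xff" * 256
    return junk + docx + junk + doc + junk + plain + junk
```

Running carve(build_sample_image()) yields one docx, one doc and one zip carve in that order; feeding it a real partition image instead of the constructed one is just a matter of reading the device into bytes.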