Hands-on File Forensics using dd, ntfsundelete, ext3undelete, and extundelete (en)

From OnnoWiki

Disclaimer:

  • Always create a copy (image) of the disk or partition to be examined and work only on the copy. Touching the original directly risks altering the evidence: even a plain mount can write to the disk, for example by replaying a journal or updating access times.
  • Understand the file system being examined. Each file system has different structures and tools.
  • Follow good forensic procedures. This includes documenting every step taken, avoiding data modification, and using reliable tools.

Tools Used:

  • dd: To create a bit-by-bit copy of a disk or partition.
  • ntfsundelete: To recover deleted files from an NTFS partition.
  • ext3undelete: To recover deleted files from an ext3 partition.
  • extundelete: To recover deleted files from ext2, ext3, or ext4 partitions.

Steps:

Create Disk Copy:

sudo dd if=/dev/sda of=/path/to/image.img bs=4M conv=noerror,sync status=progress
  • Replace `/dev/sda` with the device you want to copy. Attach it through a write blocker where one is available, and never write the image onto the disk being imaged.
  • `conv=noerror,sync` keeps dd going past unreadable sectors and pads them with zeros, so the rest of the image stays at its original offsets. Note that it also pads the end of the image to a multiple of `bs` when the device size is not one.
  • Ensure `/path/to/image.img` has enough storage space; the image is as large as the whole device.

Identify File System:

sudo file -s /path/to/image.img

Do this before mounting. For an image of a whole disk, `file -s` reports the partition table rather than a file system; use `fdisk -l /path/to/image.img` to find each partition's start sector and pass `offset=<start sector × 512>` in the mount options below, or image the partition (`/dev/sda1`) instead of the disk.

Mount Image (optional, read-only):

sudo mount -o ro,loop /path/to/image.img /mnt

Mount only to browse the files that still exist. Always use `ro` (add `noload` for ext3/ext4 so the journal is not replayed), and point the undelete tools at the image file itself, not at `/mnt`: they read the raw file system structures and must not be run against a mounted volume.

Use the Appropriate Tool:

  • NTFS:
sudo ntfsundelete -s /path/to/image.img

`-s` (`--scan`) lists the deleted files that can still be recovered, with their inode numbers and the percentage of data left. To recover, use `-u` (`--undelete`) together with `-m` for a file-name pattern or `-i` for an inode range, and `-d` for the directory that receives the recovered files (`ntfsundelete` has no `-q` list mode or `-r` recover option; `-q` only silences output).

  • ext2/ext3/ext4:
sudo extundelete --restore-all -o /path/to/recovered /path/to/image.img

`--restore-all` recovers every file the journal and directory blocks still describe; `--restore-file` and `--restore-directory` limit this to one path, `--after` and `--before` to a time window, and `-o` sets the output directory (the default is `RECOVERED_FILES/` in the current directory). `extundelete --inode 2` prints the root directory entries, including deleted ones, when you only want a listing. The image must not be mounted while extundelete runs.

Analyze Results:

  • Inspect the recovered files.
  • Use additional forensic tools for further analysis, such as `grep`, `strings`, and hashing tools.
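The steps above as one script, added here as an example and not code from the original page: it images a device with dd, verifies the copy by SHA-256 while allowing for the zero padding that `conv=sync` adds, appends both hashes to a custody log, computes the byte offset needed to mount a partition out of a whole-disk image, and dispatches to `ntfsundelete` or `extundelete` based on what `file -s` reports. The paths (`/dev/sdb`, `$HOME/forensic`), the `IMAGE_SRC`/`IMAGE_OUT` variables and the log format are assumptions; the undelete tools are assumed to be installed, and imaging a real device needs root.

```shell
#!/bin/sh
# Added example, not from the original page: image a device with dd, verify the
# copy by SHA-256, keep a custody log, and run the undelete tools against the
# unmounted image. Paths, variable names and the log format are assumptions.
set -eu

# Bit-for-bit copy. conv=noerror,sync keeps reading past bad sectors and pads
# short reads with zeros so later data keeps its original offset; it also pads
# the end of the image to a multiple of bs, which verify_image accounts for.
acquire_image() {
    dd if="$1" of="$2" bs=4M conv=noerror,sync status=none
}

# Byte length of a source: block devices report size 0 to stat, so ask blockdev.
source_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# Hash the source and the first <source length> bytes of the image (skipping the
# trailing padding from conv=sync), append both to the log, return 0 on a match.
verify_image() {
    src="$1"; img="$2"; log="$3"
    size=$(source_size "$src")
    h_src=$(sha256sum "$src" | cut -d' ' -f1)
    h_img=$(head -c "$size" "$img" | sha256sum | cut -d' ' -f1)
    printf '%s src=%s img=%s bytes=%s sha256_src=%s sha256_img=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$size" "$h_src" "$h_img" >> "$log"
    [ "$h_src" = "$h_img" ]
}

# Byte offset of a partition inside a whole-disk image, from the start sector
# shown by 'fdisk -l image.img'; pass the sector size if it is not 512. Use as:
#   mount -o ro,loop,offset=$(partition_offset 2048) disk.img /mnt
partition_offset() {
    echo $(( $1 * ${2:-512} ))
}

# Pick the undelete tool from file(1)'s description of the partition image.
fs_type() {
    case "$(file -s "$1")" in
        *NTFS*)               echo ntfs ;;
        *ext2*|*ext3*|*ext4*) echo ext ;;
        *)                    echo unknown ;;
    esac
}

# mode=list shows what is recoverable; mode=restore writes files into outdir.
# ntfsundelete: -s scans, -u undeletes (-m name pattern, -d destination).
# extundelete: --inode 2 prints the root directory including deleted entries,
# --restore-all recovers everything it can, -o sets the output directory.
undelete_from_image() {
    img="$1"; outdir="$2"; mode="${3:-list}"
    mkdir -p "$outdir"
    case "$(fs_type "$img")" in
        ntfs) if [ "$mode" = list ]; then ntfsundelete -s "$img"
              else ntfsundelete -u -m '*' -d "$outdir" "$img"; fi ;;
        ext)  if [ "$mode" = list ]; then extundelete --inode 2 "$img"
              else extundelete --restore-all -o "$outdir" "$img"; fi ;;
        *)    echo "no undelete tool for $img" >&2; return 1 ;;
    esac
}

# Whole pipeline; runs only when IMAGE_SRC is set, e.g.
#   sudo IMAGE_SRC=/dev/sdb IMAGE_OUT=/home/user/forensic sh undelete_image.sh
main() {
    out="${IMAGE_OUT:-$HOME/forensic}"
    mkdir -p "$out"
    acquire_image "$IMAGE_SRC" "$out/disk.img"
    verify_image "$IMAGE_SRC" "$out/disk.img" "$out/custody.log" \
        || { echo "hash mismatch, do not use this image" >&2; exit 1; }
    undelete_from_image "$out/disk.img" "$out/recovered" list
}
if [ -n "${IMAGE_SRC:-}" ]; then main; fi
```

`verify_image` hashes only the first source-length bytes of the image because `conv=sync` with `bs=4M` rounds the image up to a 4 MiB boundary; hashing the whole image would report a mismatch for a perfectly good copy. Run `undelete_from_image` with `restore` as the third argument once the listing looks right, and keep the custody log with the image.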

Example Usage:

# Creating a disk copy
sudo dd if=/dev/sdb of=/home/user/forensic/disk.img bs=4M conv=noerror,sync status=progress

# Identifying the file system
sudo file -s /home/user/forensic/disk.img

# Recovering deleted files from the ext3 image (run against the image, not a mount point)
sudo extundelete --restore-all -o /home/user/forensic/recovered /home/user/forensic/disk.img

# Mounting the image read-only afterwards, only to browse the files that still exist
sudo mount -o ro,loop /home/user/forensic/disk.img /mnt

Additional Tips:

  • `dd` has no checksum option. Hash the device and the image separately and compare the values, for example `sha256sum /dev/sdb /home/user/forensic/disk.img`; if `conv=sync` padded the image, hash only the first device-length bytes of the image. Record both hashes with the date and the device details.
  • Keep the full console output of the recovery tools (`ntfsundelete -v` is verbose) as part of the case notes.
  • Use other forensic tools like `The Sleuth Kit` and `Autopsy` for more complex analysis.
  • Continuously improve your forensic skills by following tutorials and practicing.

Important: This guide is only a starting point. Every forensic case is unique and requires a different approach. Always consult a forensic expert if you face a complex case.

Useful Links