Forensics with Kali Linux - Recovering deleted files

In this post I will be talking a bit about how a forensic analysis is carried out using the Kali Linux OS. I will show you how we can recover a deleted file from a USB device, as well as the steps that should be followed when making a forensic analysis. I am not an expert in this area, but I was looking for information and studying the basic steps that should be taken in order to make a good analysis, either for our personal use or to present it in a case at court. I was looking for information about some tools that are usually used for these practices and that are already installed in Kali Linux, which is how this post came about.

Well, once we start, the first thing we will do is find the device path of our USB drive with the following command.

> fdisk -l

As we can see in the image, it shows us our HDD and, below it, our device at /dev/sdb. Once we have the path, the first thing we do is create a hash of the USB stick. A hash is produced by a mathematical algorithm that transforms an arbitrary block of data into a new string of characters of fixed length: regardless of the length of the input data, the output hash value always has the same length. Because two different inputs do not, in practice, produce the same hash, it serves as evidence that the device or the data on it were not altered or overwritten. The command we use to create the hash is the following.

> sha1sum /dev/sdb > /root/Desktop/usb-Copy.sha1

Once we have the hash of the USB device we will create a copy, which is what we will work on, since you should never touch or work with the physical device or the original data. It is extremely important, I would say mandatory, that you always work with the copy.
To create the copy of the USB drive we will use the dd command, which has several usage options.

> dd if=/dev/sdb of=/root/Desktop/usb-copy.dd conv=noerror,sync

In this command, if= specifies the path of the device we want to clone, of= gives the path where the image will be saved, with the name we want and the .dd extension, and conv= takes a comma-separated list of conversion options. Of those, noerror lets dd keep running after a read error instead of stopping, and sync pads any short block with zeros so that the data after it stays at the same offset as on the original device.

Once we have the copy of our device, we create a hash of the copy and compare it with the hash of the physical device that we created at the beginning.

> sha1sum /root/Desktop/usb-copy.dd
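The hash, image and compare steps above as one script. This is an added example, not code from the original post: it records the source hash with sha1sum, images with the same dd options, hashes the image and compares the two digests so that the "make sure both are equal" check is done by the script rather than by eye. It assumes a POSIX shell with coreutils (dd, sha1sum, cut, mktemp) and, for a real run, read access to the device (root on Kali). make_fake_device() builds a constructed stand-in so the functions can be exercised without a USB stick.

```shell
#!/bin/sh
# Added example, not code from the original post: hash the source device,
# image it with dd conv=noerror,sync, hash the image and compare.
# Assumes POSIX sh plus coreutils; make_fake_device() is a constructed
# stand-in for /dev/sdb so the script runs without real hardware.

# Print only the hex SHA-1 digest of a device or file.
hash_of() {
    sha1sum "$1" | cut -d' ' -f1
}

# Record "<digest>  <path>" for a source, the same format sha1sum writes
# (this is what "sha1sum /dev/sdb > usb-Copy.sha1" in the post produces).
record_hash() {
    sha1sum "$1" > "$2"
}

# Compare the digest stored in $1 (a sha1sum output file) with a fresh
# digest of $2. Returns 0 on match, 1 on mismatch.
verify_image() {
    expected=$(cut -d' ' -f1 "$1")
    actual=$(hash_of "$2")
    if [ "$expected" = "$actual" ]; then
        echo "OK: $2 matches recorded hash $expected"
        return 0
    fi
    echo "MISMATCH: $2 is $actual, recorded hash was $expected" >&2
    return 1
}

# Hash the source, image it with the post's dd options, then verify the
# image against the recorded source hash. Writes "$img.source.sha1".
image_and_verify() {
    src="$1"
    img="$2"
    record_hash "$src" "$img.source.sha1"
    # noerror: keep going past read errors; sync: pad a short block with
    # zeros so later offsets stay aligned. Any padded sector makes the
    # image hash differ from the source hash, which is the right outcome:
    # it tells you the image is not a byte-exact copy.
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    verify_image "$img.source.sha1" "$img"
}

# Constructed stand-in for /dev/sdb: 64 random 512-byte sectors in a temp
# file. Real block devices are always a whole number of sectors, which is
# why the sync padding does not change their hash when every read succeeds.
make_fake_device() {
    f=$(mktemp)
    dd if=/dev/urandom of="$f" bs=512 count=64 2>/dev/null
    echo "$f"
}

# Usage on the real device, as in the post:
#   image_and_verify /dev/sdb /root/Desktop/usb-copy.dd
```

If dd reported read errors during the copy, a mismatch here is expected rather than a problem with the procedure: the zero-padded sectors are exactly the evidence that parts of the device were unreadable, so note the mismatch and the dd error output in your records instead of re-imaging until the hashes happen to agree.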

When we have the hash we must make sure that both are equal. Now we use the mmls command, a tool that shows us the partition layout of a volume. As we will see in the image we have 3 entries: the first is the partition table, the second the unallocated gap before the partition and finally the FAT16 partition we are going to work with. As we can see in the image, that partition starts at sector 129, and that is the number we will be working with.

Now let's use the fls command, which lists file and directory names, including the names of files that have been deleted.

> fls -o 129 usb-copy.dd

As we see in the image, the first entry is a file marked r/r, a regular file, with an asterisk in front of it, which is how fls flags an entry that was deleted. On the left we also see numbers, which are the metadata addresses The Sleuth Kit uses to track each file's metadata, such as the last time it was edited or the date it was created. What we will do is try to recover this file with the tsk_recover tool.

> tsk_recover -o 129 usb-copy.dd /root/Desktop

Once we run this command we will see that it recovers the deleted file, as well as other additional files.
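The mmls, fls and tsk_recover steps above, tied together so the partition offset is read from mmls instead of typed by hand and the recovered files are hashed on the way out. This is an added example, not code from the original post. It assumes The Sleuth Kit (mmls, fls, tsk_recover) is installed, as it is on Kali, for recover_deleted(); the two parsing helpers need only awk. The sample mmls and fls outputs are constructed in the layout those tools print and use the post's own offset of 129; the file names in them are made up.

```shell
#!/bin/sh
# Added example, not code from the original post: find the FAT partition
# offset from mmls, list deleted entries from fls, recover with tsk_recover
# and hash what was recovered. Assumes sleuthkit for recover_deleted();
# the helpers need only POSIX sh, awk and coreutils.

# Constructed sample in the layout mmls prints, matching the post's image:
# partition table, an unallocated gap, then a FAT16 partition at sector 129.
SAMPLE_MMLS='DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000128   0000000129   Unallocated
002:  000:000   0000000129   0000031999   0000031871   DOS FAT16 (0x06)'

# Constructed sample in the shape fls prints: "type/type [*] addr:<TAB>name".
# "r/r" only says it is a regular file; the "*" is what marks it deleted.
SAMPLE_FLS=$(printf 'r/r 3:\tnotes.txt\nr/r * 4:\tsecret.txt\nd/d 5:\tphotos')

# Read mmls output on stdin; print the start sector (as a plain integer) of
# the first partition whose description mentions FAT, or nothing if none.
fat_start_sector() {
    awk '/FAT/ { print $3 + 0; exit }'
}

# Read fls output on stdin; print only the names of entries flagged deleted.
deleted_names() {
    awk -F'\t' '$1 ~ /^[a-z]\/[a-z] \* / { print $2 }'
}

# Locate the FAT partition of an image, show its deleted entries, recover
# into $2 with tsk_recover, then hash every recovered file so the output
# can be re-verified later. Returns 1 if no FAT partition is found.
recover_deleted() {
    img="$1"
    out="$2"
    off=$(mmls "$img" | fat_start_sector)
    if [ -z "$off" ]; then
        echo "no FAT partition found in $img" >&2
        return 1
    fi
    echo "FAT partition starts at sector $off"
    echo "deleted entries:"
    fls -o "$off" "$img" | deleted_names
    mkdir -p "$out"
    tsk_recover -o "$off" "$img" "$out"
    find "$out" -type f -exec sha1sum {} + > "${out%/}.recovered.sha1"
}

# Usage on the post's image (requires sleuthkit):
#   recover_deleted /root/Desktop/usb-copy.dd /root/Desktop/recovered
```

The offset is taken from the Start column of the first FAT entry, which is in sectors because mmls reports its units as 512-byte sectors here; -o for fls and tsk_recover expects that same unit. Recovering into a dedicated directory rather than the Desktop keeps the recovered files apart from the image and its hash files, and the sha1sum list written beside it gives you the same tamper check for the recovered output that you already have for the image.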

Well, this is the end of this post, I hope it has been helpful and interesting. I plan on making more posts about this topic in the near future.

11 comments:

  1. Excellent article, thank you for sharing valuable information with us. I hope it will be helpful for many of us. Keep on updating new posts.

    Download DiskDigger
    DiskDigger For Android
    Free Android Data Recovery
    DiskDigger License Key
    DiskDigger Photo Recovery Apps Download

  2. Thanks for sharing your detailed review on this article. This post will obviously help a lot of people. PlayBox is the best online streaming app for Android users. Check the below links to know more about the niche topics.
    Free Movies Online iOS,
    PlayBox HD Watch Online,
    PlayBox Online Free,
    PlayBox Internet TV Online,

  3. I was impressed with your article. Actually I was tired of trying various software for retrieving my lost files. After reading and trying this, I would like to share it with my friends too. Furthermore click here
    Data recovery
    Recover deleted data from sd card
    micro sd file recovery
    micro sd card data recovery

  4. Nice blog post. Thanks for sharing this post.
    Bigo Live is the most popular video broadcasting app on the mobile platform
    Download the application
    video chat
    live streaming
    bigo live live streaming
    Bigo Web
    bigo live stream
    bigo live online
    video streaming

  5. Nice article. Thank you for sharing the informative article with us. Click the below link to know more about
    PlayBox Online,
    PlayBox Online,
    PlayBox APP for Android,
    PlayBox APP for iOS,
    PlayBox Online,