Forensics with Kali Linux - Recovering deleted files


In this post I will talk a bit about how a forensic analysis is carried out using Kali Linux. I will show how we can recover a deleted file from a USB device, as well as the steps that should be followed when performing a forensic analysis. I am not an expert in this area, but I was looking for information and studying the basic steps that should be taken in order to make a sound analysis, whether for our personal use or to present it as evidence in a court case. I was looking for information about the tools usually used for this work, which already come installed in Kali Linux, and that is how this post came about.

Well, once we start, the first thing we will do is find the device path of our USB drive with the following command.

> fdisk -l

As we can see in the image, it shows us our HDD and below that our USB device, which is at /dev/sdb. Once we have the path, the first thing we do is create a hash of the USB drive. A hash function is a mathematical algorithm that transforms any arbitrary block of data into a new string of characters of fixed length: regardless of the length of the input data, the output hash value will always have the same length. Since two different inputs practically never produce the same hash, this will serve as evidence that the device and the data it held were not altered or overwritten. The command we use to create the hash is the following.

> sha1sum /dev/sdb > /root/Desktop/usb-Copy.sha1


Once we have the hash of the USB device we will create a copy, which is what we will work on, since you should never touch or work with the physical device or the original data. It is extremely important, and I would say mandatory, that you always work with the copy.
To create the copy of the USB drive we will use the dd command, which has several usage options.

> dd if=/dev/sdb of=/root/Desktop/usb-copy.dd conv=noerror,sync

In this command, if= specifies the path of the device we want to clone, and of= indicates the path where the image will be saved, with the name we want to give it and the extension .dd. conv= takes a comma-separated list of conversion flags: noerror makes dd keep running after a read error instead of stopping, and sync pads any short or unreadable block with NUL bytes so the image keeps the same layout as the device.


Once we have the copy of our device we are going to create a hash of the copy and compare it with the hash of the physical device that we created at the beginning.

> sha1sum /root/Desktop/usb-copy.dd



Once we have the second hash we must make sure that both are equal. Now we use the mmls command, a tool that shows us the partition layout of a volume. As we will see in the image, it lists three entries: the first is the partition table, the second the unallocated space before the first partition, and the third the FAT16 partition we are going to work with. As we can see in the image, the FAT16 partition starts at sector 129, and that number is the offset we will pass to the following tools.


Now let's use the fls command to list file and directory names, including the names of files that have been deleted.

> fls -o 129 /root/Desktop/usb-copy.dd



As we see in the image, the first entry is a file that fls flags as deleted (the r/r in front of it means a regular file, and the asterisk next to it marks the entry as deleted). We can also see some numbers on the left: these are the metadata addresses the filesystem uses to keep track of each file, including details such as the last time it was edited or the date the file was created. What we will do is try to recover this file with the tool tsk_recover.

> tsk_recover -o 129 /root/Desktop/usb-copy.dd /root/Desktop



Once we run this command we will see that it recovers the file that was deleted as well as other additional files.
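The whole acquisition procedure above (hash the source, image it with dd, hash the image, compare) as an added shell example that is not part of the original post. It works on a constructed file standing in for /dev/sdb so it can run without a USB device; the function names, the temporary file names and the 512-byte sector size are this example's own assumptions. It also shows one caveat the post's steps run into: conv=sync pads a final partial block with NULs, so if the source size is not a multiple of the block size the image hash will not match the source hash, which is exactly the check the post relies on. The Sleuth Kit steps (mmls, fls, tsk_recover) are wrapped in a function that only runs when those tools are installed.

```shell
#!/bin/sh
# Added example (not from the original post): forensic acquisition with
# hash verification, against a constructed file instead of /dev/sdb.
set -u

# Construct a fake "device": a file of random bytes of the given size.
# $1 = path, $2 = size in bytes (constructed sample input)
make_fake_device() {
    head -c "$2" /dev/urandom > "$1"
}

# acquire_and_verify SRC OUT_PREFIX
#   1. hash the source        -> OUT_PREFIX.sha1
#   2. image it with dd       -> OUT_PREFIX.dd
#   3. hash the image and compare with step 1
# Returns 0 when the hashes match, 1 when they differ.
acquire_and_verify() {
    src="$1"; out="$2"
    sha1sum "$src" | awk '{print $1}' > "$out.sha1"
    # noerror: keep going past read errors; sync: pad short blocks with NULs.
    # bs=512 is an assumed sector size; a real device is a whole number of sectors.
    dd if="$src" of="$out.dd" bs=512 conv=noerror,sync 2>/dev/null
    src_hash=$(cat "$out.sha1")
    img_hash=$(sha1sum "$out.dd" | awk '{print $1}')
    if [ "$src_hash" = "$img_hash" ]; then
        echo "OK       $src_hash  $out.dd"
        return 0
    fi
    echo "MISMATCH source=$src_hash image=$img_hash (sync padding or read errors?)"
    return 1
}

# recover_from_image IMG OFFSET DEST
# The Sleuth Kit steps from the post, run only if the tools are installed.
# Returns 2 when they are missing so callers can tell that apart from a failure.
recover_from_image() {
    img="$1"; off="$2"; dest="$3"
    for tool in mmls fls tsk_recover; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not installed"; return 2; }
    done
    mmls "$img"                    # partition layout: find the start sector
    fls -o "$off" "$img"           # list live and deleted entries at that offset
    mkdir -p "$dest"
    tsk_recover -o "$off" "$img" "$dest"
}

# Demonstration: a whole-sector source verifies, a source with 4 stray bytes
# does not, because conv=sync pads the last block to 512 bytes.
demo() {
    tmp=$(mktemp -d)
    make_fake_device "$tmp/dev_ok"  4096
    make_fake_device "$tmp/dev_odd" 4100
    acquire_and_verify "$tmp/dev_ok"  "$tmp/ok"
    acquire_and_verify "$tmp/dev_odd" "$tmp/odd"
    recover_from_image "$tmp/ok.dd" 129 "$tmp/recovered" || true
    rm -rf "$tmp"
}
```

Run it with `demo` after sourcing the file, or pass a real image to recover_from_image with the offset reported by mmls. The point of returning 1 on mismatch is that the comparison is the evidentiary step: an image whose hash differs from the source is not a faithful copy, whether because of padding, a read error that sync zero-filled, or a change on the device between the two hashes.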

Well, this is the end of this post, I hope it has been helpful and interesting. I plan on making more posts about this topic in the near future.
