Forensics with Kali Linux - Recovering deleted files


In this post I will talk a bit about how a forensic analysis is carried out using Kali Linux. I will show how to recover a deleted file from a USB device, as well as the steps that should be followed when performing a forensic analysis. I am not an expert in this area, but I was looking for information and studying the basic steps needed to make a good analysis, either for personal use or to present in a court case. I was also looking into some of the tools commonly used for this work that come preinstalled in Kali Linux, and that is how this post came about.

To start, the first thing we do is find the path of our USB drive with the following command.

> fdisk -l

As the image shows, the output lists our HDD and, below it, our device, which is at /dev/sdb. Once we have the path, the first thing we do is create a hash of the USB memory. A hash is a mathematical algorithm that transforms any arbitrary block of data into a new series of characters with a fixed length: regardless of the length of the input data, the output hash value always has the same length. Since any change to the data results in a different hash, this will serve as evidence that the device or the data it held were not altered or overwritten. The command we use to create the hash is the following.

> sha1sum /dev/sdb > /root/Desktop/usb-Copy.sha1


Once we have the hash of the USB device we create a copy to work on, since you should never touch or work with the physical device or the original data. It is extremely important, I would say mandatory, that you always work with the copy.
To create the copy of the USB drive we use the dd command, which has several usage options.

> dd if=/dev/sdb of=/root/Desktop/usb-copy.dd conv=noerror,sync

In this command, if= specifies the path of the device we want to clone, and of= gives the path where the copy will be saved, with the name we choose and the .dd extension. conv= takes a comma-separated list of conversion options: noerror lets the process continue when read errors occur, and sync pads each incomplete input block with zeros so that the data stays at the same offsets in the image.


Once we have the copy of our device, we create a hash of the copy and then compare it with the hash of the physical device that we created at the beginning.

> sha1sum /root/Desktop/usb-copy.dd
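
The hash, copy and re-hash steps above as one script, added here as an example and not taken from the original post; `digest` and `acquire` are names chosen for this example. It compares only the digest field and hashes the source a second time after imaging, so a device that changed during the copy, or a block that dd padded because of `conv=noerror,sync`, shows up as a mismatch.

```shell
#!/bin/sh
# Added example (not from the original post): hash, image, hash, compare.
# With the page's values: acquire /dev/sdb /root/Desktop/usb-copy.dd

# digest FILE: print only the hex SHA-1. sha1sum also prints the path, which
# differs between device and image, so whole output lines never compare equal.
digest() {
    out=$(sha1sum "$1") || return 1
    printf '%s\n' "${out%% *}"
}

# acquire SRC IMG: returns 0 only if the source digest taken before imaging,
# the image digest, and the source digest taken after imaging are identical.
acquire() {
    src=$1
    img=$2
    before=$(digest "$src") || return 2
    # Same dd options as the post; dd's transfer statistics go to a log file.
    dd if="$src" of="$img" conv=noerror,sync 2>"$img.log" || return 2
    image=$(digest "$img") || return 2
    after=$(digest "$src") || return 2
    # Keep the three digests next to the image as a record of the acquisition.
    {
        printf '%s  source-before\n' "$before"
        printf '%s  image\n' "$image"
        printf '%s  source-after\n' "$after"
    } > "$img.sha1"
    # A mismatch means the source changed during imaging, or dd padded a
    # short or unreadable block (conv=sync), so the image is not bit-identical.
    [ "$before" = "$image" ] && [ "$before" = "$after" ]
}

# Run as: sh acquire.sh SRC IMG
if [ "$#" -eq 2 ]; then
    if acquire "$1" "$2"; then
        echo "MATCH: $2 is a verified copy of $1"
    else
        echo "MISMATCH or error: see $2.sha1 and $2.log" >&2
        exit 1
    fi
fi
```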



Once we have the hash, we must make sure that both are equal.

Now we use the mmls command, a tool that shows the partition layout of a system volume. As we will see in the image, there are 3 entries: the first is the partition table, the second the disk buffer and finally the FAT16 partition with which we are going to work. As the image shows, that partition starts at 129; this is the number we will be working with.


Now let's use the fls command to list file and directory names, including the names of files that were recently deleted.

> fls -o 129 /root/Desktop/usb-copy.dd



As we see in the image, the first entry is a file that, as r/r tells us, was recently deleted. On the left we can also see some numbers, which keep track of each file's location and details such as the last time it was edited or the date the file was created. What we will do is try to recover this file with the tool tsk_recover.

> tsk_recover -o 129 /root/Desktop/usb-copy.dd /root/Desktop



Once we run this command we will see that it recovers the file that was deleted as well as other additional files.
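
An added example, not part of the original post, that reads the partition offset from mmls output instead of typing 129 by hand and lists the entries that fls flags as deleted with `*`. The function names are hypothetical, and the sample mmls and fls output is constructed to match the layout described above.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are made up here.

# part_offset PATTERN: read mmls output on stdin and print the start sector,
# without leading zeros, of the first partition row whose line matches PATTERN.
part_offset() {
    awk -v pat="$1" '
        $1 ~ /^[0-9]+:$/ && $0 ~ pat {
            start = $3
            sub(/^0+/, "", start)
            print (start == "" ? "0" : start)
            found = 1
            exit
        }
        END { exit !found }'
}

# deleted_entries: read fls output on stdin and print "address<TAB>name" for
# every entry carrying the "*" deleted flag (fls puts a tab before the name).
deleted_entries() {
    awk -F'\t' '
        $1 ~ /^[^ ]+ \* [0-9]/ {
            split($1, part, " ")
            addr = part[3]
            sub(/[^0-9].*$/, "", addr)
            print addr "\t" $2
        }'
}

# Constructed sample output, shaped like the listings the post describes.
sample_mmls() {
    cat <<'EOF'
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000000128   0000000129   Unallocated
002:  000:000   0000000129   0007831551   0007831423   DOS FAT16 (0x06)
EOF
}
sample_fls() {
    printf 'r/r * 5:\t_ECRET.TXT\nr/r 7:\tNOTES.TXT\nd/d 9:\tPHOTOS\n'
}

# With the real tools and the image from the post:
#   off=$(mmls /root/Desktop/usb-copy.dd | part_offset FAT16)
#   fls -o "$off" /root/Desktop/usb-copy.dd | deleted_entries
#   tsk_recover -o "$off" /root/Desktop/usb-copy.dd /root/Desktop
sample_mmls | part_offset FAT16
sample_fls | deleted_entries
```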

Well, this is the end of this post. I hope it has been helpful and interesting. I plan on making more posts about this topic in the near future.
