#Tip of the day: forensic!

Posted by surF on July 13, 2016

Today a friend of mine appeared at my place screaming

I’ve lost all my thesis!!! Please help me!

so, fresh after finishing my last International Summer School in Digital Forensic and Cyber Security, I immediately started to draw an attack plan.

What happened? He was working on his shining OpenOffice 4.something while suddenly a blackout hit the house and his PC stopped working. When he rebooted he found the file, tried to recover using the OO tool but nothing, he lost his entire thesis (why people still write the thesis on OO?? Go learn LaTeX please!!!)

Where to start?

I had:

  • complete access to the machine (it was switched off).
  • no encryption on disks.

Without an appropriate tool for working on the hard disk with write block I had to go back to the roots, attach with a SATA connector the HDD and dd from my Debian box.

But, in the meanwhile, he told me that another friend previously had tried to use a Windows tool but he had a I/O error and could not finish the job. Strange, isn’t it? The guy probably worked live on the mounted partition, which is something I have learnt to avoid as much as possible, but let’s see if this could somehow have damaged the system or not.

dd worked but yeah, at 3,2GB there was a read-error that fortunately the program managed to skip itself. How?

dd if=/dev/sdax bs=4K conv=sync,noerror | tee mybigfile.img | md5sum > mybigfile.md5

Using the noerror, dd managed to continue after hitting the I/O error.

Now that the image is created and I verified the md5 sum, the game starts.

Which tools to use?

I am quite familiar with both foremost and scalpel. Despite the scarcity of documentation available online (maybe recovering files is not a common hobby?) I could manage to use those programs pretty well.

scalpel is based on the first one and it required a little bit of tweaking in order to make it work the way I wanted. It is necessary to specify in the config file the files we need to look for. So, I need to scan for odt files, how should I do it? The configuration file, located in /etc/scalpel/scalpel.conf did not contain any info about odt, so looking on the net I found this line to add

odt y   20000000    PK????????????????????????????mimetypeapplication/vnd.oasis.opendocument.textPK META-INF/manifest.xmlPK???????????????

which worked flawlessly!

So the next command was:

sudo scalpel mybigfile.img -b -o /scalpel_recovered_files/

Some of the results were ok, others were false positives. I tried to grep -l to get some info from the files in the folders but I was not lucky enough to find the complete version of the file I was looking for.

So, why not trying with foremost?

This program differs from the one described before mainly because it is possible via command line to specify which extensions we are targeting. The odt extension does not exist BUT it is possible to search for zip.

So the command

sudo foremost -v -T -t zip -i mybigfile.img -o /foremost_recovered_files/

automagically created the following structure in the output folder:

  • zip
  • xlsx
  • sxi
  • sxc
  • sx
  • pptx
  • jar
  • docx
  • odt
  • audit.txt

Pretty cool, isn’t it?

So no extra tweaking to the configuration files is necessary in order to look for odt!

By the way, if you want, by inserting the following string you could actually look for odt as explained here:

odt n 12500000 \x50\x4b\x03\x04

To be continued…