Using Sleuthkit To Recover Files

04.02.2020 by admin

If you are like many digital investigators, you've heard about the Autopsy™ digital forensics tool and associate it with a course that used Linux to analyze a device. Or maybe you associate it with a book that made references to the Linux/OS X tool, but it wasn't applicable to you at the time because you were using Windows. This article is about how Autopsy 3 is different. It is a complete rewrite from version 2 and is now applicable to everyone. It will change the way you think about digital forensics tools.

Runs on Windows and Easy to Use

Let's start off with the fundamentals: Autopsy 3 runs on Windows with an easy-to-use, double-click installer. None of the dependency hell that you may typically associate with open source tools.


No esoteric download paths or source code repositories to navigate through. Just download the latest from and run the installer.

Note: We're also working on the Linux and OS X packages, but Windows has been the primary focus. Stay tuned for when these are available.

Autopsy 3 has been developed with an overarching goal of providing an intuitive layout and workflow.

When you add a disk image, you are given a list of ingest modules to run. One of them is Hash Lookup. It both calculates the MD5 hash of each file and looks the hash up in the hash databases you have configured. Even if you haven't added a hash database, it will still calculate the hashes as long as the module is enabled.
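What such a hash-lookup pass amounts to, as an added example in plain POSIX shell (this is not Autopsy's code, which reads files straight out of the image through The Sleuth Kit rather than from a mounted directory): every regular file under a data source directory is hashed with md5sum, each hash is looked up in a notable (known-bad) set and a known (known-good) set when those set files are supplied, and the hash is still computed and reported when no set is configured. The function name, the set-file format (one lowercase hex MD5 per line) and the report layout are assumptions of this example.

```shell
# Added example, not Autopsy's code: a hash-lookup pass in POSIX shell.
# Walks a data source that is already mounted (or exported) as a directory,
# hashes every regular file with md5sum, and classifies each hash against
# optional hash-set files holding one lowercase hex MD5 per line:
#   notable = known-bad (e.g. malware), known = known-good (NSRL-style).
# Output: one line per file, "<md5> <status> <relative path>".

hash_lookup() {  # $1 data source dir, $2 notable set file (optional), $3 known set file (optional)
  src=$1
  notable=${2:-}
  known=${3:-}
  # Sorted in the C locale so the report order is deterministic; file names
  # containing newlines would break this read loop (accepted for the demo).
  find "$src" -type f -print | LC_ALL=C sort | while IFS= read -r f; do
    sum=$(md5sum -- "$f" | cut -d' ' -f1)
    status=unknown                       # hashing happens even with no sets configured
    if [ -n "$notable" ] && [ -r "$notable" ] && grep -qixF -- "$sum" "$notable"; then
      status=notable                     # a known-bad hit outranks a known-good one
    elif [ -n "$known" ] && [ -r "$known" ] && grep -qixF -- "$sum" "$known"; then
      status=known
    fi
    printf '%s %s %s\n' "$sum" "$status" "${f#"$src"/}"
  done
}
```

Called as `hash_lookup /mnt/evidence notable.txt known.txt`, or with just the directory when no sets exist yet, the output is the same three-column table the module fills in, and can be filtered with `grep ' notable '` to surface the hits.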


The module will hash files in the background and add them to the table as they are calculated. In the next release, the hash is included in the HTML report for tagged files.

Posted by carrier

Good work, team. I have been a fan of the Autopsy tool since I started using the SIFT workstation for analyzing certain incidents. The Windows version will save me the time of switching from a physical machine to a VM to run certain jobs using Autopsy. I tried parsing an E01 image file where the partition table entry was fdisked or deleted. The entire chunk is displayed as unallocated space.

Is there a way to point out the partition table entry to this tool, so that it can run the desired jobs?

Posted by Johny Manuel

Tl;dr: skip to the end for the working solution.

I accidentally truncated a file using gedit. It was truncated from 1800 kB down to 25 kB. I wanted to share a few recovery techniques I attempted. This isn't meant to be a definitive answer, more a collection of answers to try.

First, remount the filesystem as read-only!

Do this as soon as possible:

    sudo mount -o remount,ro /

In my case, I was unable to remount read-only: the mount command failed with the error

    mount: / is busy

I recommend the drastic step of just hard powering off your machine. Yes, drastic! But I don't know how long the remnants of the truncated file will be around. They may be overwritten at any moment.

Boot up into the Ubuntu LiveCD. (I ran telinit 1, which dropped down to init level 1. This only complicated things, so I don't recommend doing telinit 1. I recommend the hard power down.)

Attempt using ext3grep

Try using ext3grep. However, ext3grep failed for me. I was only able to recover the truncated file.

Attempt using sleuthkit

sleuthkit is a cool toolset. You'll probably have to install it. Again, this gets tricky if the truncated file was on the / mount. Again, I recommend hard powering off and then running a LiveCD. The instructions are essentially:

    apt-get install sleuthkit

1. Find the inode number of the truncated file and remember it (call it INODENUMBER):

    stat truncated-file | grep Inode

2. Back up the file, then delete it:

    cp -a truncated-file truncated-file.old
    rm truncated-file

3. Open the filesystem in debugfs:

    debugfs /dev/disk-device

4. Run stats and look for "Blocks per group". This is very likely 32768 (call it BLOCKSPERGROUP).

5. Run imap to get the block the inode lives in, and remember the block number (call it BLOCKNUMBER). debugfs takes an inode number in angle brackets:

    imap <INODENUMBER>

6. Use blkls to copy that block group's blocks to a file:

    blkls /dev/disk-device $BLOCKNUMBER-$(echo "$BLOCKNUMBER+$BLOCKSPERGROUP-1" | bc) > recovered-file

7. Manually review and clean up recovered-file using some editor program.

But sleuthkit did not work for me. Only the truncated file was recovered.

Attempt using extundelete

Attempt using grep

Grep for some known string in the truncated file.


This is the only method that worked for me:

    grep -a -A 1000 -F 'some known string' /dev/disk-device > recovered-file

Surprisingly simple, eh?

When you make some file, the OS will just reserve the space needed for the file. Anyway, this 1 and 0 is not really true; there is no real 1 and no real 0, there are values near to 1 and 0.

When somebody writes in a file, the space is reserved. When you delete, what you made 1 will stay 1. I mean the OS will still show that this file is found, so it will write the new file just over the old one with the same offset and start and end sectors. So it's impossible; anyway, I hope you can find something else with Google. – Jan 9 '14 at 17:40
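The grep carve that the answer above ends with, made byte-exact, as an added example that is not part of the answer or of The Sleuth Kit. `grep -a -A 1000` prints whole "lines", and on a raw device a line is everything between two newline bytes, so the output can carry megabytes of binary junk on either side of the file. The functions below locate the known string with `grep -a -b -o` to get its byte offset, then pull a bounded byte range with `tail -c`/`head -c` and strip NUL slack. The image layout, the planted text and the function names are constructed for this example; run the real thing only against an unmounted device or an image copy, as the answer stresses.

```shell
# Added example, not from the answer above: the grep carve made byte-exact.
# Builds a constructed raw image, plants a "lost" text file in it at an
# arbitrary offset, then recovers it by locating the known string with
# grep -a -b -o and cutting a bounded byte range, instead of grep -A 1000
# which emits whole "lines" of binary junk around the hit.

make_image() {  # $1 image path; $2 byte offset to plant the constructed file at
  dd if=/dev/zero of="$1" bs=4096 count=64 2>/dev/null        # 256 KiB of zeros
  printf 'Dear diary,\nThis is the lost file.\nLine three.\n' |
    dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

find_offset() {  # $1 image or device, $2 known string -> byte offset of first hit
  # -a: treat binary as text, -b -o: print the 0-based byte offset of the match
  # itself, -F: fixed string. LC_ALL=C avoids multibyte decoding of raw bytes.
  LC_ALL=C grep -a -b -o -F -- "$2" "$1" | head -n 1 | cut -d: -f1
}

carve() {  # $1 image or device, $2 known string, $3 max bytes to pull from the hit
  off=$(find_offset "$1" "$2")
  [ -n "$off" ] || return 1                 # string not present: nothing to carve
  # tail -c +N is 1-based; head -c bounds the read so a device is not slurped.
  # tr strips NUL padding from the slack after the file (text files only).
  tail -c "+$((off + 1))" "$1" | head -c "$3" | tr -d '\000'
}
```

Against a real device the offset step is identical (`find_offset /dev/sdb2 'some known string'`); for the extraction step GNU `dd if=/dev/sdb2 skip=$off count=$len iflag=skip_bytes,count_bytes` reads the same range with large blocks, which matters when the hit is deep into a terabyte disk.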