CSI Linux - Data Recovery and Data Carving

CSI Linux Recovery

This lab guide teaches you how to recover data from a forensic image.

© CSI Linux – csilinux.com 1


Forensic Data Recovery

Data Destruction

We will cover the different levels of data destruction from full files to completely
obliterated hardware. Some stages are recoverable while some others are not. There are
several labs ready for you to follow along with. We will cover the potential of data
recovery of five of those phases, and only a handful of methods and software at each
phase. To follow along, create your own “evidence disk” by copying known graphics,
documents, and other files to create a known base line. Once you are comfortable with
basic recovery, move on to more advanced content.

An easy way to think about data recovery is that once data is written to a data container
(RAM, file, database, partition, drive, etc.), it stays there until it is overwritten or, in the
case of RAM, released. You can quick-format a drive a thousand times and only the file
system structures are rewritten; the data area is left untouched. This is why there have
been many cases over the years where digital evidence was still found even after the
suspect went to great lengths to hide or destroy it. One caveat for modern media: an SSD
with TRIM enabled may erase freed blocks on its own, so this rule holds less reliably
there than on spinning disks and thumb drives.



Un-deleting vs. Data Carving

Un-deleting is recovering data from a file system after it has been deleted, while the
record in the file system's index (FAT directory entry, NTFS MFT record, HFS+ Catalog
entry, etc.) still points to the location of the data on the drive. On the FAT file systems,
deleting a file only overwrites the first byte of its directory entry (the first character of the
8.3 name) with the value 0xE5; the starting cluster and size are left in place, so when you
recover the data you usually get most of the original file name with it. This method of
recovery is far faster than data carving, but it only works until that index record is reused.
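The FAT behaviour described above (only the first byte of the directory entry is changed on delete, the cluster pointer and size survive), written out as an added Python example; this is not code from the CSI Linux guide. The directory and data region are constructed in-line for a FAT32-style layout with 512-byte clusters. The recovery assumes the file was stored contiguously, because deleting on FAT also clears the file's cluster chain in the FAT tables, so a fragmented file cannot be followed from its entry alone:

```python
import struct

CLUSTER_SIZE = 512
ENTRY_FMT = "<11s3B7HI"   # 32-byte short-name directory entry
DELETED_MARK = 0xE5       # first byte of a deleted entry
FREE_MARK = 0x00          # first byte of a never-used entry (end of directory)


def make_entry(name83: bytes, first_cluster: int, size: int, deleted: bool = False) -> bytes:
    """Build a directory entry; name83 is the space-padded 11-byte 8.3 name."""
    assert len(name83) == 11
    raw = bytearray(struct.pack(
        ENTRY_FMT, name83,
        0x20, 0, 0,                  # attributes (archive), NT reserved, create-time tenths
        0, 0, 0,                     # create time, create date, last-access date
        first_cluster >> 16,         # first cluster, high 16 bits (FAT32)
        0, 0,                        # write time, write date
        first_cluster & 0xFFFF,      # first cluster, low 16 bits
        size))
    if deleted:
        raw[0] = DELETED_MARK        # the only change a delete makes to the entry itself
    return bytes(raw)


def parse_entry(raw: bytes):
    """Decode one entry; returns None for a free entry (nothing follows it)."""
    if raw[0] == FREE_MARK:
        return None
    name, attr, _, _, _, _, _, clus_hi, _, _, clus_lo, size = struct.unpack(ENTRY_FMT, raw)
    deleted = name[0] == DELETED_MARK
    if deleted:
        name = b"_" + name[1:]       # the original first character is gone for good
    base = name[:8].decode("ascii").rstrip()
    ext = name[8:].decode("ascii").rstrip()
    return {
        "name": f"{base}.{ext}" if ext else base,
        "deleted": deleted,
        "attr": attr,
        "first_cluster": (clus_hi << 16) | clus_lo,
        "size": size,
    }


def list_directory(directory: bytes) -> list:
    """Walk 32-byte entries until the first never-used one."""
    entries = []
    for off in range(0, len(directory), 32):
        entry = parse_entry(directory[off:off + 32])
        if entry is None:
            break
        entries.append(entry)
    return entries


def undelete(entry: dict, data_region: bytes, cluster_size: int = CLUSTER_SIZE) -> bytes:
    """Copy 'size' bytes from the entry's first cluster (data clusters are numbered from 2)."""
    start = (entry["first_cluster"] - 2) * cluster_size
    return data_region[start:start + entry["size"]]


def _cluster_pad(blob: bytes) -> bytes:
    return blob + b"\x00" * (-len(blob) % CLUSTER_SIZE)


# Constructed volume: PHOTO.JPG (700 bytes, clusters 2-3) was deleted; NOTES.TXT (cluster 4) was not.
PHOTO = b"\xff\xd8\xff\xe0" + b"P" * 694 + b"\xff\xd9"
NOTES = b"meeting notes " * 20
DATA_REGION = _cluster_pad(PHOTO) + _cluster_pad(NOTES)
DIRECTORY = (
    make_entry(b"PHOTO   JPG", 2, len(PHOTO), deleted=True)
    + make_entry(b"NOTES   TXT", 4, len(NOTES))
    + b"\x00" * 32
)

if __name__ == "__main__":
    for e in list_directory(DIRECTORY):
        flag = "deleted" if e["deleted"] else "live"
        print(f"{e['name']:<13} {flag:<8} cluster={e['first_cluster']} size={e['size']}")
    recovered = undelete(list_directory(DIRECTORY)[0], DATA_REGION)
    print("recovered photo intact:", recovered == PHOTO)
```

The deleted entry still lists itself as `_HOTO.JPG` with cluster 2 and size 700, which is all an undelete tool needs; the lost first character is why recovered FAT files often show up with a placeholder in their name.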

Data carving does not use a file system index at all. Instead, it starts at the beginning of
the data set and searches for the header (first few bytes) and/or footer (last few bytes) of
each file type. For example, a common header of a .JPG file is the hex sequence
“FF D8 FF E0” (the JFIF variant; Exif-tagged JPEGs start with “FF D8 FF E1”) with a footer
of “FF D9”. When a data carving utility finds the header, it copies data until it finds the
footer, and that becomes a recovered file. Some programs will even allow you to ignore
the footer to recover “partially recoverable files”. The cost of not looking for the footer is
a lot more “false positives”: any stray occurrence of the header bytes becomes a “file”, and
because the carver cannot tell where it ends, it copies up to a configured maximum size.

There are several steps involved in data carving:

• Identify the device or media: The first step in data carving is to identify the device or media that is
being analyzed. This normally means acquiring a forensically sound image through a write blocker
and carving the image, rather than pointing the tool at the original device.
• Identify the file types: The next step is to identify the file types that are being searched for. This
may involve specifying the file types that are of interest, such as documents, images, or videos,
which tells the tool which signatures to load.
• Search for signatures: The forensic analysis tool then scans the data for the headers, footers, and
other byte patterns that are specific to each file type (some tools call these “carving blocks”).
• Reconstruct the deleted files: Once the signatures have been located, the tool uses them to
reconstruct the files. This may involve copying the bytes between a header and its footer into a
single file, or piecing several fragments together to create a complete file.

For example, an investigator might use data carving to recover deleted documents from
a hard drive. The investigator might image the hard drive, load the image into a forensic
analysis tool, and specify that they are searching for Word documents. The tool will then
search for the signatures associated with Word documents and use them to reconstruct
the deleted documents.
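The header/footer scan described in the two passages above, written out as a small Python carver. This is an added example, not code from the CSI Linux guide or from Foremost or Scalpel. The disk image it scans is constructed in-line (a few sector-aligned blobs), the signature table is an assumption limited to four types, and real carvers add block alignment, wildcards and format-aware length checks that this one leaves out. The `keep_partial` switch is the “ignore the footer” mode the text mentions, and the constructed image includes a stray JPEG header in slack space to show the false positive that mode produces:

```python
from __future__ import annotations
from dataclasses import dataclass

SECTOR = 512


@dataclass(frozen=True)
class Signature:
    ext: str
    header: bytes
    footer: bytes | None  # None: no usable footer, carve up to max_size only
    max_size: int         # stop looking for a footer after this many bytes


# Assumed signature table (four common types; Foremost and Scalpel ship many more).
SIGNATURES = (
    Signature("jpg", b"\xff\xd8\xff\xe0", b"\xff\xd9", 200_000),            # JPEG, JFIF
    Signature("jpg", b"\xff\xd8\xff\xe1", b"\xff\xd9", 200_000),            # JPEG, Exif
    Signature("gif", b"GIF89a", b"\x00\x3b", 50_000),
    Signature("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 50_000),
)


@dataclass(frozen=True)
class Carved:
    ext: str
    offset: int      # byte offset of the header in the image
    data: bytes
    complete: bool   # False when no footer was found inside max_size


def carve(image: bytes, signatures=SIGNATURES, keep_partial: bool = True) -> list[Carved]:
    """Scan the whole image for each header; copy until the footer (or max_size).

    keep_partial=True is the 'ignore the footer' mode: a header without a footer
    still produces a file, which recovers truncated pictures but also turns every
    stray header byte-pattern into a false positive.
    """
    found: list[Carved] = []
    for sig in signatures:
        pos = 0
        while (start := image.find(sig.header, pos)) != -1:
            limit = min(len(image), start + sig.max_size)
            end = -1
            if sig.footer is not None:
                end = image.find(sig.footer, start + len(sig.header), limit)
            if end != -1:
                stop = end + len(sig.footer)
                found.append(Carved(sig.ext, start, image[start:stop], True))
                pos = stop                      # resume after the carved file
            else:
                if keep_partial:
                    found.append(Carved(sig.ext, start, image[start:limit], False))
                pos = start + len(sig.header)   # resume just past this header
    found.sort(key=lambda c: c.offset)
    return found


def foremost_style_name(c: Carved) -> str:
    """Name output by starting sector, the same idea Foremost uses (00000001.jpg)."""
    return f"{c.offset // SECTOR:08d}.{c.ext}"


def _sector_pad(blob: bytes) -> bytes:
    return blob + b"\x00" * (-len(blob) % SECTOR)


# Constructed image: file-system metadata, a complete JPEG, slack holding a stray
# JPEG header, a complete GIF, and a JPEG whose tail (and footer) was overwritten.
JPEG_OK = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"A" * 40 + b"\xff\xd9"
GIF_OK = b"GIF89a" + b"\x01\x00\x01\x00" + b"B" * 20 + b"\x00\x3b"
JPEG_TRUNCATED = b"\xff\xd8\xff\xe1" + b"C" * 30
IMAGE = (
    _sector_pad(b"root directory and FAT would live here")
    + _sector_pad(JPEG_OK)
    + _sector_pad(b"slack \xff\xd8\xff\xe0 not a picture")
    + _sector_pad(GIF_OK)
    + _sector_pad(JPEG_TRUNCATED)
)

if __name__ == "__main__":
    for c in carve(IMAGE):
        state = "complete" if c.complete else "partial (no footer)"
        print(f"{foremost_style_name(c)}  offset={c.offset:<5} {len(c.data):>4} bytes  {state}")
```

Run with the footer required (`keep_partial=False`) and only the two intact pictures come back; run in partial mode and the overwritten JPEG is recovered as far as it goes, but the four header bytes sitting in slack are reported as a picture too. That is the trade-off the text describes, and it is why the results of a carve always need a manual review.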



What is Recoverable?

What can you carve? Any data container that may hold files: an entire disk, a partition,
a raw copy of a drive, a swap file (pagefile.sys on Windows), and even memory. You can
even recover data from a drive that had an operating system reinstalled over a previous
system. During this section of training, we will make a forensically sound bit-stream image
of a “suspect” USB thumb drive. After the raw image is complete, we will use several tools
to recover “evidence”, from mounting the raw DD image to data carving both deleted and
undeleted files. Some of the open source Linux tools we will look at are RecoverJPEG,
Foremost, and Scalpel.



The Different Phases of Data Destruction

• Full files: Files have not been deleted. The index (FAT, MFT, Catalog, etc.) for the file system is
100% intact. Data can easily be recovered.
• Deleted files: Files have been deleted. The index for the file system is 100% intact. These files
can be “Undeleted” or recovered as long as the data on the disk has not been overwritten.
• Formatted: The Operating System index (FAT, MFT, Catalog, etc.) has been rebuilt or the
records in that index have been overwritten. If the data on the disk has not been overwritten,
it can be recovered with data carving. Names cannot be recovered unless they are stored in
the file's own metadata, and the signatures/headers of the file types must be known.
• Partially overwritten: Some data is recoverable, but usually in bits and pieces. This is where
forensic tools become handy.
• Physical Failure: The data is still there in most cases and the devices need to be repaired before
an attempt to recover it can be made.
• Wiped: All data has been overwritten or “nuked” and is unrecoverable within reasonable
means.
• Physical Annihilation: Drive or media is destroyed and unrecoverable.
• Volatile Data: This is the data that you will lose when the system is turned off. This includes
RAM, System Processes, and Network connections. Capturing this data can be extremely
important in many cases.

• Semi-Volatile Data: Swap space (pagefile.sys on Windows, for example), temp files, slack
space, and free space on the drive are examples of data that can still be recovered if the
acquisition of the evidence is done properly. Simply turning on the system can overwrite
this data and make it unrecoverable.



Data Carving Labs

Now for recovering the data from the images. During your investigation, you are given
an image (the ones created in the imaging lab), and it is your job to recover any data that
you can. In this lab, we will cover several possible tools to use.

Lab: Using Autopsy GUI

"Autopsy® is a digital forensics platform and graphical interface to The Sleuth Kit® and
other digital forensics tools. It is used by law enforcement, military, and corporate
examiners to investigate what happened on a computer. You can even use it to recover
photos from your camera's memory card." - sleuthkit.org/Autopsy

Autopsy is a forensic analysis tool that can be used to recover deleted files. At a high
level, the workflow is:

• Create a case: Create a new case in Autopsy and add the device or media that you want to
analyze as a data source. This may involve connecting the device to your computer or specifying
the location of a forensic image.
• Choose the ingest modules: Autopsy identifies files by signature with its File Type Identification
module and carves unallocated space with the PhotoRec Carver module. Enable those, plus any
others you need, when the data source is added; the carver is what brings back files whose index
records are gone.
• Analyze the data: Run the ingest and then browse the results tree. The Views section groups
files by type and lists deleted files, and each entry shows where the file (or carved fragment)
sits on the device or image.

For example, an investigator might use Autopsy to recover deleted documents from a
hard drive. The investigator would create a new case for the drive's image, run ingest with
carving enabled, and then filter the results to Office documents. Autopsy lists both the
deleted entries still present in the file system index and the documents it carved out of
unallocated space.

Now, let’s get started with Autopsy.

• Run Autopsy from the taskbar of CSI Linux

• Click on Start New Case.



• Fill in the case form.

• Click on OK.
• Wait for Autopsy to open up… This may take a minute.
• Go into the ~/Cases/Case Name folder that was just created and add your forensic image to the
folder called “Forensic Evidence Images”.
• Back in Autopsy, left click on the “Add Data Source” button.
• Select the Disk Image or VM File option.
• Click Next.

• Click on Browse and choose the image (DD) file you created.
• Click on Next.



• Click on Select All.

This is a small lab and should not be an issue. For larger cases, pick
only the options you want to use.

• Click on Next.

• Click on Finish.

• Now Wait…



You should see a progress bar on the bottom right of the Autopsy window.

Once Autopsy has completed the Ingest Modules, you should see data on the left-hand
side, assuming that data was recoverable. Autopsy is more than just a recovery tool like
some of the other tools we are going to cover, it is a very powerful forensics tool,
especially for it being free.

Notice in the screenshot below that Autopsy also parsed out deleted files and even
EXIF data from the JPG files it recovered. This means even location data if GPS or
location services were enabled when the picture was taken.

NOTE: The Autopsy application runs on Windows, macOS, and Linux. Some of the
third-party ingest modules, however, may only work on Windows because they wrap
Windows .EXE tools.



Lab: Using RecoverJPEG

“A tool to recover lost files on damaged memory cards or USB drives. recoverjpeg tries to
recover JFIF (JPEG) pictures and MOV movies (using recovermov) from a peripheral.” -
rfc1149.net/devel/recoverjpeg.html

1. Do Imaging Lab 1 first.
2. Change into an empty working directory (recoverjpeg writes its output, imageNNNNN.jpg
and so on, into the current directory), then run: recoverjpeg usb(?).dd

Lab: Using Foremost

“Foremost is a console program to recover files based on their headers, footers, and
internal data structures. This process is commonly referred to as data carving. Foremost
can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly
on a drive. The headers and footers can be specified by a configuration file or you can use
command line switches to specify built-in file types. These built-in types look at the data
structures of a given file format allowing for a more reliable and faster recovery.

Originally developed by the United States Air Force Office of Special Investigations and
The Center for Information Systems Security Studies and Research, foremost has been
opened to the general public. We welcome any comments, suggestions, patches, or
feedback you have on this program. Please direct all correspondence to
[email protected].” -foremost.sourceforge.net

Foremost is a carving tool that can be used to recover deleted files. It works by scanning
a disk image (or a raw device) for the headers, footers, and internal structures associated
with specific file types and writing out each match as a file. It never consults the file
system index, so it recovers the same data whether or not the file was deleted.

To use Foremost to recover deleted files, follow these steps:

Identify the device or media: The first step is to identify the device or media that is being
analyzed. Normally that means a forensic image produced with dd or a similar imaging
tool; Foremost can read a device node directly, but carving a live disk risks altering the
evidence.

Specify the file types: Next, specify the file types that you want to recover with -t.
Foremost has a wide range of built-in types (jpg, gif, png, pdf, doc, zip, and more), and
you can list several separated by commas, or use “all”.



Run Foremost: Run Foremost from the command line, giving the input (-i), the file types
(-t), and the output directory (-o) where the recovered files and the audit.txt summary
will be saved. Foremost refuses to write into an output directory that already contains
files, so use a new directory for each run or add -T to append a timestamp to the
directory name.

For example, an investigator might use Foremost to recover deleted documents from a
hard drive. The investigator might connect the hard drive through a write blocker and
run Foremost using the following command:

foremost -t doc -i /dev/sda -o /output/documents

This command instructs Foremost to search /dev/sda for the OLE signature used by Word
.doc files and save anything it finds under /output/documents. In normal use, replace
/dev/sda with the path to your forensic image.

1. Do Imaging Lab 1 first.
2. Type “foremost -i usb1.dd -o usb1 -v”. Wait until complete.
3. Repeat step 2 for each other usb?.dd image, using a different -o directory each time.
4. Use a file explorer or manager to view the results, starting with usb1/audit.txt.
5. View and compare the results.

Optional:

Only generate an audit file and print to the screen (verbose mode):
foremost -av usb(?).dd

Search all defined types:
foremost -t all -i usb(?).dd

Search for gif and pdf:
foremost -t gif,pdf -i usb(?).dd

Run the default case:
foremost usb(?).dd

Sources:

• "Foremost: A Tool for Data Recovery." Sleuth Kit. https://www.sleuthkit.org/foremost/
• "Foremost: A Command Line Tool to Recover Deleted Files." Digital Forensics Corp



Lab: Scalpel (Linux)

“Scalpel is a file carving and indexing application that runs on Linux and Windows. The
first version of Scalpel, released in 2005, was based on Foremost 0.69”. -
github.com/machn1k/Scalpel-2.0

Scalpel is a free, open-source data carving tool that can be used to recover deleted files.
Here is how to use Scalpel to recover deleted files:

• Configure Scalpel: Scalpel is configured to search for specific file types by editing its configuration
file (scalpel.conf) and enabling the entries for the types you want. You can keep a per-case copy of
the file and point Scalpel at it with -c.
• Run Scalpel: Once Scalpel is configured, run it with the command-line options and the location of
the data to be carved. For example, to carve data from a partition, you might use the following
command: "scalpel /dev/sda1 -o /output/folder". The output folder must be new or empty; Scalpel
will not write into a directory that already has files in it.
• Review the results: Scalpel searches for the headers and footers of the enabled file types and
writes each match out as a file. The recovered files are saved to the output folder specified on the
command line, one subfolder per type, together with an audit.txt listing every carved file and its
offset. Review the results to determine whether the recovered files are of interest and save them as
needed.

For example, an investigator might use Scalpel to recover deleted documents from a hard
drive. The investigator might install Scalpel and configure it to search for Word
documents. The investigator might then run Scalpel and specify the location of the hard
drive as the data to be carved. Scalpel will search for carving blocks associated with Word
documents and use them to reconstruct the deleted documents. The investigator might
then review the results and save any recovered documents that are of interest.

Scalpel takes a little more configuring out of the box. We are going to look at the
configuration file that controls what it carves. This guide refers to
/etc/scalpel/conf/scalpel.conf; on most Debian/Ubuntu-based installs the packaged file is
/etc/scalpel/scalpel.conf, and you can point Scalpel at any copy with -c. Every rule ships
commented out, so nothing is carved until you remove the leading “#” from the types you
want. The relevant part of the file looks like this:

# Extension   Case   size        header                       footer
#
# GIF and JPG files (very common)
# gif   y   5000000     \x47\x49\x46\x38\x37\x61    \x00\x3b
# gif   y   5000000     \x47\x49\x46\x38\x39\x61    \x00\x00\x3b
# jpg   y   200000000   \xff\xd8\xff\xe0\x00\x10    \xff\xd9
# jpg   y   200000000   \xff\xd8\xff\xe1            \xff\xd9

The columns are the extension given to carved files, whether the header/footer match is
case sensitive (y/n), the maximum number of bytes to carve when no footer is found, and
the header and footer written as escaped bytes. Uncomment the lines for the types you
want to find, save the file, and Scalpel is ready to start carving data.
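A small Python reader and editor for the scalpel.conf rule format shown above, added here as an example; it is not part of the CSI Linux guide or of Scalpel. It decodes the `\xNN` escapes into bytes, treats a leading “#” as a disabled rule, and can uncomment the rules for a chosen set of extensions so the edit step of the lab can be scripted and reviewed. The conf text it parses is constructed from the excerpt above. Scalpel's `?` wildcard bytes and the REVERSE/NEXT footer modifiers are recorded but not interpreted (an assumption and limitation of this parser):

```python
MODIFIERS = {"REVERSE", "NEXT"}   # footer modifiers Scalpel understands; recorded, not interpreted


def unescape(field: str) -> bytes:
    """Turn the \\xNN escapes used in scalpel.conf into raw bytes."""
    return field.encode("latin-1").decode("unicode_escape").encode("latin-1")


def parse_line(line: str):
    """Parse one conf line into a rule dict, or None for comments and blank lines."""
    stripped = line.strip()
    disabled = stripped.startswith("#")
    parts = stripped.lstrip("#").split()
    # A rule needs: ext, y/n, numeric size, header. Prose comments and the column
    # header line fail this shape and are skipped.
    if len(parts) < 4 or parts[1].lower() not in ("y", "n") or not parts[2].isdigit():
        return None
    footer = modifier = None
    if len(parts) > 4:
        if parts[4] in MODIFIERS:
            modifier = parts[4]
        else:
            footer = unescape(parts[4])
            if len(parts) > 5 and parts[5] in MODIFIERS:
                modifier = parts[5]
    return {
        "ext": parts[0],
        "case_sensitive": parts[1].lower() == "y",
        "max_size": int(parts[2]),
        "header": unescape(parts[3]),
        "footer": footer,
        "modifier": modifier,
        "enabled": not disabled,
    }


def parse_rules(conf_text: str, include_disabled: bool = False) -> list:
    """Return the active rules (or every rule, if include_disabled is set)."""
    rules = []
    for line in conf_text.splitlines():
        rule = parse_line(line)
        if rule and (rule["enabled"] or include_disabled):
            rules.append(rule)
    return rules


def enable_types(conf_text: str, types) -> str:
    """Return the conf text with the rules for the given extensions uncommented."""
    out = []
    for line in conf_text.splitlines():
        rule = parse_line(line)
        if rule and not rule["enabled"] and rule["ext"] in types:
            line = line.lstrip().lstrip("#").lstrip()
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed conf text, taken from the excerpt in the guide (all rules disabled).
CONF = r"""# Extension   Case   size   header   footer
#
# GIF and JPG files (very common)
# gif y 5000000 \x47\x49\x46\x38\x37\x61 \x00\x3b
# gif y 5000000 \x47\x49\x46\x38\x39\x61 \x00\x00\x3b
# jpg y 200000000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9
# jpg y 200000000 \xff\xd8\xff\xe1 \xff\xd9
"""

if __name__ == "__main__":
    edited = enable_types(CONF, {"jpg"})
    print(edited)
    for r in parse_rules(edited):
        footer = r["footer"].hex() if r["footer"] else "-"
        print(r["ext"], r["header"].hex(), footer, r["max_size"])
```

Running `parse_rules` on the untouched file returns nothing, which is exactly why a first Scalpel run against the stock conf carves nothing; after `enable_types(CONF, {"jpg"})` the two JPEG rules come back with the header bytes `ffd8ffe00010` and `ffd8ffe1` and the footer `ffd9`, matching the signatures discussed earlier in this guide.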



Using Scalpel

1. Do Imaging Lab 1 first.
2. Type “scalpel usb1.dd -o usb1 -v”. Wait until complete. (Scalpel can also carve a raw device
such as /dev/sdb directly, but work from the image so the evidence is never touched.)
3. Type “cat usb1/audit.txt” to see what was carved and at which offsets.
4. Repeat steps 2-3 for each other usb?.dd image we created earlier, using a fresh output
directory each time; Scalpel will not write into a directory that already has files in it.
5. Use a file explorer or manager to view the results.
6. View and compare the results.

Optional:

scalpel usb(?).dd -o Directory-you-want-the-output-to

Note: The trick is to use all the tools at your disposal and compare. The easiest way to do
this is to create the “evidence” drive yourself and document every file on it. Then delete
several of the files or folders. At this point, you have a known baseline to start from.
Create the dd raw image and analyze it with the various methods.
