Recover deleted files using SleuthKit
It happens to us all sooner or later. You find you have deleted a file off your system, and you realize you are without a backup of the file. There are many methods, such as SleuthKit out there that can recover a file that has been erased from the recycle bin. In reality the file is still there, the pointers that make the file visible have just been removed and the sectors on the hard drive have been marked as available. In time these sectors will be overwritten with new data, at which time the file can not be restored.
Our lab scenario
So before doing anything further, you want to attempt to recover your file before any data can be written to your disk. A safe way is to make an image of the drive and then work off this. This method is based off a USB stick and how to recover a deleted file off said media. The USB stick is being used on a Mac Pro laptop, running the latest version of Mac OS. Sleuth Kit is installed on my RHEL Server. To install
Creating the disk image
The first step in our scenario is to create the disk image.
- Open Terminal on the MacBook Pro
- Run the command diskutil list – this will show all devices on the system, you are looking for the USB stick.
Our device is /dev/disk2. We need to unmount it before creating the image. To do so, run the command diskutil unmountDisk /dev/disk2
Creating the Disk Image
If all goes to plan, you will see a message stating the disk was unmounted successfully. You then can make a raw image of the entire USB media with the command sudo dd if=/dev/disk2 of=usbimage.img.dd bs=512. For those unfamiliar with the dd, if stands for input file, which is the device you just unmounted. This may be different for you, so use the device name that you found in the previous steps for your system. of stands for output file. This is whatever name you want to call it. Just name it something that lets you know what the image is. bs stands for block size, which I used 512 as a standard size for this task.
It will ask for your password, and you must have sudo rights for it to work. If you are logged in as root you do not need the sudo portion of the command. It will take some time to make the image, and will give you no indication that anything is happening. Just be patient. If the USB stick is 4 GB in size it needs to make a 4 GB file, therefore make sure you have enough space to accommodate the full image, otherwise, it will fail once you run out of disk space.
Starting on the Forensic activities
When the image is finished you will see a response saying how many records in and out, and how many bytes were transferred as well as the transfer speed. I then needed to transfer my image to my RHEL server where I was going to perform my forensic activities on the image. This is done with the scp (secure copy) command. Using the command scp usbimage.img.dd email@example.com:/ copies the image file you just created to your destination system. firstname.lastname@example.org is the username I wish to use to connect to the remote system followed by its IP address. The following :/ tells it where on the remote system I wish to place the file. For simplicity sake, I was just dropping it in the root volume of the server.
Moving the image
Once I had finished moving the image to the server I then moved the file to a new location off the root called /images. I then started to look at what I had, using the img_stat command against the image I was able to see that it is indeed a raw image and the size of the image file.
Seeing available partitions
Then I used the mmls command on the image to see what file systems were in the image. There are three in total, with the 02 being the partition I am interested in. It shows the starting sector of 8064, and that it is a Win95 FAT32 partition table.
We can now start to dig further into the partition to see what we have to work with. The command fsstat -o 8064 usbimage.img.dd, the 8064 is telling it where the starting sector is. This gives you the statistic of the partition that can be helpful in further analysis.
Viewing the file system
The fls -o 8064 usbimage.img.dd lets you view the file structure of the portion and see what files are there. It will also show you files that have been deleted as well. d/d lets you know it is a directory, r/r is a file, and the numbers after them are their inodes.
Finding the file you wish to recover
The file I wanted was an image I deleted before the lab started. Looking at the statistics of the image file using the command istat usbimage.img.dd 11, with 11 being the file’s inode.
Recovery of the deleted file using SleuthKit
We can now attempt to recover the deleted file. Using the command icat -o 8064 -r usbimage.img.dd 11 > image.jpg. 8064 again is the starting sector, the -r is the recovery flag, then you have the image name in question, followed by the inode of the file, the > is a redirection in Linux that redirects the output the file name of your choice, which in my case was just image.jpg.
Upon completion, you can verify the file is in place by issuing the ls command.
Finally, I want my file back on my MacBook Pro, so issuing the scp command from the Mac to copy the image.jpg file from the server, back to my Desktop.
There are many programs out there that would do this process quicker, and maybe even easier, however, I thought it was fun to try it out this way, and it doesn’t cost anything to use this as other programs would. SleuthKit also has many other features that can be used for Computer Forensics that you may find helpful one day.
This was just a fun test lab to try out a feature using SleuthKit, feel free to try it out yourself using these instructions as a guide. I would play around it first in a lab environment before trying this out with anything important. However, if you always work off a disk image then your original data will always be left intact and even if a mistake were to be made you could just start over again. I hope you enjoyed this article, if you have any comments or suggestions please feel free to share them with me in the comments section. For more information visit the forensic tool site.
Ivan Windon – RHCSA