Wednesday, January 30, 2013

Backtrack Forensics: NTFS file recovery with scrounge-ntfs

Menu: Forensics -> Forensic Carving Tools
Directory: /usr/local/sbin/scrounge-ntfs
Official Website:
License: Open Source BSD type license

This is an NTFS file recovery tool. It will read through all blocks on the disk, and tries to recover all files on the file system. It needs some information in order to work:
  • Start Sector: This is where the partition starts on the disk.
  • End Sector: This is where the partition ends on the disk.
  • Cluster Size: This is the size of one 'block' of data on a partition (in sectors, by default it's 8)
  • MFT Offset: Offset to NTFS Master File Table (in sectors).

The tool has an NTFS partition search option, which is not implemented yet. It can also try to detect / guess the values required in the above list, by running:
scrounge-ntfs -l /dev/sda
If it can't be determined you can either go to the disk with a hex editor, or guess. Here is a guide from the author:

Once we have the info, we can start the recovery to an output directory, by running:
scrounge-ntfs -m 2097152 -c 8 -o /root/Desktop/out/ /dev/sda 63 12583809
and as we can see the tool starts to rebuild the files in the correct hierarchy.

No comments: