Friday, February 1, 2013

Backtrack Forensics: File recovery with testdisk & photorec

Menu: Forensics -> Forensic Carving Tools
Directory: /pentest/forensics/testdisk
Official Website: http://www.cgsecurity.org/wiki/TestDisk
License: GNU GPL v2+

testdisk is a data recovery tool; it was primarily designed to restore damaged partitions, fix deleted boot sectors and undelete files. It supports a very large range of file systems; you can find the list on their webpage. For the demo I chose forensic test image #7 from http://dftt.sourceforge.net/test7/index.html. This is an NTFS file system with a couple of deleted files; it has fragmented files and an NTFS alternate data stream, so it is pretty good for testing. The files' MD5 hashes are also published, so we can check how good our results are.

To start the tool, simply type:

./testdisk_static /root/Desktop/7-ntfs-undel.dd

On the first screen select the disk you want to work on and choose "Proceed"; in this case we have only one option. If we start it without an image name it will let us select from the system drives. We can always go back to the previous screen by pressing "q".


In the next step we should select the partition table type. In my experience it is best to choose "None", as detection works best that way. If we choose "Intel" it might not find it.


On the next screen we can do a couple of things. Let's run an "Analyse" first.


This will do a quick analysis of the disk and partitions; we need to press a couple of keys to finish.


If we go back and choose the "Geometry" option, we can change the hard disk properties, if we know what they were and think that the auto-detection was not correct. The detected geometry is correct in our example.


Let's go back and select the "Advanced" option; here we can fix boot sectors, recover files, or make an image. I will move to "Undelete" because I want to recover the files.


Here I simply press "a" to select all files; I want to recover all of them to see how it works out. We can restore a single file with "c", select one with ":" and finally restore the selected files with "C".


When we press "C" it will ask us to select a location where to save the files. Once we have found the directory, press "C" to copy the files.


After that I computed an MD5 checksum of all files with:
md5deep -e -r /root/Desktop/testdisk
and if we compare them with the MD5s published on the image's webpage, we can see that all of them are correct.
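The comparison above was done by eye against the hashes on the dftt page. Here is an added example, not from the original post and not part of testdisk, that does the same check automatically: it reads a manifest in the "hash  path" format that md5sum and md5deep print, hashes every recovered file, and reports which files match, which came back corrupted (for instance a fragmented file whose later clusters were overwritten) and which were not recovered at all. The demo data and its manifest are constructed inline; they are not the hashes of test image #7.

```python
import hashlib
import os
import tempfile


def md5_of_file(path, chunk=1 << 20):
    """Hash a file in chunks so large recovered files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_manifest(text):
    """Parse 'hash  path' lines (md5sum/md5deep output) into {path: hash}.
    Blank lines and '#' comments are skipped; md5sum's binary-mode marker '*' is dropped."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        expected[name.strip().lstrip("*")] = digest.lower()
    return expected


def verify_recovery(recovered_dir, manifest_text):
    """Compare each manifest entry with the recovered copy.
    Returns three sorted lists of relative paths: matched, mismatched, missing."""
    expected = parse_manifest(manifest_text)
    matched, mismatched, missing = [], [], []
    for rel, digest in sorted(expected.items()):
        path = os.path.join(recovered_dir, rel)
        if not os.path.isfile(path):
            missing.append(rel)
        elif md5_of_file(path) == digest:
            matched.append(rel)
        else:
            mismatched.append(rel)
    return matched, mismatched, missing


def demo():
    """Constructed scenario: four 'original' files with a published manifest; three
    were recovered, one of them with its second cluster run zeroed out."""
    originals = {
        "file1.txt": b"content of the first deleted file",
        "frag2.dat": b"A" * 4096 + b"B" * 4096,   # fragmented, recovered intact
        "frag3.dat": b"C" * 4096 + b"D" * 4096,   # fragmented, second run lost
        "gone.dat": b"never recovered at all",
    }
    manifest = "\n".join(f"{hashlib.md5(data).hexdigest()}  {name}"
                         for name, data in originals.items())
    recovered = {
        "file1.txt": originals["file1.txt"],
        "frag2.dat": originals["frag2.dat"],
        "frag3.dat": b"C" * 4096 + b"\x00" * 4096,  # overwritten clusters
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in recovered.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_recovery(d, manifest)


if __name__ == "__main__":
    matched, mismatched, missing = demo()
    print("matched:   ", matched)
    print("mismatched:", mismatched)
    print("missing:   ", missing)
```

To use it on a real recovery, save the published hash list as a text file and call verify_recovery("/root/Desktop/testdisk", open("hashes.txt").read()); the relative paths in the manifest must match the directory layout testdisk wrote.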


The next tool is photorec, which can restore files based on their signatures, similar to foremost and scalpel. Originally it was developed to restore images (hence the name), but since then many different file types have been added. Here I used test image #11 from the same site. We can start it similarly to testdisk:

./photorec_static /root/Desktop/11-carve-fat.dd

Then we can choose our disk. Again, if we don't specify an image it will offer the system drives.


After that we can choose between a few options. Let's go to "File Opt" first, where we can choose which file types we want to recover.


You can see that we have lots of options; I simply left the default selection. Press "q" to go back.


Then choose "Search"; after that we need to specify the file system type. I know it's FAT in this case.


Then we need to select again where to store the recovered files.


Once the search has finished, it will tell us how many files were found.


We won't have the file names in this case, because the recovery was based on file headers and not on file system entries. In some cases it will add a name if one can be found in the file's metadata. I ran an MD5 check again, and we can see that the hashes match in most cases. It's not perfect, but still pretty good.


There is one more tool in the same directory called "fidentify", which does file type identification using the same signature database as photorec. Run it by specifying the directory:


./fidentify_static /root/Desktop/testdisk/

and, as we can see, it prints the file type of each file.
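To make concrete what both photorec and fidentify do with a signature database, here is an added example (my own illustration, not code from photorec, fidentify or the original post). The carve() function walks a raw image sector by sector, starts a file wherever a sector begins with a known header and cuts it at the matching footer; identify() is the fidentify-style lookup that reports which header a buffer starts with. The signature table holds the real magic numbers for PNG, JPEG and PDF only, and the disk image is constructed inline; it also shows why carving gives no file names and why a file with a missing footer, such as a fragmented one, is emitted truncated and will fail the MD5 check.

```python
# Constructed signature table: (type, header, footer or None, maximum size).
# These are the real magic numbers for PNG, JPEG and PDF; photorec's own
# database covers hundreds of formats and is far more refined than this.
SIGNATURES = [
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 8 << 20),
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 8 << 20),
    ("pdf", b"%PDF-", b"%%EOF", 32 << 20),
]

SECTOR = 512  # files on FAT/NTFS start on a cluster, hence sector, boundary


def identify(data):
    """fidentify-style check: return the type whose header the buffer starts with."""
    for name, header, _footer, _max_len in SIGNATURES:
        if data.startswith(header):
            return name
    return None


def carve(image, sector=SECTOR):
    """photorec-style carving over a raw image.

    Walk the image sector by sector; whenever a sector starts with a known
    header, cut from there to the matching footer. If no footer is found
    within the type's maximum size, the file is emitted truncated and flagged
    incomplete: exactly the case where a carved file's MD5 will not match the
    original, e.g. a fragmented file whose later clusters lie elsewhere.
    Nothing here reads a directory entry, so carved files carry no names.
    """
    found = []
    pos = 0
    while pos < len(image):
        name = identify(image[pos:pos + 16])
        if name is None:
            pos += sector
            continue
        header, footer, max_len = next(
            (h, f, m) for n, h, f, m in SIGNATURES if n == name)
        limit = min(len(image), pos + max_len)
        end, complete = limit, False
        if footer is not None:
            idx = image.find(footer, pos + len(header), limit)
            if idx != -1:
                end, complete = idx + len(footer), True
        found.append({"offset": pos, "type": name,
                      "data": image[pos:end], "complete": complete})
        # resume at the next sector boundary after the carved file
        pos = -(-end // sector) * sector
    return found


def build_sample_image():
    """Constructed 2560-byte 'disk image': an intact PNG, an intact JPEG,
    a sector of unrelated data and a PDF whose trailer was never written."""
    def pad(b):
        return b + b"\x00" * (-len(b) % SECTOR)
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 40 + b"IEND\xaeB`\x82"
    jpg = b"\xff\xd8\xff\xe0" + b"\x11" * 100 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n" + b"obj" * 30          # truncated: no %%EOF
    return b"\x00" * SECTOR + pad(png) + pad(jpg) + b"\xaa" * SECTOR + pad(pdf)


if __name__ == "__main__":
    for f in carve(build_sample_image()):
        state = "complete" if f["complete"] else "TRUNCATED"
        print(f"offset {f['offset']:5d}  type {f['type']}  "
              f"{len(f['data'])} bytes  {state}")
```

Running it against a real image means replacing build_sample_image() with the bytes of the .dd file; the output names each carved file only by its offset and type, which is the same reason photorec's recovered files come out with generic names.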

