 Welcome back everyone. So today we're going to be doing some data recovery from a disk image inside Linux, and I'm using Ubuntu Ubuntu Linux or Linux Mint actually is my forensic workstation and before we copied we acquired a disk image from our our hard drive our suspect disk connected to a right blocker and Now I have this suspect disk image and it's a about a 4.1 gigabyte suspect disk image and I'm inside I've opened up a Terminal or a command prompt and I'm inside the cases zero zero one images zero zero one folder And if we look at the directory and in Linux We list the directory using LS LS and that shows me all of the Files inside this folder so LS dash LHA shows me a little bit more information about this this directory so here we have one image the image file inside and it's a DD image or a raw disk image and Total about 3.8 gigabytes Okay, so right now. We're just in the same directory and we are going to use The sleuth kit the sleuth kit newer versions I believe it's above version 4 have a tool called TSK underscore recover and TSK recover basically uses sleuth kit tools to be able to Go through a disk image and look for allocated and unallocated in Files and recover the data from those files the way sleuth kit works is very interesting and if we have time Later we might go into it a little bit more in-depth But for now, let's just use the tool TSK recover, which is a relatively easy way to recover your data In Windows. We were using Photo rec and photo rec also works in Linux photo rec will be installed by default in most Linux forensic distributions But the sleuth kit will also be installed in those distributions. So let's go ahead and try this so right now I'm in this the directory with With my image dot DD and that's the image that I want to be able to recover Data from and our command that we're going to be using is TSK underscore recover TSK recover if we do dash H whenever you're running a command line tool You can usually use dash H or possibly dash dash help But I believe in in sleuth kid. It's just dash H and that will give you Invalid option. Okay, so then if you give an invalid option, it will also give you this help menu. Okay, so Whenever you're running a command line tool try to give it dash H or dash dash help and you might get a Help menu here. You should get a help menu. You can also use The man command and man TSK recover to get more information about how TSK recover works So we will just use here and the the commands that it gives us so we want to run the command TSK recover, okay, and then everything in these square brackets are basically optional So as we go through here, okay The the main command is not optional and we go through the image file name is not optional You have to give it some data to actually work on and then we also have to give it an output Directory, okay Now there's a couple different options in here that we might want to give it depending on how we're carving or how we're trying to recover some data But let's let's Look at each of those in turn. So first I'll type TSK recover Okay, and then we go through the options. So I Is the image type what we do know our image type If we do I Here it says use I dash I list for supported types So if we do TSK recover dash I list hit enter these are all of the types that it supports. Okay, so Our image is actually just a raw disk image, but it also supports several other file types Yeah, so some several other file types. So I'm gonna go ahead and clear this Okay, so we are going to run a TSK recover TSK recover and then dash I and my image type is raw. I know because it's a DD image The the device sector size we don't actually we do know this because it was in our It was in our documentation remember we've already seen this before I believe this was 512 bytes However, I'm not going to set this right now. This is optional. So I'm gonna make this as easy as possible File system type we do know the file system type as well It was fat 32, but I'm also not gonna set the file system type and TSK is pretty good now about detecting Detecting file systems and and partitions and things like that. I'm gonna leave these two to blank even though I I know both of them just to make things a little bit easier verbose output What how many messages do we want basically? printing the version of the tool And then dash a recover allicated files only well We don't want to recover allicated files only that would recover only the files that are currently Allocated in the system, which I could have recovered directly from the USB stick E recover all files Allocated and unallocated and this is really what I want to go for this is similar to how Photorek works where it's recovering allicated and unallocated Remember Photorek had the option to collect To basically look at the whole disk or free space And this is kind of the same option here. So we will do dash E. So I'm gonna add this dash E option Okay Sector offset sector offset for a volume to recover And we don't want to recover only a particular volume although we could in this case If we give it an offset to a volume it will recover only That partition or only that volume that we give it So if there's multiple partitions on the disk it will focus only on that one which is useful sometimes But in our case we want to carve everything now or recover everything Dash D and then the drive I numb is the directory I numb to recover from so in this case we can give it Basically this I numb That points specifically to that points to a specific directory inside the disk image Okay, so we're basically saying I want to carve data out of only this folder Inside this partition notice we have to use it with the dash O option so In this case we have to give it basically the locate the starting location for our partition and then we give it the directory I numb or the Identifying number for a directory that we want to carve directly out of so you can be quite specific on these things if you Only want to carve Files out of a certain location. However, we want to carve everything So we want to carve everything and we want to carve allocated and unallocated So we're going to say TSK recover Dash I which is the image type and then we want to say raw which isn't necessary Exactly because TSK should or the sleuth kit should be able to Detect our image type, but I'm just putting that to make sure Dash E says recover all files allocated and all okay and unallocated And then we need to give it the image name and my image name is image dot DD Okay, and then the output directory my output directory is dot dot dot Temp, okay, so what this does is these two dots right now. I'm inside The zero cases zero zero one images zero zero one folder so dot dot basically moves us up to images Dot dot moves us into zero zero one And then I want to go inside this case folder into the temp directory So let's see what that looks like As a file structure. So right now we are inside the images folder inside zero zero one So if I do dot dot that basically goes up one I do dot dot again that goes up one again, and then I want to go inside the temp folder So all of my data should be saved inside this temp folder So I'm going to keep that open and just minimize it. Okay, so now we have our image We have a specified what type of image it is and we specified the output location. So let's go ahead and do this So now I've started it and I don't know if you can hear but my fan is spun up and it's recovered a lot of files Okay, let's go into the temp fault the temp folder. So now it's recovered all of these files from My USB stick and that actually looks like About all of the images that I had in there notice. They have their own Names because they were all located in this case We have a Python script. We have system volume information, which is a Windows Folder that Windows automatically creates and then we have a bunch of different emails from the nron email Okay, and we recover all the data now most of this most not all but most of it Was all located. Let's see if we can find anything that wasn't Yeah, it looks like pretty much everything was all located here So all of this data was recovered from the disk image and now I have this data available on my forensic workstation There's a lot of different things I can do from here I'm I could start to analyze all of this data. I could start to search it for strings search it for viruses Basically just look through all of this either manually or with tools what I'm going to do right now though is Show Let's see so One of we were using Windows, so now I'm inside the directory. I can see all of these these images I am going to open up one of these images Let's say 5a.jpg I'm going to open up one of these images with a hex editor just so we can see again So one thing we talked about one of we were using Windows Was how does this carving work and carving using TSK recover works a little bit differently basically we're looking through all the The file system they're parsing out the file system directory and looking at the file system But the way that we recovered data using my photo rec one of the ways that they have is looking at these magic numbers or these File header for JPEG data. Where is it? About there so here. This is an identifier that starts a JPEG image, and then if we scroll down FFD 9 is what ends the image so basically we can look through an entire disk find Where the image starts copy everything in the middle And then until we get to the end and then put all of this data into a file And we will have a valid JPEG image as long as there's not fragmentation now TSK recover is working a little bit differently than that We're actually going through and parsing the file system, but That's essentially how we can use TSK recover against a disk image to recover Some of the files that are in there