Monday, 21 May 2012

Restore files / Image acquisition 101

First of all lets acquire the image of the disk in question so we can recover the files.

Boot your backtrack disk (usb or disk does not matter that much) and load up the Forensics mode (no disk no swap)

Check out to see what disks/partitions we got

dmesg | grep sd

Get the images from both partitions and transfer them to the workstation where you will be doing the work.

dcfldd if=/dev/sda1 | ssh username@hostname "dd of=/path/on/the/remote/machine/image1.img" 

dcfldd if=/dev/sda2 | ssh username@hostname "dd of=/path/on/the/remote/machine/image2.img"

Now lets make the images to VMware disks

qemu-img convert -f raw /storage/data/recover/sda1.img -O vmdk /storage/data/recover/vmware-sda1.vmdk

or

wget "http://downloads.sourceforge.net/project/raw2vmdk/raw2vmdk-0.1.3.1-jar.tar.gz?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fraw2vmdk%2F&ts=1337595038&use_mirror=kent"

tar -zxvf raw2vmdk-0.1.3.1-jar.tar.gz
rm -rf raw2vmdk-0.1.3.1-jar.tar.gz
cd  raw2vmdk-0.1.3.1-jar

java -jar raw2vmdk.jar /storage/data/recover/sda2.img /storage/data/recover/vmware-sda2.vmdk


Now they can be loaded into VMware and files can be restored using:

Diskdigger (needs licence)
Recuva (free)
FreeRecovereer (free)
File Scavanger (needs licence)


Stay tuned :)

No comments:

Post a Comment