Data Carving


Created: 06.10.2020

Below are the techniques, tools and instructions for recovering deleted data from various file systems and devices. Most of them apply to HDDs only; those that are for SSDs or other flash memory devices are covered in the last section.

Intro

There are several ways to recover deleted data. Some of them will vary for different file systems.

Flash memory (flash drives, SSDs) cannot be overwritten in place: a block has to be erased before it can be programmed again. Deleting a file therefore does not erase its data at that moment; the file system only marks the space as free. Whether and when the cells are actually cleared depends on the drive's controller: if the OS sends a TRIM command for the freed range, the controller's garbage collector may erase those blocks in the background, after which the data is gone. [3]

Use The Sleuth Kit to gather some information first:

  • mmstat <disk_or_image> shows the volume system type. The output (dos, gpt, ...) is the partition scheme; "volume system" is just TSK's name for it, so these are the same thing.
  • mmls -t <volume_type> <disk_or_image> shows the disk layout, including unallocated space. -t can be omitted because mmls detects the type itself, so there is no need to run mmstat. From the mmls output note the Start value (in sectors) of each partition; that is the offset the file system tools expect.
  • fsstat -o <offset> <disk_or_image> shows detailed information about a partition. The output depends on the file system: for Linux 🐧 partitions it shows superblock, block group and inode information, for NTFS the MFT and other NTFS metadata, for exFAT the FAT and the root directory. The same information, in more detail, can be viewed with 🛠 Active@Disk Editor.
  • fls -o <offset> <disk_or_image> lists the files in the root directory, deleted entries marked with *; add -r to recurse into subdirectories.
  • fls -r -m "/" -o <offset> <disk_or_image> > bodyfile.txt exports a timeline body file from the volume (-r recursive, -m produces the mactime body format; its argument is the mount point prefixed to every path, "/" here).
  • mactime -b <bodyfile> -d > timeline.csv (the script is mactime.pl in the Perl source) turns the body file into a CSV timeline [1]. Add -z <timezone> to specify the time zone.
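The offset step above is where mistakes usually happen (sector offset vs. byte offset, picking the unallocated gap instead of the partition). The following Python helper is an added example, not part of the original notes or of The Sleuth Kit: it parses the table mmls prints and emits the fsstat/fls/mactime lines for each file system partition with the -o offset filled in. The mmls text embedded in it is a constructed sample in the layout the tool prints, and disk.dd is a placeholder image name.

```python
"""Pick partition offsets from mmls output and build the follow-up commands.

Added example; not from the original notes. parse_mmls() reads the table
mmls prints (the sample below is constructed in that layout; disk.dd is a
placeholder image name) and tsk_commands() emits the fsstat/fls/mactime
lines for one partition with the -o offset filled in.
"""
import re
from dataclasses import dataclass

# Constructed sample of `mmls disk.dd` output for an MBR disk with two partitions.
SAMPLE_MMLS = """\
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000206847   0000204800   NTFS / exFAT (0x07)
003:  000:001   0000206848   0002097151   0001890304   Linux (0x83)
"""

ROW = re.compile(r"^(\d+):\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")
UNITS = re.compile(r"Units are in (\d+)-byte sectors")


@dataclass
class Partition:
    index: int
    slot: str
    start: int        # sector numbers, as mmls prints them
    end: int
    length: int
    description: str


def parse_mmls(text: str):
    """Return (sector_size, [Partition, ...]) from mmls output."""
    sector_size = 512
    parts = []
    for line in text.splitlines():
        units = UNITS.search(line)
        if units:
            sector_size = int(units.group(1))
            continue
        row = ROW.match(line)
        if row:
            idx, slot, start, end, length, desc = row.groups()
            parts.append(Partition(int(idx), slot, int(start), int(end), int(length), desc))
    return sector_size, parts


def filesystem_partitions(parts):
    """Entries that can hold a file system: skip the partition table itself and
    unallocated gaps (gaps have no file system but are still worth carving)."""
    return [p for p in parts if p.slot != "Meta" and not p.description.startswith("Unallocated")]


def byte_offset(part: Partition, sector_size: int) -> int:
    """Offset in bytes, for a hex editor, dd skip= or losetup -o."""
    return part.start * sector_size


def tsk_commands(image: str, part: Partition):
    """fsstat/fls take -o in sectors, so the mmls Start column is used directly."""
    body = f"body_{part.index:03d}.txt"
    return [
        f"fsstat -o {part.start} {image}",
        f"fls -r -p -o {part.start} {image}",            # -p: full paths; deleted entries are marked *
        f'fls -r -m "/" -o {part.start} {image} > {body}',
        f"mactime -b {body} -d -z UTC > timeline_{part.index:03d}.csv",
    ]


if __name__ == "__main__":
    sector_size, parts = parse_mmls(SAMPLE_MMLS)
    for p in filesystem_partitions(parts):
        print(f"# {p.description}: sector {p.start}, byte offset {byte_offset(p, sector_size)}")
        print("\n".join(tsk_commands("disk.dd", p)))
```

On a real image, run `mmls disk.dd` and pass its output to parse_mmls(); the byte offset is what a hex editor or `dd skip=` wants, while the TSK tools want the sector count as printed.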

Carving Techniques

Carving works on any file system, because it ignores the file system metadata and looks only at the content of the blocks. There are two methods for carving:

  • Block-based. Starts from a known header and then examines each subsequent block, validating with a model of the file format whether the block can be part of the file. 🛠 Foremost (combines both methods).
  • Header/footer. Uses a string-search engine to scan unallocated space for known headers, then takes everything up to the first occurrence of the matching footer. 🛠 Foremost (combines both methods), Scalpel.

There are several prerequisites though:

  • The header must be intact
  • For header/footer carving the footer must be present too
  • The file must not be fragmented (its parts stored in non-contiguous areas of the disk)

Foremost

foremost -t jpeg,tif,bmp -i <image/disk> -o <result_dir>
foremost -v -t png,jpg -i <image.dd> -o /path/to/output/folder

The type list after -t is comma-separated without spaces; -v is verbose. Carved files are written to per-type subdirectories of the output directory together with an audit.txt listing every hit and its offset.

Scalpel

Carver-Recovery (aka Scalpel) looks for headers and footers and scans the image/disk twice. On the first pass it reads the input in 10 MB chunks (the default) and logs every header and footer it finds; on the second pass it uses those indexes to collect the files.

PhotoRec

dd

Manual

Open the data source in a hex editor (HxD, Editor101, HexView, etc.). Search for the magic number (file signature) of the file format you are looking for, select from the header up to and including the footer, save the selection as a new file and give it the correct extension.
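Both the header/footer method above and the hex-editor procedure come down to the same loop, shown here as an added Python example (not code from the original notes and not how Foremost or Scalpel are implemented). The signatures are the standard JPEG, PNG and PDF ones; the "image" is a constructed byte string with three sample files embedded in zero filler, standing in for a dump of unallocated space.

```python
"""Header/footer carver over a raw dump of unallocated space.

Added example; not code from the original notes. It scans for known file
signatures, takes everything up to the first matching footer and writes each
hit out with the right extension: the hex-editor procedure above in a loop.
"""
import os

# Standard signatures: ext -> (header, footer, max bytes to search for a footer).
# PNG's footer is the IEND chunk plus its CRC so the carved file is complete.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 8 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 8 * 1024 * 1024),
    "pdf": (b"%PDF-", b"%%EOF", 32 * 1024 * 1024),
}


def carve(data: bytes):
    """Return a list of (ext, start, end) spans, sorted by start offset.

    A header without a footer inside the size limit is skipped: with a
    missing footer or a fragmented file this method cannot tell where the
    file ends (the prerequisites listed above).
    """
    spans = []
    for ext, (header, footer, max_size) in SIGNATURES.items():
        pos = data.find(header)
        while pos != -1:
            limit = min(len(data), pos + max_size)
            end = data.find(footer, pos + len(header), limit)
            if end == -1:
                pos = data.find(header, pos + 1)
                continue
            end += len(footer)
            spans.append((ext, pos, end))
            pos = data.find(header, end)   # resume after the carved file
    return sorted(spans, key=lambda s: s[1])


def write_carved(data: bytes, out_dir: str):
    """Write every carved span to out_dir as <offset>.<ext>; return the paths."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for ext, start, end in carve(data):
        path = os.path.join(out_dir, f"{start:08x}.{ext}")
        with open(path, "wb") as fh:
            fh.write(data[start:end])
        paths.append(path)
    return paths


# Constructed sample files: real headers/footers, filler bodies.
SAMPLE_FILES = {
    "jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x11" * 200 + b"\xff\xd9",
    "png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x22" * 100 + b"IEND\xaeB`\x82",
    "pdf": b"%PDF-1.4\n" + b"1 0 obj << >> endobj\n" * 5 + b"%%EOF",
}


def build_sample_image() -> bytes:
    """Constructed stand-in for unallocated space: zero filler with the three
    sample files embedded at known offsets (jpg at 1024, then pdf, then png)."""
    image = b"\x00" * 1024
    for ext in ("jpg", "pdf", "png"):
        image += SAMPLE_FILES[ext] + b"\x00" * 777
    return image


if __name__ == "__main__":
    image = build_sample_image()
    for ext, start, end in carve(image):
        print(f"{ext}: offset {start:#x}, {end - start} bytes")
    print(write_carved(image, "carved_out"))
```

On a real case you would feed it the unallocated blocks of a partition (for example the output of `blkls -o <offset> <image>`) rather than a whole disk. Note the classic header/footer weakness: a JPEG with an embedded EXIF thumbnail contains a second FF D8 FF / FF D9 pair, so the carve stops at the thumbnail's footer and returns a truncated file; block-based validation is what handles such cases.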

🦠 Be cautious with carved files and don't open them on your main system unless you are sure what they are.

Recovering Registry Entries

Since the registry is unique to Windows, the following technique only applies to Windows systems. A registry hive contains both unallocated space and deleted keys and values that have not yet been overwritten, so they can be recovered.

Use deleted.pl. Example: deleted.pl SAM > /cases/winforensics/SAM_recovered.txt. Or use YARU.

Recovering Data From Flash Drives

🧪 I thought that data deleted from a flash drive is not recoverable. However, I was able to recover files from a FAT32-partitioned drive. Why?

❓ Maybe it's only until the flash drive is connected to the PC? Maybe once the power is taken away, the data is wiped?

✏️

Fragmentation

Fragmentation is when a file's data is stored in non-contiguous chunks scattered across the drive and has to be reassembled before it is usable.

However, through regular use, chunks of files commonly become physically displaced across the disk. A cure for this is defragmenting the disk. This process reduces the time required to access a file by moving the fragmented ‘blocks’ of files closer together. Understanding this concept is essential when analysing raw disk images. [5]

Slack space

When a file is deleted, its data is not erased: the clusters it occupied are marked free but not zeroed out. If a new, smaller file is later allocated the same cluster, the bytes between the end of the new file and the end of the cluster (the slack space) still hold the tail of the previous file. It is not the whole file, but it can still be helpful in some cases.
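To make the cluster reuse concrete, here is an added Python example (not from the original notes) with a toy cluster-based volume: a file is written, deleted (only the allocation record goes; the bytes stay), then a smaller file reuses the cluster and the new file's slack is read back. The 4096-byte cluster size and the file names are assumptions for the demonstration.

```python
"""Slack space on a toy cluster-based volume.

Added example; not from the original notes. Write a file, delete it (only the
allocation record goes; the bytes stay), then let a smaller file reuse the
cluster and read the new file's slack: the tail of the old file is still there.
"""
CLUSTER = 4096


class ToyVolume:
    def __init__(self, clusters: int = 8):
        self.disk = bytearray(CLUSTER * clusters)
        self.owner = {}       # cluster -> file name, allocated clusters only
        self.files = {}       # file name -> (cluster chain, size in bytes)

    def write(self, name: str, data: bytes):
        needed = -(-len(data) // CLUSTER)          # ceiling division
        free = [c for c in range(len(self.disk) // CLUSTER) if c not in self.owner]
        chain = free[:needed]
        if len(chain) < needed:
            raise OSError("volume full")
        for k, cl in enumerate(chain):
            chunk = data[k * CLUSTER:(k + 1) * CLUSTER]
            base = cl * CLUSTER
            # Only the file's own bytes are written; the rest of the cluster
            # keeps whatever it held before.
            self.disk[base:base + len(chunk)] = chunk
            self.owner[cl] = name
        self.files[name] = (chain, len(data))

    def delete(self, name: str):
        chain, _ = self.files.pop(name)
        for cl in chain:
            del self.owner[cl]                       # data left in place

    def read(self, name: str) -> bytes:
        chain, size = self.files[name]
        out = b"".join(bytes(self.disk[cl * CLUSTER:(cl + 1) * CLUSTER]) for cl in chain)
        return out[:size]

    def slack(self, name: str) -> bytes:
        """Bytes from the end of the file to the end of its last cluster."""
        chain, size = self.files[name]
        used_in_last = size - (len(chain) - 1) * CLUSTER
        last = chain[-1] * CLUSTER
        return bytes(self.disk[last + used_in_last:last + CLUSTER])


def demo():
    """Returns (old file tail found in slack?, slack length, new file contents)."""
    vol = ToyVolume()
    old = b"CONFIDENTIAL: budget line item\n" * 100    # 3100 bytes, fits one cluster
    vol.write("report.txt", old)
    vol.delete("report.txt")
    vol.write("note.txt", b"lunch at noon")             # reuses cluster 0
    leftover = vol.slack("note.txt")
    return b"CONFIDENTIAL" in leftover, len(leftover), vol.read("note.txt")


if __name__ == "__main__":
    print(demo())
```

Real file systems differ in one detail worth knowing: when the last sector of a file is written, Windows pads the remainder of that sector (RAM slack) with zeros, so recoverable remnants usually start at the next sector boundary inside the cluster rather than right after the file's last byte.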

References

[1] Windows Forensics Cookbook
[2] Chances for data recovery
[3] Windows OS Forensics, Coursera, InfoSec Institute
[4] Digital Archaeology by M. Graves
[5] Sheward, Mike. Hands-on Incident Response and Digital Forensics (p. 130). BCS Learning & Development Limited. Kindle Edition.