🩻 Data Recovery

Data Carving

Below are the techniques, tools and instructions regarding data recovery from various file systems and devices. Most of the below techniques apply to HDDs only. Those that are for SDDs or other flash memory devices will be specified in the last section.

🗄 File Systems

Backups

*Most OS and apps have some sort of time machine, backups if you will. *

Passwords Cracking

mem

Such files as hiberfil.sys or a memory image can grepped for passwords.

zip

brew install john
brew install hashcat
brew install maczip # to create test 7z on macOS

./7z2john /path/to/zip/file.7z > /path/to/output/file.hash

hashcat -h | grep -i zip                                                                                             
  11600 | 7-Zip                                                      | Archive
  17220 | PKZIP (Compressed Multi-File)                              | Archive
  17200 | PKZIP (Compressed)                                         | Archive
  17225 | PKZIP (Mixed Multi-File)                                   | Archive
  17230 | PKZIP (Mixed Multi-File Checksum-Only)                     | Archive
  17210 | PKZIP (Uncompressed)                                       | Archive
  20500 | PKZIP Master Key                                           | Archive
  20510 | PKZIP Master Key (6 byte optimization)                     | Archive
  23001 | SecureZIP AES-128                                          | Archive
  23002 | SecureZIP AES-192                                          | Archive
  23003 | SecureZIP AES-256                                          | Archive
  13600 | WinZip                                                     | Archive

hashcat -m 11600 hash.hash toolkit/wordlists/rockyou.txt

And the result is the following. For rockyou.txt file the estimated time was about 16-18 hours. So, for the testing purposes I created a simple wordlist with just 3 words.