Forensics, Undelete, and Data Recovery

From Noah.org
Revision as of 13:19, 28 March 2010 by Root (talk | contribs) (→‎dd)
Jump to navigationJump to search


undelete a file in Linux

There is no undelete in Linux. You're screwed.

OK, maybe not... If possible, cut power to the machine or drive. Don't let anything else get written to the drive. New data could potentially overwrite the deleted files. If the drive is on a battery-backed cache RAID controller you might also want to remove the drive from the controller and bring up the drive in a different machine. That might be going overboard, but it depends on how desperate you are. If you try simply unmounting the drive then that will actually guarantee the caches are synced to disk which could cause even more data loss.

On most filesystem deleted files are not actually erased. Their space it marked as available and the file actually remains on the disk until the drive overwrites the space with a new file. This could happen right away or it could take a long time before the file is actually lost.

Most data recovery tools fall into the category of "data carving". These tools try to scan the disk as a stream to identify bit patterns associated with common filetypes such as JPG, Word files, mp3, and video files. These tools sometimes recover corrupt files. The also can rarely recover filenames or other metadata.

Some data recover tools make more use of knowledge of the underlying filesystem. For example, there are special tools only for ext2 or NTFS. But a tool that helps recover deleted files from an ext2 filesystem will not work on an ext3 filesystem even through the underlying format is the same.

Install packages on Ubuntu or Debian

See Install Forensics for a complete list of packages to install.

data extraction

To recover data you will need to extract it from the source drive to work on it in a separate work drive.

dd

The venerable old `dd` command is the most common way to create a raw dump of a device. The following does a simple dump of the entire drive, sdb. This means all partitions will be copied. The /dev/sdb device should be unmounted. It is possible that this will work while mounted, but you might also end up with a disk image in an inconsistent state.

dd if=/dev/sdb of=~/recovery/disk.img

ddrescue

`ddrescue` operates similar to `dd` except that it knows how to gracefully handle bad sectors on a disk whereas `dd` will either lock up or refuse to read past a bad part of a disk.

There is another tool called `dd_rescue` by Kurt Garloff which is different. Unfortunately the Ubuntu package repositories have confused the issue even more with their package names. The 'ddrescue' package does not install `ddrescue`; it installs `dd_rescue`.

# This will install the GNU ddrescue in /sbin/ddrescue
aptitude install gddrescue
# This will install Kurt Garloff's dd_rescue in /bin/dd_rescue
aptitude install ddrescue

dd_rescue

This describes Kurt Garloff's dd_rescue. There is another tool called `ddrescue` from GNU which is different. Unfortunately the Ubuntu package repositories have confused the issue even more with their package names. The 'ddrescue' package does not install `ddrescue`; it installs `dd_rescue`. Although, Kurt Garloff's own URL to his dd_rescue tool is written as 'ddrescue'! What's the matter with these people? Have they all gone insane?

# This will install the GNU ddrescue in /sbin/ddrescue
aptitude install gddrescue
# This will install Kurt Garloff's dd_rescue in /bin/dd_rescue
aptitude install ddrescue

dls in Sleuthkit

This toolkit has a variety of tools for extracting raw data from a drive. The most valuable one to me has been `dls` which is similar to `dd` except that it will extract raw data only from the unused parts of a drive where deleted files will be found. This saves time in later steps because you don't have to search through the entire drive for deleted files.

The Sleuthkit

testdisk -- partition recovery

TestDisk checks and recovers lost partitions from a device or image file.

Note that the '/list' option lists only what the drive or image file currently shows for a partition table. This does not do a search. If the drive or image is corrupt in any way then this partition table list might be meaningless. Run testdisk without any options to start the interactive partition recovery tool that will actually search for partitions.

Sadly, this tool does use / instead of traditional - (dash) to indicate an option.

data carving tools

These tools find data in streams based on patterns. They don't need filenames or valid inodes.

PhotoRec

This tool is probably the best tool I've used for recovering files. It was originally a special purpose tool for recovering photos deleted from flash memory cards, but it has grown into a general purpose tool that can identify many types of files.

PhotoRec

recoverjpeg

This specializes in just jpeg files:

recoverjpeg

scalpel

Scalpel is based on an early version of `foremost`. Supposedly `foremost` is a little better at finding files, but `scalpel` is faster and will handle files larger than 2GB.

scalpel

foremost

Foremost

magicrescue

Magic Rescue

ext2 file recovery tools

These tools are becoming less relevant since ext2 is old and not found as often as ext3 and ext4. It is more difficult to undelete files in ext3 and ext4. See the section on #data carving tools for recovering data for newer these filesystems.

e2undel

This tool specializes only in ext2 filesystems.

e2undel

recover

This tool specializes only in ext2 filesystems.

recover

Data file magic bytes

file
offset:magic_bytes

png
0:89504e47
jpg
0:ffd8ffe0
mpeg
0:000001b3
mpeg
0:000001ba

see also

  • Man pages for 'magic(5)' and 'file(1)'.
  • Magic file databases on Linux stored in /usr/share/file or /usr/share/misc.
  • magic.db database from MagicDB.org.
  • file The UNIX `file` command.

Example Recovery

Install some tools

Install `foremost` and `dls`

aptitude install sleuthkit  # This is a collection of forensic analysis tools that includes `dls`.
aptitude install foremost 

dls

You can use `dls` to dump the raw binary data of the free space on a partition. You can pipe that directly into `foremost` which intelligently tries to reconstruct files in raw binary streams.

`dls` works sort of like `dd` except that it dumps unallocated blocks. You can use `dd` instead of `dls`, but then you would be grabbing all the raw data from a disk including data from files that are not deleted. This example assumes the drive partition you want to recover from is /dev/sdb1.

dls /dev/sdb1 > ~/recovery/rawdata.dd

foremost

`foremost` recovers files from a disk image. You use it with `dls` like this:

dls /dev/sdb1 | foremost 

If you want to reduce the amount of useless files that are recovered you can specify the file type you are looking for. For example, to recover any Microsoft Office documents you might do something like the following.

dls /dev/sdb1 | foremost -tole

To recover JPEG pictures do this:

dls /dev/sdb1 | foremost -tjpg

database recovery

MySQL

For dropped MyISAM tables you can try the undelete and data carving tools to find the table files.

InnoDB tables are stored in a single file, so this won't work. For InnoDB tables you can try using data carving tools on the ibdata file. This file is often found in /var/lib/mysql/ibdata1 and is accompanied by /var/lib/mysql/ib_logfile0 and /var/lib/mysql/ib_logfile1 which store transaction info. At this level data carving is probably not going to be much more sophisticated than opening ibdata1 in an editor and searching for strings. I actually recovered large portions of a wiki by running ibdata1 through the `strings` command and then sifting through the mess.

You can also try innodb-tools if you are willing to put in a lot of work.

Memory dumping

You can cat the device file /dev/mem to get a copy of memory. You should pipe this to `netcat` or `ssh` or something that will copy the data over the network.

The `memdump` command can be used to output a copy of RAM. It skips empty regions, so this can help save space. Output goes to stdout, so you should pipe it into netcat or ssh to copy the data off the machine.

Other Resources

Forensics Wiki This is a very handy site and good for finding other tools.

Forensics Wiki's Resources A link to some more links.

Disaster Recover This is an InformationWeek article with good info.