Thursday, April 28, 2011

Data recovery - Getting to know foremost

Today we are going to look at a tool called foremost.

Site link: http://foremost.sourceforge.net/

Foremost is basically used to recover files: it carves them straight out of a disk or a disk image by their signatures, so it does not depend on the filesystem's metadata still being there.

Let's get our hands dirty!

To see the options, you can run "man foremost".

Let's do a test recovering data from a pen drive.

Below is the content currently on this disk:



jy@victory:~$ cd /media/my_stickj/
jy@victory:/media/my_stickj$ ls -lhtr
total 16K
drwx------ 2 jy jy 4.0K 2011-03-14 19:14 ieq
drwx------ 2 jy jy 4.0K 2011-03-14 19:14 compar
drwx------ 3 jy jy 4.0K 2011-03-14 19:14 nfe
drwx------ 2 jy jy 4.0K 2011-03-24 13:49 fotos
jy@victory:/media/my_stickj$ cd fotos/
jy@victory:/media/my_stickj/fotos$ ls -lhtr
total 124K
-rw-r--r-- 1 jy jy 11K 2011-03-02 23:30 ruby.jpg
-rw-r--r-- 1 jy jy 4.3K 2011-03-02 23:31 ti.jpg
-rw-r--r-- 1 jy jy 6.6K 2011-03-02 23:32 oca.jpg
-rw-r--r-- 1 jy jy 5.0K 2011-03-02 23:32 oce.jpg
-rw-r--r-- 1 jy jy 2.3K 2011-03-02 23:33 oracle_database.jpg
-rw-r--r-- 1 jy jy 4.2K 2011-03-02 23:34 oracle11g.jpg
-rw-r--r-- 1 jy jy 3.6K 2011-03-02 23:35 linux.jpg
-rw-r--r-- 1 jy jy 7.3K 2011-03-02 23:36 ubuntu.jpg
-rw-r--r-- 1 jy jy 8.0K 2011-03-02 23:36 postgresql.jpg
-rw-r--r-- 1 jy jy 6.6K 2011-03-02 23:36 oracle_mysql.jpg
-rw-r--r-- 1 jy jy 4.4K 2011-03-02 23:37 fedena.png
-rw-r--r-- 1 jy jy 6.4K 2011-03-02 23:38 redhat.jpg
-rw-r--r-- 1 jy jy 7.7K 2011-03-02 23:39 fedora.jpg
-rw-r--r-- 1 jy jy 8.2K 2011-03-02 23:39 fedora2.png
-rw-r--r-- 1 jy jy 7.4K 2011-03-02 23:43 exadata.jpg
-rw-r--r-- 1 jy jy 47 2011-03-02 23:47 Picasa.ini
jy@victory:/media/my_stickj/fotos$



Suppose the owner of the pen drive does this:

jy@victory:/media/my_stickj$ rm -r *
jy@victory:/media/my_stickj$ ls
jy@victory:/media/my_stickj$

or does the same thing through a graphical interface.

If we go and look at the disk, it will be empty.

Now let's use foremost.



1st: Copy the disk to a file in any directory, for analysis:

- Using fdisk -l we get the disk's device name in the operating system:

Disk /dev/sdb: 1035 MB, 1035993088 bytes
32 heads, 62 sectors/track, 1019 cylinders
Units = cylinders of 1984 * 512 = 1015808 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00094a3d

   Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1        1019     1010817    c  W95 FAT32 (LBA)

- Using the "dd" command we extract the contents of the disk to a file (note that the whole device, /dev/sdb, is imaged, not just the partition):

jy@victory:/media/my_stickj$ sudo dd if=/dev/sdb of=/home/jy/temp/pendrivex.raw
2023424+0 records in
2023424+0 records out
1035993088 bytes (1.0 GB) copied, 397.122 s, 2.6 MB/s
jy@victory:/media/my_stickj$

- Viewing the file:

jy@victory:~/temp$ pwd
/home/jy/temp
jy@victory:~/temp$ ls -lhtr
total 989M
-rw-r--r-- 1 root root 988M 2011-03-24 15:15 pendrivex.raw
jy@victory:~/temp$



- Now let's actually use foremost to extract whatever content can still be found on the disk.

We'll use the basic form: -t all asks for every file type foremost knows about, and the block size and the other options are left at their defaults:

jy@victory:~/temp$ foremost -t all -i /home/jy/temp/pendrivex.raw -o /home/jy/temp/pendrivexfiles/ -v
Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Thu Mar 24 16:13:37 2011
Invocation: foremost -t all -i /home/jy/temp/pendrivex.raw -o /home/jy/temp/pendrivexfiles/ -v
Output directory: /home/jy/temp/pendrivexfiles
Configuration file: /etc/foremost.conf
Processing: /home/jy/temp/pendrivex.raw
|------------------------------------------------------------------
File: /home/jy/temp/pendrivex.raw
Start: Thu Mar 24 16:13:37 2011
Length: 988 MB (1035993088 bytes)

Num Name (bs=512) Size File Offset Comment

*0: 00260926.jpg 99 KB 133594112
1: 00303110.jpg 11 KB 155192320
2: 00303134.jpg 8 KB 155204608
3: 00303158.jpg 26 KB 155216896
4: 00303214.jpg 21 KB 155245568
5: 00303262.jpg 8 KB 155270144
6: 00303286.jpg 26 KB 155282432
7: 00303342.jpg 14 KB 155311104
8: 00303374.jpg 9 KB 155327488
9: 00326102.jpg 105 KB 166964224
10: 00326318.jpg 113 KB 167074816
....
64: 00303102.png 499 B 155188224 (15 x 14)
*********|
Finish: Thu Mar 24 16:14:10 2011

65 FILES EXTRACTED

jpg:= 26
gif:= 8
htm:= 1
zip:= 2
png:= 28
------------------------------------------------------------------

Foremost finished at Thu Mar 24 16:14:10 2011
jy@victory:~/temp$



Above I pasted part of the command's run for the content extraction; below is foremost's report, the audit file it writes into the output directory:

Foremost version 1.5.7 by Jesse Kornblum, Kris Kendall, and Nick Mikus
Audit File

Foremost started at Thu Mar 24 16:13:37 2011
Invocation: foremost -t all -i /home/jy/temp/pendrivex.raw -o /home/jy/temp/pendrivexfiles/ -v
Output directory: /home/jy/temp/pendrivexfiles
Configuration file: /etc/foremost.conf
------------------------------------------------------------------
File: /home/jy/temp/pendrivex.raw
Start: Thu Mar 24 16:13:37 2011
Length: 988 MB (1035993088 bytes)

Num Name (bs=512) Size File Offset Comment

0: 00260926.jpg 99 KB 133594112
1: 00303110.jpg 11 KB 155192320
2: 00303134.jpg 8 KB 155204608
3: 00303158.jpg 26 KB 155216896
4: 00303214.jpg 21 KB 155245568
5: 00303262.jpg 8 KB 155270144
6: 00303286.jpg 26 KB 155282432
7: 00303342.jpg 14 KB 155311104
8: 00303374.jpg 9 KB 155327488
9: 00326102.jpg 105 KB 166964224
10: 00326318.jpg 113 KB 167074816
11: 00326558.jpg 7 KB 167197696
12: 00326574.jpg 4 KB 167205888
13: 00326590.jpg 7 KB 167214080
14: 00326606.jpg 8 KB 167222272
15: 00326630.jpg 3 KB 167234560
16: 00326638.jpg 6 KB 167238656
17: 00326654.jpg 4 KB 167246848
18: 00326670.jpg 4 KB 167255040
19: 00326686.jpg 2 KB 167263232
20: 00326694.jpg 6 KB 167267328
21: 00326718.jpg 7 KB 167279616
22: 00326734.jpg 6 KB 167287808
23: 00326750.jpg 10 KB 167296000
24: 00326774.jpg 4 KB 167308288
25: 00326790.jpg 7 KB 167316480
26: 00294666.gif 158 B 150869425 (31 x 32)
27: 00294667.gif 141 B 150869688 (31 x 32)
28: 00294667_1.gif 162 B 150869934 (31 x 32)
29: 00294668.gif 153 B 150870203 (32 x 32)
30: 00294668_1.gif 153 B 150870463 (32 x 32)
31: 00294669.gif 153 B 150870723 (32 x 32)
32: 00294669_1.gif 153 B 150870974 (32 x 32)
33: 00303094.gif 99 B 155184128 (19 x 18)
34: 00303494.htm 27 KB 155389123
35: 00297978.zip 2 MB 152564906
36: 00303566.zip 11 MB 155425792
37: 00294670.png 4 KB 150871299 (48 x 48)
38: 00294679.png 3 KB 150876111 (47 x 48)
39: 00294687.png 3 KB 150879952 (48 x 48)
40: 00294694.png 3 KB 150883833 (48 x 48)
41: 00297615.png 8 KB 152378989 (783 x 63)
42: 00297829.png 783 B 152488815 (16 x 16)
43: 00297831.png 783 B 152489744 (16 x 16)
44: 00297833.png 783 B 152490675 (16 x 16)
45: 00297844.png 3 KB 152496470 (48 x 48)
46: 00297851.png 3 KB 152499818 (48 x 48)
47: 00297857.png 3 KB 152503168 (48 x 48)
48: 00297893.png 2 KB 152521218 (48 x 48)
49: 00297897.png 2 KB 152523457 (48 x 48)
50: 00297901.png 2 KB 152525698 (48 x 48)
51: 00297910.png 473 B 152529932 (16 x 16)
52: 00297911.png 473 B 152530563 (16 x 16)
53: 00297912.png 473 B 152531196 (16 x 16)
54: 00297934.png 2 KB 152542618 (48 x 48)
55: 00297939.png 2 KB 152544861 (48 x 48)
56: 00297943.png 2 KB 152547106 (48 x 48)
57: 00297948.png 519 B 152549603 (16 x 16)
58: 00297949.png 519 B 152550240 (16 x 16)
59: 00297950.png 519 B 152550879 (16 x 16)
60: 00297952.png 525 B 152551642 (16 x 16)
61: 00297953.png 525 B 152552317 (16 x 16)
62: 00297955.png 525 B 152552994 (16 x 16)
63: 00302756.png 4 KB 155011231 (32 x 32)
64: 00303102.png 499 B 155188224 (15 x 14)
Finish: Thu Mar 24 16:14:10 2011

65 FILES EXTRACTED

jpg:= 26
gif:= 8
htm:= 1
zip:= 2
png:= 28
------------------------------------------------------------------

Foremost finished at Thu Mar 24 16:14:10 2011
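What foremost is doing underneath that listing is signature carving: it scans the raw image for known file headers, cuts each file at its footer (or at the type's maximum size when no footer is found) and names the result after the 512-byte block it starts in. That is why offset 133594112 came out as 00260926.jpg (133594112 / 512 = 260926), and why two gifs found inside block 294667 became 00294667.gif and 00294667_1.gif. The Python below is an added example of that technique written for this page, not foremost's own code. It builds a small constructed stand-in for pendrivex.raw containing a JPEG, two PNGs and a JPEG whose footer has been overwritten, carves them and prints an audit-style listing. The two-entry signature table, the maximum sizes and the sample files are my assumptions, not values taken from /etc/foremost.conf.

```python
"""Header/footer file carving over a raw image, the technique foremost applies.
Added example for this page, not foremost's own code: it builds a constructed
stand-in for pendrivex.raw, carves the JPEG/PNG files in it and names them the
way foremost's audit file does.
"""
import struct
import zlib

BLOCK_SIZE = 512  # foremost's default block size: the "bs=512" in the audit header

# Standard magic bytes for two of the types carved above (foremost keeps its own
# table in /etc/foremost.conf): (header, footer, maximum carve size). The maximum
# sizes are assumptions made for this example.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 1024 * 1024),
}


def _png_chunk(tag, data):
    """One PNG chunk: big-endian length, tag, data, CRC-32 over tag + data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def make_png(width, height):
    """A minimal valid 8-bit RGB PNG of the given size (constructed sample data)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = (b"\x00" + b"\x00\x00\x00" * width) * height  # filter byte + black pixels
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(scanlines)) + _png_chunk(b"IEND", b""))


def make_jpeg(payload_len):
    """SOI + APP0/JFIF marker + filler + EOI: enough structure for signature carving."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * payload_len + b"\xff\xd9"


def build_image():
    """Constructed stand-in for the dd image: sample files scattered over zeroed blocks.
    Returns the image and the {offset: bytes} map, so results can be checked."""
    image = bytearray(BLOCK_SIZE * 800)  # 400 KB of zeroed "disk"
    placed = {
        100 * BLOCK_SIZE: make_jpeg(600),          # block-aligned, as a freshly written file
        300 * BLOCK_SIZE + 37: make_png(15, 14),   # mid-block, like the gifs in the audit above
        300 * BLOCK_SIZE + 300: make_png(16, 16),  # same block as the previous one: name collision
        600 * BLOCK_SIZE: b"\xff\xd8\xff\xe1" + b"\x11" * 500,  # header whose footer is gone
    }
    for offset, data in placed.items():
        image[offset:offset + len(data)] = data
    return bytes(image), placed


def human_size(n):
    """foremost's size column: whole B / KB / MB."""
    if n < 1024:
        return f"{n} B"
    return f"{n // 1024} KB" if n < 1024 * 1024 else f"{n // (1024 * 1024)} MB"


def carve(image):
    """Find each header, cut at its footer, name the file by its starting block.
    Returns (name, size, offset, comment) tuples grouped by type, as the audit file is."""
    results, used = [], {}
    for ext, (header, footer, max_size) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            limit = min(start + max_size, len(image))
            end = image.find(footer, start + len(header), limit)
            comment = ""
            if ext == "png" and start + 24 <= len(image):  # IHDR width/height at bytes 16..24
                width, height = struct.unpack(">II", image[start + 16:start + 24])
                comment = f"({width} x {height})"
            if end == -1:
                # No footer in range: keep the fragment up to the type's maximum size
                # (or the end of the image) and flag it, rather than silently drop it.
                end = limit
                comment = (comment + " (no footer, truncated)").strip()
            else:
                end += len(footer)
            # Name = zero-padded number of the 512-byte block the file starts in:
            # offset 133594112 in the audit above is block 260926, hence 00260926.jpg.
            # A second file starting in the same block gets _1, _2, ... appended.
            base = f"{start // BLOCK_SIZE:08d}"
            dup = used.get((base, ext), 0)
            used[(base, ext)] = dup + 1
            results.append((f"{base}_{dup}.{ext}" if dup else f"{base}.{ext}", end - start, start, comment))
            pos = end  # resume after the carved file so its body is not rescanned
    return results


def audit_lines(image):
    """Render carve results in the column layout of foremost's audit.txt."""
    lines = [f"Num Name (bs={BLOCK_SIZE}) Size File Offset Comment"]
    for num, (name, size, offset, comment) in enumerate(carve(image)):
        lines.append(f"{num}: {name} {human_size(size)} {offset} {comment}".rstrip())
    return lines


if __name__ == "__main__":
    print("\n".join(audit_lines(build_image()[0])))
```

Running it prints a four-line listing in the same shape as the audit above: two jpg entries, then the two png entries with their pixel sizes and the _1 suffix on the second one. The JPEG whose footer is gone is kept with a "(no footer, truncated)" comment instead of being dropped, because a partial carve is often still worth opening. Two things the dd step above deserves that the post does not mention: the "2023424+0 records" means dd ran with its default 512-byte block size, which is why the copy crawled at 2.6 MB/s, so a larger bs= (plus conv=noerror,sync so a bad sector does not stop the copy) makes imaging faster and more robust; and running sha256sum on both /dev/sdb and pendrivex.raw before carving confirms that the image really is a faithful copy of the device.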



Soon we'll look at a few more tools.

Cheers,

JC
