Forensics Basics Walkthrough

This is a forensics walkthrough for L33TZone.org, written by AnonymousFigure.


We will be working with a flash drive that has been partitioned to 40 MB.

In this walkthrough we are going to recover the information that has been deleted from it.

Notes - we are using Kali Linux; the tools we use come pre-installed with this distro.

We copied the information to the flash drive, then deleted it afterwards.





First, plug in the flash drive.



Open a terminal and list all the disks that are plugged in.

fdisk -l



First we will make a copy of the disk so the original does not get corrupted while we are working on it.

dcfldd is good for cloning and is used to make a forensic copy of your drive. dd_rescue can be used to rescue images from a formatted drive.


dcfldd if=/dev/sdb1 of=theimageiamcoping.dd



How to mount the image after copying: first make a folder for it under /mnt, then mount the image there, then view its contents. You can use this for cloning an image.


mkdir /mnt/recovery

mount /root/theimageiamcoping.dd /mnt/recovery

cd /mnt

ls



Then you can run foremost on the copied image.


foremost -t all -v -i /root/theimageiamcoping.dd -o <output directory>



We wrote all the recovered files to a folder named a on the desktop. Let's go check it out.





As you can see, it was very successful at recovering the deleted information.


Another way to recover JPEGs is with recoverjpeg. Move to the directory where you would like the images to be saved.


cd /root/Desktop/

mkdir recoveredjpegs

cd recoveredjpegs


Execute recoverjpeg on the .dd image.


recoverjpeg /root/theimageiamcoping.dd
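Both foremost and recoverjpeg work by file carving: they ignore the filesystem and scan the raw image for known file headers and footers, which is why deleted files come back even though their directory entries are gone. The following is an added example, not part of the original walkthrough or of either tool, showing a minimal JPEG carver over a constructed in-memory image, with a SHA-256 of each carved file so results can be documented. The sample bytes and the function names are my own.

```python
import hashlib
from pathlib import Path

# JPEG start-of-image marker (FF D8 FF) and end-of-image marker (FF D9).
SOI = b"\xff\xd8\xff"
EOI = b"\xff\xd9"

def build_sample_image() -> bytes:
    """Constructed stand-in for a .dd image: filler bytes with two JPEG-like blobs."""
    jpeg1 = SOI + b"\xe0" + b"JFIF-body-one" + EOI
    jpeg2 = SOI + b"\xe1" + b"Exif-body-two" + EOI
    return b"\x00" * 512 + jpeg1 + b"\x00" * 128 + jpeg2 + b"\xff" * 64

def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Return (offset, data) for every header/footer pair found in the image.

    A header with no footer within max_size bytes is skipped, so a stray
    FF D8 FF in unrelated data does not swallow the rest of the image.
    """
    found = []
    pos = 0
    while True:
        start = image.find(SOI, pos)
        if start == -1:
            break
        end = image.find(EOI, start + len(SOI))
        if end == -1 or end - start > max_size:
            pos = start + 1          # false header: keep scanning past it
            continue
        end += len(EOI)
        found.append((start, image[start:end]))
        pos = end                    # resume after the carved file
    return found

def write_carved(image: bytes, out_dir: Path) -> list:
    """Write each carved JPEG as <offset>.jpg and return (path, sha256) pairs."""
    out_dir.mkdir(parents=True, exist_ok=True)
    results = []
    for offset, data in carve_jpegs(image):
        path = out_dir / f"{offset:08x}.jpg"
        path.write_bytes(data)
        results.append((str(path), hashlib.sha256(data).hexdigest()))
    return results

if __name__ == "__main__":
    for path, digest in write_carved(build_sample_image(), Path("carved")):
        print(path, digest)
```

A real JPEG with an EXIF thumbnail contains a second FF D9 inside the thumbnail, so this naive scan would truncate it; foremost and recoverjpeg parse the segment structure to avoid that.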


That is the end of this lesson. Thank you for tuning in.

Last modified: Friday, 11 March 2016, 5:47 AM