7/31/2019 Use Photorec to Carve for Files With Linux Ubuntu 12.04
Use PhotoRec to Carve for Files With Linux Ubuntu 12.04
Carlos Cajigas MSc, EnCE, CFCE
While examining the contents of an external hard drive in a recent case, I came across the need to recover videos from the unallocated area of the drive. Interestingly enough, the videos in question were in the form of ISO images. When my preferred commercial carving tool didn't offer an option to carve for ISOs, PhotoRec did.
PhotoRec is an open source tool that you can use for free. It was originally designed to recover photos, hence the name, but can now carve for over 250 different kinds of files. Carving is the process of looking for file headers and file footers, and then "carving out" the data blocks between those two boundaries. You can use PhotoRec to carve for files even if your media has been reformatted. PhotoRec is a companion to our previously discussed program, called Testdisk. PhotoRec comes preinstalled in Linux Live DVDs like Blackbuntu. For the purposes of this article, I used an examination computer with Ubuntu 12.04 installed on it.
The goal:
The plan is to recreate the steps that will lead to us being able to carve a file from the unallocated area of our drive. We are going to add a file to a volume and then delete it, to simulate the file being in unallocated space. Finally, we will use PhotoRec to carve for our file.
Installing the tools:
All of the tools that we will use are either included in Ubuntu by default, or can be downloaded from the Ubuntu Software Center. The tools that we will need to recreate the test are shred, dd, Gparted, and PhotoRec. Shred and dd are already in Ubuntu, so let's head over to the Ubuntu Software Center for the other tools.
Click on the Dash Home circle, located on the top left of your screen, type in
software and click on the Ubuntu Software Center icon that will appear.
After the Ubuntu Software Center opens, you will see a search box on the top-
right corner of your screen. Type testdisk and click on the install button. PhotoRec
comes bundled with it. You will be prompted for your root password. Enter your root
password and wait for the program to install.
Once Testdisk (PhotoRec) is installed, search for Gparted. Install Gparted as
well.
Now that you have the tools we need, close the Ubuntu Software Center. The next step is to prepare a working folder for our files. Go to your desktop, right click on your desktop and select create new folder, and name it Test. Copy one single jpg picture into it. I chose to work with a jpg picture because it would be easier to locate a random jpg than an iso for this test. The steps required for recovering a jpg and/or an iso using PhotoRec are exactly the same.
The test:
For the test I will be using a 256MB Flash Drive. When testing software, smaller drives take less time to wipe.
Since we are going to be adding data to our test media and then examining it, we
should sterilize it. Sterilizing a drive is the process of writing a known hex value to every
sector of a piece of media so that it can overwrite any and all data that previously
resided on that piece of media. For the purposes of this article, we will be using the
program Shred. Shred is only run from the command line. Make sure your test media
is inserted into the computer and open a Terminal Window. In Ubuntu you can
accomplish this by pressing Ctrl-Alt-T at the same time or by going to the Dash Home
and typing in terminal.
Once the terminal window is open, type the following into the terminal to determine which device letter Ubuntu assigned to the test media.
sudo fdisk -l
Fdisk is a partition table manipulator for Linux. The flag -l tells fdisk to list the
partition table. Sudo gives fdisk superuser privileges for the operations. Press enter
and type your root password (if needed).
Ubuntu assigned the media as sdb. sdb1 is the partition currently stored on the media. Do not pay much attention to it, as we will be wiping it shortly.
Now that we know the media's drive assignment, type the following into the
terminal to wipe/sterilize it.
sudo shred -v -n 0 -z /dev/sdb
Shred is the wiping program. The flag -v shows the progress. The flag -n N overwrites with random data N times instead of the default 3; I wrote 0 because I didn't want to overwrite the drive with random data. The -z flag adds a final overwrite with zeros to hide shredding. For the purposes of this test one overwrite with zeros is all that we need. /dev/sdb is the test media. Sudo gives shred superuser privileges for the operations. Press enter and type your root password (if needed).
Our media has been successfully sterilized by writing zeros to the entire drive,
from the first sector to the last. Now we need to format the media. Remove the media
from the computer and insert it back into the computer. Type the following into the
terminal window.
sudo gparted
Gparted is a GNOME partition editor for manipulating disk partitions. A GUI for Gparted will open up. Make sure that you select your test media; it should be the /dev/sdb device. Format the media as NTFS.
Now that the drive is formatted, copy the jpg file from the Test folder into the
media.
This is my TestPicture.jpg
After the jpg has been copied to your media, delete it.
The test media is now ready.
Now, navigate to the previously created Test folder on the desktop. We will use the cd command to change directory into the Test folder on the desktop. Type the following into the terminal.
cd /home/carlos/Desktop/Test/
Replace carlos with the name of the user account you are currently logged on
as. After doing so, press enter. You should receive these results.
Type the following into the terminal.
sudo dd if=/dev/sdb of=testimage.dd
dd is a common Linux program whose primary purpose is the low-level copying and conversion of raw data. The if= tells dd which file to read from, and the of= tells dd which file to write to. Sudo gives dd superuser privileges for the operations. Press enter and type your root password (if needed).
This action will copy all the sectors on the media into a file named testimage.dd in our current directory, which is the Test folder.
Now that we have an image of the test media, you can remove the media from the computer. Type the following into the terminal.
sudo photorec testimage.dd
We finally get to PhotoRec. PhotoRec is a file carving tool for Windows, Mac and Linux. It is a terminal based tool that can be manipulated with the use of the up, down, left and right arrows and enter to proceed. Press Q at any time to go back or exit the program. PhotoRec recognizes physical hard drives in the computer as well as USB storage devices. Or, like in this case, you can point PhotoRec to your image file and it will recognize it as well. Press enter to proceed.
Using the right arrow, highlight the [File Opt] at the bottom of the screen and
press enter.
In this screen you will be able to select the file type(s) that you want to carve for. You can select as many as you want. Look at the list; it is extensive. Use the down arrow to find the "jpg JPG picture" option. Highlight the option and press the spacebar to place an x in the bracket, which will select the option for carving.
Once this is done, press b to save the settings. You will get a confirmation that
the settings were recorded successfully.
Press enter twice and you will be brought back to the main screen. Using your up and down arrows, tell PhotoRec to carve for files on the [Whole disk]. Once this is done, use the left arrow to select the [ Search ] option and press enter.
Tell PhotoRec the file system type where the file is currently stored.
And finally tell PhotoRec where to save the carved files. I told it to save the files
to my Test folder on the Desktop. When the destination is correct, start the carving
process by pressing C.
PhotoRec carved one file from our image, and saved it in the Test folder under a
directory called recup_dir.
Now open Nautilus and navigate to recup_dir inside of the Test folder on the Desktop to see what PhotoRec carved. Nautilus is the file manager for the GNOME desktop environment. You can launch Nautilus by left clicking on the folder-shaped icon in your task bar.
PhotoRec successfully carved our jpg file. The file name assigned to the file
starts with an f followed by a number. That number is the first physical sector where
the file resides on the media.
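To show what a header/footer carver like PhotoRec is doing with testimage.dd and why the recovered file is named after a sector, here is an added Python example (written for this article; it is not PhotoRec's code and not from the original author). It scans a raw image for JPEG SOI/EOI markers, carves the bytes between them, and names each file f<first sector>.jpg; the 512-byte sector size, the 7-digit zero padding and the constructed test image are assumptions.

```python
import os
from typing import List, Tuple

SECTOR_SIZE = 512               # assumed sector size of the imaged flash drive
JPEG_HEADER = b"\xff\xd8\xff"   # SOI marker plus the 0xFF that opens the next segment
JPEG_FOOTER = b"\xff\xd9"       # EOI marker
MAX_JPEG = 8 * 1024 * 1024      # a header whose footer is further away than this is skipped


def carve_jpegs(image: bytes) -> List[Tuple[int, bytes]]:
    """Return (byte offset, data) for each header..footer span found in a raw image.
    Caveat: a JPEG with an embedded EXIF thumbnail carries an inner FFD9, so this
    naive scan would truncate it there; careful carvers walk the marker structure."""
    found, pos = [], 0
    while (start := image.find(JPEG_HEADER, pos)) != -1:
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER))
        if end == -1 or end - start > MAX_JPEG:
            pos = start + 1          # no plausible footer for this header: move on
            continue
        end += len(JPEG_FOOTER)
        found.append((start, image[start:end]))
        pos = end                    # resume scanning after the carved file
    return found


def photorec_style_name(offset: int, ext: str = "jpg") -> str:
    """f<first sector>.<ext>, as in recup_dir; the 7-digit padding is an assumption."""
    return f"f{offset // SECTOR_SIZE:07d}.{ext}"


def carve_image_file(image_path: str, out_dir: str) -> List[str]:
    """Carve a dd image (e.g. testimage.dd) into out_dir and return the file names."""
    with open(image_path, "rb") as fh:
        image = fh.read()
    os.makedirs(out_dir, exist_ok=True)
    names = []
    for offset, data in carve_jpegs(image):
        name = photorec_style_name(offset)
        with open(os.path.join(out_dir, name), "wb") as out:
            out.write(data)
        names.append(name)
    return names


def build_test_image() -> bytes:
    """Constructed stand-in for testimage.dd: zero-filled sectors (what shred -z leaves)
    with two minimal JPEG-like blobs sitting in unallocated space, no file system."""
    jpeg_a = JPEG_HEADER + b"\xe0\x00\x10JFIF\x00" + b"A" * 300 + JPEG_FOOTER
    jpeg_b = JPEG_HEADER + b"\xe0\x00\x10JFIF\x00" + b"B" * 700 + JPEG_FOOTER
    image = bytearray(64 * SECTOR_SIZE)                      # 32 KB of zeros
    image[4 * SECTOR_SIZE:4 * SECTOR_SIZE + len(jpeg_a)] = jpeg_a        # starts in sector 4
    off_b = 10 * SECTOR_SIZE + 200                           # unaligned start, sector 10
    image[off_b:off_b + len(jpeg_b)] = jpeg_b
    return bytes(image)
```

Running carve_image_file("testimage.dd", "recup_dir") on the constructed image yields f0000004.jpg and f0000010.jpg, the same naming scheme as the carved file in the Nautilus view above.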
Conclusion:
PhotoRec was able to carve the file that was written to and deleted from our test
media. This is a powerful and free tool that can carve for many files and be a good
supplement to your other carving tools.
If this procedure worked for your case, and you are able to use it in the course of
your investigation, we would like to hear from you. Please post your comments or email
the author of this article at [email protected].