recovering files

Lets say we accidentally deleted files from the HDD how can we get them back?

start with - lost+found Directory

next where the device is mounted we can use strings against it.

/dev/sdb = /mnt/usb

we could do - strings /dev/sdb

This will shows us every command in written so might take some searching through...

alternative is to use xxd and grep out the junk

xxd /dev/sdb | gerp -v "0000 0000 0000 0000 0000 0000 0000 0000"

A further method is to use regular expressions with Grep if we have something knowledgeable about the files we are looking for.

For example, if we are looking for a flag that is 32 characters long that is also alphanumeric with no spaces then this would be a very specific typ of match that would match much else if anythign at all.

so we could do...

grep -a '[a-Z0-9]\{32\}' /dev/sdb


root@raspberrypi:/lib/live/mount/persistence/sda2/root# grep -a '[a-Z0-9]\{32\}' /dev/sdb

We can also use this method to see the whole file content by adding lines before and after to be included in our output.


root@raspberrypi:/lib/live/mount/persistence/sda2/root# grep -a '[a-Z0-9]\{32\}' -A 2 -B 2 /dev/sdb
+ !9;9Y3
(["       1YS1Y
               <Byc[B)>r &<yZ.Gum^>
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?


Another method is by using "binwalk"
First check we have a few files..

dcfldd - a more forensic version of dd

Next we logout of our ssh session and run...

ssh pi@IP "sudo dcfldd if=/dev/sdb | gzip -1 -" | dcfldd of=pi.dd.gz

This will login over ssh, take the contents of /dev/sdb and zip up the output.

we should have a file now call "pi.dd.gz" in the working directory of the box.

root@kali:/hacking/htb/boxes/ ssh pi@ "sudo dcfldd if=/dev/sdb | gzip -1 -" |dcfldd of=pi.dd.gz
pi@'s password:
256 blocks (8Mb) written.
320+0 records in
320+0 records out

0+3 records in
1+1 records out

This is good...

Next we look in our local directory and find the file 'pi.dd.gz'

root@local:/opt/# ls | grep "pi.*"

next we decompress it..

gunzip -d pi.dd.gz

now we binwalk it

binwalk -Me pi.dd.gz

This creates a new local directory with the contents discovered.

We search through the directories and find the same information

Directory looks similar to this "/_pi.dd.extracted"

No comments:

Post a Comment