recovering files

Let's say we accidentally deleted files from a disk (here a USB stick). How can we get them back?


Start with the lost+found directory at the root of the filesystem. fsck places orphaned inodes there, so it only helps if the filesystem was checked after the deletion; otherwise it is usually empty.


Next, find the block device behind the mount point and run strings against the raw device rather than the mounted filesystem. Deleting a file only unlinks it from the directory; its data blocks stay on disk until something overwrites them, so the content is usually still readable from the device.

/dev/sdb = /mnt/usb

We could do - strings /dev/sdb

This prints every printable string on the device, so it may take some searching through...


--------------------------------------------------------------------------------------------------------------------------
An alternative is to use xxd and grep out the junk, i.e. drop every hex-dump line that is all zeros (unused blocks):


xxd /dev/sdb | grep -v "0000 0000 0000 0000 0000 0000 0000 0000"


--------------------------------------------------------------------------------------------------------------------------
A further method is to use regular expressions with grep if we know something about the files we are looking for.

For example, if we are looking for a flag that is 32 characters long and alphanumeric with no spaces, that is a very specific pattern that will match little else, if anything at all. The -a flag tells grep to treat the binary device as text instead of just reporting "Binary file matches".

So we could do...

grep -a '[A-Za-z0-9]\{32\}' /dev/sdb

(The transcript below used [a-Z]. That range happens to be accepted in the Pi's locale but is rejected as an invalid range in the C locale; [A-Za-z0-9] is portable.)

Output:

root@raspberrypi:/lib/live/mount/persistence/sda2/root# grep -a '[a-Z0-9]\{32\}' /dev/sdb
|}*,.+-3d3e483143ff12ec505d026fa13e020b

We can also use this method to see the whole file content by asking grep to include lines of context before (-B) and after (-A) the match in our output.


Output:

root@raspberrypi:/lib/live/mount/persistence/sda2/root# grep -a '[a-Z0-9]\{32\}' -A 2 -B 2 /dev/sdb
+ !9;9Y3
        8PP
(["       1YS1Y
               <Byc[B)>r &<yZ.Gum^>
                                   1Y
|}*,.+-3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
root@raspberrypi:/lib/live/mount/persistence/sda2/root#
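The grep-based carving above, as an added example that is not part of the original post. It builds a small constructed image (a few KiB of zeros, some binary junk, a file name, a made-up 32-character token and a line of text) so it runs offline; on the real box you would pass /dev/sdb to the functions instead. It goes one step further than the page: grep -b gives the byte offset of the match, and dd can then carve the surrounding bytes so you can see which file the token belonged to.

```shell
#!/bin/sh
# Added example: carve a 32-char alphanumeric token out of a raw image.
# IMG, make_image and the sample contents are constructed for this demo.
set -eu

IMG="${IMG:-/tmp/carve_demo.img}"

# Constructed sample "device": 4 KiB of zeros, 6 bytes of binary junk,
# a file name, a made-up 32-char token, a line of text, 4 KiB of zeros.
make_image() {
    {
        dd if=/dev/zero bs=1024 count=4 2>/dev/null
        printf '\001\002\377\376\000\000'
        printf 'note.txt\n'
        printf '0123456789abcdef0123456789abcdef\n'
        printf 'Damnit! Sorry man I deleted your files.\n'
        dd if=/dev/zero bs=1024 count=4 2>/dev/null
    } > "$IMG"
}

# Print every 32-char alphanumeric run. [A-Za-z0-9] is portable; the
# page's [a-Z] depends on locale collation and fails in the C locale.
# -a treats the binary image as text, -o prints only the matching part.
find_tokens() {
    LC_ALL=C grep -ao '[A-Za-z0-9]\{32\}' "$1"
}

# 0-based byte offset of the first token. With -o, -b reports the
# offset of the matching part itself rather than of the whole line.
token_offset() {
    LC_ALL=C grep -abo '[A-Za-z0-9]\{32\}' "$1" | head -n 1 | cut -d: -f1
}

# Carve a window of bytes around an offset and make it printable, so we
# can see the file the token lived in without scrolling through strings.
# usage: carve_around IMAGE OFFSET BYTES_BEFORE BYTES_AFTER
carve_around() {
    start=$(( $2 - $3 ))
    if [ "$start" -lt 0 ]; then start=0; fi
    dd if="$1" bs=1 skip="$start" count=$(( $3 + $4 )) 2>/dev/null \
        | tr -c '[:print:]\n' '.'
}

# Demo run against the constructed image.
make_image
echo "tokens found:"
find_tokens "$IMG"
off=$(token_offset "$IMG")
echo "first token at byte offset $off; surrounding bytes:"
carve_around "$IMG" "$off" 9 60
```

On the real box the same calls are `find_tokens /dev/sdb` and `carve_around /dev/sdb "$(token_offset /dev/sdb)" 512 4096`; widen the window until the whole file is visible, or note the offset and pull the full block with a larger dd count.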

--------------------------------------------------------------------------------------------------------------------------

Another method is to take an image of the device and carve it with "binwalk". Working on an image also means we stop touching the original stick.
First check we have the tools..

dd
dcfldd - a forensic version of dd (adds progress output and on-the-fly hashing)

Next we log out of our ssh session on the Pi and run this from our own machine...

ssh pi@IP "sudo dcfldd if=/dev/sdb | gzip -1 -" | dcfldd of=pi.dd.gz

This logs in over ssh, reads the raw contents of /dev/sdb with dcfldd, gzip-compresses the stream on the Pi, and writes the compressed image locally.

We should now have a file called "pi.dd.gz" in the working directory on our local machine.

root@kali:/hacking/htb/boxes/10.10.10.48-MIRAI# ssh pi@10.10.10.48 "sudo dcfldd if=/dev/sdb | gzip -1 -" |dcfldd of=pi.dd.gz
pi@10.10.10.48's password:
256 blocks (8Mb) written.
320+0 records in
320+0 records out

0+3 records in
1+1 records out


This is good...

Next we look in our local directory and find the file 'pi.dd.gz'

root@local:/opt/# ls | grep "pi.*"
pi.dd.gz

Next we decompress it, which leaves us with the raw image pi.dd..

gunzip -d pi.dd.gz

Now we binwalk the raw image (-M recurses into anything it extracts, -e extracts what it finds):

binwalk -Me pi.dd

This creates a new local directory with the contents discovered.

Searching through the extracted directories turns up the same information we found with grep.

The directory looks similar to this "/_pi.dd.extracted"
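The imaging pipeline above, as an added example that is not part of the original post. The real procedure reads /dev/sdb over ssh; here the "device" is a constructed file and the remote side is a local function, so the script runs offline. What it adds is the check a practitioner wants before carving: hash the device at the source and hash the decompressed image locally, and only trust the image if the two match (dcfldd's hash=sha256 hashlog=... option gives you the source hash for free on the real box; sha256sum stands in for it here). WORK, DEV and the sample contents are assumptions made for this demo.

```shell
#!/bin/sh
# Added example: image a device through a compressed pipe and verify the
# copy before carving it. DEV is a constructed file standing in for /dev/sdb.
set -eu

WORK="${WORK:-/tmp/image_demo}"
DEV="$WORK/fake_sdb"

# Constructed sample device: 8 KiB of zeros with one line of text inside.
make_device() {
    mkdir -p "$WORK"
    {
        dd if=/dev/zero bs=1024 count=4 2>/dev/null
        printf 'flag-like text lives here\n'
        dd if=/dev/zero bs=1024 count=4 2>/dev/null
    } > "$DEV"
}

# What the ssh side does: read the raw device and compress on the fly.
# On the real box this is "sudo dcfldd if=/dev/sdb | gzip -1 -".
remote_side() {
    dd if="$DEV" bs=4096 2>/dev/null | gzip -1 -
}

# Hash computed at the source, before compression or transfer.
# dcfldd hash=sha256 does this inline; here we hash the device file.
remote_hash() {
    sha256sum < "$DEV" | cut -d' ' -f1
}

# Local side: receive the stream, decompress it, and compare hashes.
# Returns 0 only if the decompressed image matches the source byte for byte.
pull_and_verify() {
    remote_side > "$WORK/pi.dd.gz"
    gzip -dc "$WORK/pi.dd.gz" > "$WORK/pi.dd"
    local_hash=$(sha256sum < "$WORK/pi.dd" | cut -d' ' -f1)
    [ "$local_hash" = "$(remote_hash)" ]
}

# Size of the decompressed image in bytes.
image_size() {
    wc -c < "$WORK/pi.dd" | tr -d ' '
}

make_device
if pull_and_verify; then
    echo "image verified: $(image_size) bytes, sha256 $(remote_hash)"
    # Carve the verified copy, never the original stick, e.g.:
    #   binwalk -Me "$WORK/pi.dd"     (creates _pi.dd.extracted/)
    #   grep -a '[A-Za-z0-9]\{32\}' "$WORK/pi.dd"
else
    echo "hash mismatch: do not trust this image" >&2
    exit 1
fi
```

A mismatch usually means the device was still mounted and changing while it was read, or the transfer was cut short; either way re-image before spending time carving, because binwalk and grep will happily return partial results from a truncated image.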
