Let's say we accidentally deleted files from the HDD. How can we get them back?
Start with the lost+found directory.
Next, find which block device the USB stick is mounted from and run strings against the device itself (not the mount point).
/dev/sdb = /mnt/usb
We could do - strings /dev/sdb
This will show us every printable string written to the device, so it may take some searching through...
--------------------------------------------------------------------------------------------------------------------------
An alternative is to use xxd and grep out the junk (the all-zero rows):
xxd /dev/sdb | grep -v "0000 0000 0000 0000 0000 0000 0000 0000"
--------------------------------------------------------------------------------------------------------------------------
A further method is to use regular expressions with grep if we know something about the files we are looking for.
For example, if we are looking for a flag that is 32 characters long and alphanumeric with no spaces, then this is a very specific type of match that wouldn't match much else, if anything at all.
So we could do...
grep -a '[a-zA-Z0-9]\{32\}' /dev/sdb
(Written [a-zA-Z0-9] rather than [a-Z0-9]: the latter is a locale-dependent range that grep rejects outright in the C locale.)
Output:
root@raspberrypi:/lib/live/mount/persistence/sda2/root# grep -a '[a-Z0-9]\{32\}' /dev/sdb
|}*,.+-3d3e483143ff12ec505d026fa13e020b
We can also use this method to see the surrounding file content by including lines before and after the match in our output (-B and -A).
Output:
root@raspberrypi:/lib/live/mount/persistence/sda2/root# grep -a '[a-Z0-9]\{32\}' -A 2 -B 2 /dev/sdb
+ !9;9Y3
8PP
([" 1YS1Y
<Byc[B)>r &<yZ.Gum^>
1Y
|}*,.+-3d3e483143ff12ec505d026fa13e020b
Damnit! Sorry man I accidentally deleted your files off the USB stick.
Do you know if there is any way to get them back?
root@raspberrypi:/lib/live/mount/persistence/sda2/root#
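The three raw-device searches above (strings, xxd with the zero rows filtered, and grep -a with and without context), reproduced as an added example that is not code from the original post. A constructed image file stands in for /dev/sdb so it runs without a USB stick; the token and text inside it are constructed sample values. In practice you would run these against an image of the stick rather than the live device, because every write to the stick risks overwriting the deleted data you are after.

```shell
#!/bin/sh
# Added example, not from the original post. A constructed image file
# stands in for /dev/sdb; the embedded text and token are sample values.
set -eu

# Build the constructed image: 4 KiB of zeroed sectors, a deleted-file
# fragment, then 4 KiB of zeroed sectors.
make_image() {
    img="$1"
    dd if=/dev/zero bs=1024 count=4 of="$img" 2>/dev/null
    printf 'Sorry, I deleted your files.\n' >>"$img"
    printf '0123456789abcdef0123456789abcdef\n' >>"$img"   # constructed 32-char token
    printf 'Any way to get them back?\n' >>"$img"
    dd if=/dev/zero bs=1024 count=4 2>/dev/null >>"$img"
}

# Equivalent of `strings -n 8 image`: every printable run of 8+ bytes.
# Done with tr so it works even where binutils' strings is not installed.
list_strings() {
    tr -c '[:print:]' '\n' <"$1" | grep -E '^.{8,}$'
}

# Equivalent of `xxd image | grep -v "0000 0000 ..."`: hex dump with the
# all-zero 16-byte rows removed, falling back to od when xxd is absent.
nonzero_rows() {
    if command -v xxd >/dev/null 2>&1; then
        xxd "$1" | grep -v '0000 0000 0000 0000 0000 0000 0000 0000'
    else
        od -A x -t x1 -v "$1" | grep -v -E '^[0-9a-f]+( 00){16}$'
    fi
}

# The regex search. -a treats the binary image as text, -o prints only the
# match. [[:alnum:]]{32} replaces the post's [a-Z0-9] range, which is
# locale dependent and rejected by grep in the C locale.
carve_tokens() {
    grep -a -o -E '[[:alnum:]]{32}' "$1"
}

# Same match with one line of context either side (-B/-A); non-printable
# bytes are stripped so the surrounding file text is readable.
carve_with_context() {
    grep -a -E -B 1 -A 1 '[[:alnum:]]{32}' "$1" | tr -cd '[:print:]\n'
}

img=$(mktemp)
make_image "$img"
echo "== strings =="; list_strings "$img"
echo "== non-zero rows =="; nonzero_rows "$img"
echo "== token =="; carve_tokens "$img"
echo "== token with context =="; carve_with_context "$img"
rm -f "$img"
```

Point any of the functions at a real image file (for example the pi.dd produced later in the post) to get the same output the post shows from /dev/sdb; the -o flag is the one addition worth keeping, since it prints just the 32-character match instead of the whole multi-kilobyte "line" of padding that contains it.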
--------------------------------------------------------------------------------------------------------------------------
Another method is to use "binwalk".
First check we have a few tools:
dd
dcfldd - a forensics-oriented version of dd
Next we log out of our ssh session and, from our own box, run...
ssh pi@IP "sudo dcfldd if=/dev/sdb | gzip -1 -" | dcfldd of=pi.dd.gz
This logs in over ssh, reads the contents of /dev/sdb with dcfldd, gzips the stream on the remote side and writes it to a local file.
We should now have a file called "pi.dd.gz" in the working directory of our box.
root@kali:/hacking/htb/boxes/10.10.10.48-MIRAI# ssh pi@10.10.10.48 "sudo dcfldd if=/dev/sdb | gzip -1 -" |dcfldd of=pi.dd.gz
pi@10.10.10.48's password:
256 blocks (8Mb) written.
320+0 records in
320+0 records out
0+3 records in
1+1 records out
--------------------------------------------------------------------------------------------------------------------------
This is good...
Next we look in our local directory and find the file 'pi.dd.gz':
root@local:/opt/# ls | grep "pi.*"
pi.dd.gz
Next we decompress it:
gunzip -d pi.dd.gz
Now we binwalk the decompressed image (gunzip leaves it as pi.dd):
binwalk -Me pi.dd
This creates a new local directory with the contents discovered (-e extracts what binwalk identifies, -M recurses into anything it extracts).
We search through the directories and find the same information.
The directory looks similar to this: "/_pi.dd.extracted"
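The imaging step (device -> gzip -> local file -> gunzip -> carve), mirrored locally as an added example that is not code from the original post. A constructed file stands in for /dev/sdb, plain dd stands in for dcfldd and the ssh hop is left out so it runs offline. It goes beyond the post in two ways a practitioner wants: a hash check that the decompressed image is byte-identical to the source (a dropped ssh connection otherwise leaves a quietly truncated pi.dd.gz), and a minimal gzip-signature carver that shows what binwalk does for one file type. The "device" contents and the compressed note inside it are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the original post. The "device" is a constructed
# file; dd replaces dcfldd and the ssh hop is omitted so this runs offline.
set -eu

# Constructed "device": 2 KiB zeros, a deleted gzip-compressed note, 2 KiB zeros.
make_device() {
    dev="$1"
    dd if=/dev/zero bs=1024 count=2 of="$dev" 2>/dev/null
    printf 'shopping list: milk, eggs\n' | gzip -c >>"$dev"
    dd if=/dev/zero bs=1024 count=2 2>/dev/null >>"$dev"
}

# The post's pipeline, locally: read the device, gzip -1 the stream, write it.
# On a real box the read runs remotely under ssh and feeds the same gzip.
image_device() {
    dd if="$1" bs=4096 2>/dev/null | gzip -1 -c >"$2"
}

# Decompress the transferred .gz and confirm the result is byte-identical to
# the source (sha256sum from coreutils assumed). Returns 0 on match, 1 if the
# transfer was truncated or corrupted.
verify_image() {
    gzip -dc "$2" >"$3"
    src=$(sha256sum "$1" | cut -d' ' -f1)
    dst=$(sha256sum "$3" | cut -d' ' -f1)
    [ "$src" = "$dst" ]
}

# Byte offsets of every gzip magic (1f 8b 08) in the image: the signature
# scan binwalk performs, reduced to one file type. od emits one byte per
# line; awk keeps the previous two bytes to spot the three-byte sequence.
find_gzip_offsets() {
    od -An -t x1 -v -w1 "$1" |
      awk '{ if (p2 == "1f" && p1 == "8b" && $1 == "08") print NR - 3; p2 = p1; p1 = $1 }'
}

# Carve the member at an offset: dd skips to the magic, gzip decompresses it
# and stops at the member's end. Its exit status 2 ("trailing garbage
# ignored", for the padding after the member) is expected, not a failure.
carve_gzip_at() {
    dd if="$1" bs=1 skip="$2" 2>/dev/null | gzip -dc 2>/dev/null || [ $? -eq 2 ]
}

work=$(mktemp -d)
make_device "$work/sdb"
image_device "$work/sdb" "$work/pi.dd.gz"
verify_image "$work/sdb" "$work/pi.dd.gz" "$work/pi.dd" && echo "image verified"
for off in $(find_gzip_offsets "$work/pi.dd"); do
    echo "gzip member at byte $off:"
    carve_gzip_at "$work/pi.dd" "$off"
done
# With binwalk installed the same image is handled by: binwalk -Me "$work/pi.dd"
rm -rf "$work"
```

On a real box the source-side hash comes cheaply from dcfldd itself (its hash=sha256 and hashlog= options hash the data as it is read), so the remote command in the post can record it without a second pass over the stick; compare that value with sha256sum of the local pi.dd before spending time carving, because binwalk will happily extract from a half-transferred image and you will not know what is missing.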