hacktricks/forensics/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md

128 lines
6.5 KiB
Markdown
Raw Normal View History

2022-05-01 16:32:23 +00:00
2022-04-28 16:01:33 +00:00
<details>
2023-04-05 12:02:54 +00:00
<summary><strong>HackTricks in </strong><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
2022-04-28 16:01:33 +00:00
2022-12-05 22:29:21 +00:00
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
2022-04-28 16:01:33 +00:00
</details>
2022-05-01 16:32:23 +00:00
# Carving & Recovery tools
2021-05-28 17:53:46 +00:00
More tools in [https://github.com/Claudio-C/awesome-datarecovery](https://github.com/Claudio-C/awesome-datarecovery)
2022-05-01 16:32:23 +00:00
## Autopsy
2021-05-28 17:53:46 +00:00
The most common tool used in forensics to extract files from images is [**Autopsy**](https://www.autopsy.com/download/). Download it, install it and make it ingest the file to find "hidden" files. Note that Autopsy is built to support disk images and other kinds of images, but not simple files.
2021-05-28 17:53:46 +00:00
2022-05-01 16:32:23 +00:00
## Binwalk <a href="#binwalk" id="binwalk"></a>
2021-05-28 17:53:46 +00:00
2021-11-30 16:46:07 +00:00
**Binwalk** is a tool for searching binary files like images and audio files for embedded files and data.\
It can be installed with `apt` however the [source](https://github.com/ReFirmLabs/binwalk) can be found on github.\
2021-05-28 17:53:46 +00:00
**Useful commands**:
```bash
sudo apt install binwalk #Insllation
binwalk file #Displays the embedded data in the given file
binwalk -e file #Displays and extracts some files from the given file
binwalk --dd ".*" file #Displays and extracts all files from the given file
```
2022-05-01 16:32:23 +00:00
## Foremost
2021-05-28 17:53:46 +00:00
Another common tool to find hidden files is **foremost**. You can find the configuration file of foremost in `/etc/foremost.conf`. If you just want to search for some specific files uncomment them. If you don't uncomment anything foremost will search for its default configured file types.
2021-05-28 17:53:46 +00:00
```bash
sudo apt-get install foremost
foremost -v -i file.img -o output
#Discovered files will appear inside the folder "output"
```
2022-05-01 16:32:23 +00:00
## **Scalpel**
2021-05-28 17:53:46 +00:00
**Scalpel** is another tool that can be used to find and extract **files embedded in a file**. In this case, you will need to uncomment from the configuration file (_/etc/scalpel/scalpel.conf_) the file types you want it to extract.
2021-05-28 17:53:46 +00:00
```bash
sudo apt-get install scalpel
scalpel file.img -o output
```
2022-05-01 16:32:23 +00:00
## Bulk Extractor
2021-05-28 17:53:46 +00:00
2021-11-30 16:46:07 +00:00
This tool comes inside kali but you can find it here: [https://github.com/simsong/bulk\_extractor](https://github.com/simsong/bulk\_extractor)
2021-05-28 17:53:46 +00:00
This tool can scan an image and will **extract pcaps** inside it, **network information (URLs, domains, IPs, MACs, mails)** and more **files**. You only have to do:
2021-05-28 17:53:46 +00:00
```
2021-05-28 17:53:46 +00:00
bulk_extractor memory.img -o out_folder
```
2021-11-30 16:46:07 +00:00
Navigate through **all the information** that the tool has gathered (passwords?), **analyse** the **packets** (read[ **Pcaps analysis**](../pcap-inspection/)), search for **weird domains** (domains related to **malware** or **non-existent**).
2021-05-28 17:53:46 +00:00
2022-05-01 16:32:23 +00:00
## PhotoRec
2021-05-28 17:53:46 +00:00
2021-11-30 16:46:07 +00:00
You can find it in [https://www.cgsecurity.org/wiki/TestDisk\_Download](https://www.cgsecurity.org/wiki/TestDisk\_Download)
2021-05-28 17:53:46 +00:00
It comes with GUI and CLI versions. You can select the **file-types** you want PhotoRec to search for.
2021-05-28 17:53:46 +00:00
![](<../../../.gitbook/assets/image (524).png>)
2021-05-28 17:53:46 +00:00
2022-05-01 16:32:23 +00:00
## binvis
2022-02-23 15:32:10 +00:00
Check the [code](https://code.google.com/archive/p/binvis/) and the [web page tool](https://binvis.io/#/).
2022-05-01 16:32:23 +00:00
### Features of BinVis
2022-02-23 15:32:10 +00:00
* Visual and active **structure viewer**
* Multiple plots for different focus points
* Focusing on portions of a sample
* **Seeing stings and resources**, in PE or ELF executables e. g.
* Getting **patterns** for cryptanalysis on files
* **Spotting** packer or encoder algorithms
* **Identify** Steganography by patterns
* **Visual** binary-diffing
2022-02-23 15:32:10 +00:00
BinVis is a great **start-point to get familiar with an unknown target** in a black-boxing scenario.
2022-05-01 16:32:23 +00:00
# Specific Data Carving Tools
2021-05-28 17:53:46 +00:00
2022-05-01 16:32:23 +00:00
## FindAES
2021-05-28 17:53:46 +00:00
Searches for AES keys by searching for their key schedules. Able to find 128. 192, and 256 bit keys, such as those used by TrueCrypt and BitLocker.
Download [here](https://sourceforge.net/projects/findaes/).
2022-05-01 16:32:23 +00:00
# Complementary tools
2021-05-28 17:53:46 +00:00
You can use [**viu** ](https://github.com/atanunq/viu)to see images from the terminal.\
2021-05-28 17:53:46 +00:00
You can use the linux command line tool **pdftotext** to transform a pdf into text and read it.
2022-04-28 16:01:33 +00:00
2022-05-01 16:32:23 +00:00
2022-04-28 16:01:33 +00:00
<details>
2023-04-05 12:02:54 +00:00
<summary><strong>HackTricks in </strong><a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
2022-04-28 16:01:33 +00:00
2022-09-09 11:28:04 +00:00
- **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
2022-04-28 16:01:33 +00:00
2022-12-05 22:29:21 +00:00
- **Share your hacking tricks by submitting PRs to the [hacktricks repo](https://github.com/carlospolop/hacktricks) and [hacktricks-cloud repo](https://github.com/carlospolop/hacktricks-cloud)**.
2022-04-28 16:01:33 +00:00
</details>
2022-05-01 16:32:23 +00:00