ComputerSecurityStudent (CSS) [Login] [Join Now]


|FORENSICS >> File Recovery >> Foremost >> Current Page |Views: 25927

(Foremost: Lesson 1)

{ Recovering Pictures from a NTFS File System }

Section 0. Background Information
  1. Foremost 
    • Foremost is a Linux based program data for recovering deleted files and served as the basis for the more modern Scalpel. The program uses a configuration file to specify headers and footers to search for. Intended to be run on disk images, foremost can search through most any kind of data without worrying about the format.
    • http://www.forensicswiki.org/wiki/Foremost

  2. Lab Notes
    • In this lab we will do the following:
      1. Download an NTFS image that contains 7 deleted files.
      2. Use Foremost to extract the 7 deleted files
      3. Mount the NTFS image
      4. Use basic find command to search for hidden file types.

  3. Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • Your are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2013 No content replication of any kind is allowed without express written permission.

 

Section 1: Start Up the BackTrack5R1 VM
  1. Start Up VMWare Player
    • Instructions:
      1. Click the Start Button
      2. Type Vmplayer in the search box
      3. Click on Vmplayer

     

  2. Open a Virtual Machine
    • Instructions:
      1. Click on Open a Virtual Machine

     

  3. Open the BackTrack5R1 VM
    • Instructions:
      1. Navigate to where the BackTrack5R1 VM is located
      2. Click on on the BackTrack5R1 VM
      3. Click on the Open Button

     

  4. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  5. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

     

  6. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  7. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  8. Bring up the GNOME
    • Instructions:
      1. Type startx

     

  9. Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  10. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.108.
      • In your case, it will probably be different.

 

Section 2: Download NTFS Practice Image
  1. Download Image File
    • Instructions:
      1. mkdir -p /var/tmp/images
      2. cd /var/tmp/images
      3. wget "http://downloads.sourceforge.net/project/dftt/Test%20Images/8_%20JPEG%20Search%20%231/8-jpeg-search.zip?r=&ts=1360866482&use_mirror=iweb" -O 8-jpeg-search.zip
    • Note(FYI):
      • Copy and paste the above wget line instead of retyping it.

     

  2. Unzip Image File
    • Instructions:
      1. ls -l
      2. unzip 8-jpeg-search.zip
      3. cd 8-jpeg-search
      4. ls -l
    • Note(FYI):
      • 8-jpeg-search.dd is the NTFS image file.

 

Section 3: Mount NTFS Practice Image
  1. Mount Up the Image File
    • Instructions:
      1. cd /
      2. mount -t ntfs /var/tmp/images/8-jpeg-search/8-jpeg-search.dd /mnt
      3. df -k
      4. cd /mnt
      5. ls -l
    • Note(FYI):
      • Mounting the image file is not necessary to run foremost.

 

Section 4: Use Foremost to Extract Deleted Files
  1. Use Foremost to Extract Deleted Files
    • Instructions:
      1. cd /var/tmp/images/
      2. foremost -t jpg,gif,png -o restore -v -i /var/tmp/images/8-jpeg-search/8-jpeg-search.dd
        • -t, specifies file types to search for.
        • -o, specifies the name of the recovering directory
        • -v, specifies to run in verbose mode.
        • -i, specifies the image file.
    • Note(FYI):
      • Foremost was able to recover 7 deleted files.

     

  2. Viewing the Recovered Pictures
    • Instructions:
      1. cd restore/
      2. ls -lrta
      3. cd jpg
      4. ls -lrta

     

  3. Start Up the File Browser (a.k.a., nautilus)
    • Instructions:
      1. nautilus .

     

  4. Viewing the Pictures
    • Note(FYI):
      1. As you can see, there are 7 pictures to view.

 

Section 5: Searching For Hidden File Types
  1. Searching For Hidden File Types
    • Instructions:
      1. cd /mnt
      2. file `find . -type f \( -iname "*.*" ! -iname "*.jpg" \)` | grep -i jpeg
        • find - show me all files that do not have a jpg extension.
        • file - determine the file type
        • grep - show me only jpeg files for non-jpg extensions.

     

  2. Viewing the Hidden File Type
    • Instructions:
      1. eog ./alloc/file2.dat

     

Section 6: Proof of Lab
  1. Proof of Lab
    • Instructions:
      1. cd /
      2. df -k | grep /mnt
      3. ls -l /var/tmp/images/restore/jpg
      4. date
      5. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
      6. umount /mnt
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth