Name:- Mrunal Anil Patil
Class:- B.E. (B)
Subject:- Cyber Security Lab
Roll No:- 06
Aim: Study of Forensics Tools in Kali Linux
Forensic image tools: ddrescue
GNU ddrescue is a data recovery tool. It copies data from one file or block device (hard disc, cdrom, etc.) to another, trying to rescue the good parts first in case of read errors.
The basic operation of ddrescue is fully automatic. That is, you don't have to wait for an error, stop the program, restart it from a new position, etc.
If you use the mapfile feature of ddrescue, the data is rescued very efficiently (only the needed blocks are read). Also, you can interrupt the rescue at any time and resume it later at the same point.
The mapfile is an essential part of ddrescue's effectiveness: always give one, and keep it together with the image.
ddrescue [options] infile outfile [mapfile]
ddrescue -d -r3 /dev/sdb disk.img disk.map
Here /dev/sdb is the damaged device, disk.img the output image and disk.map the mapfile; -d reads the device directly, bypassing the kernel cache, and -r3 makes three extra retry passes over bad sectors. The command is ddrescue (GNU ddrescue); dd_rescue is a different program whose options and output differ, so do not mix the two.
PDF Forensics Tools: pdf-parser
pdf-parser (Didier Stevens' pdf-parser.py) parses a PDF document and lists the fundamental elements it is built from: indirect objects, the names in their dictionaries, streams and the references between objects.
It is generally used on PDF files suspected of carrying active content, for example embedded JavaScript or an /OpenAction that runs when the file is opened.
pdf-parser -o 10 filepath
where -o selects the indirect object with the given id (here object 10); it is not a count of objects. Other useful options: -a prints statistics on the objects and names in the file, -s searches the objects for a keyword such as JavaScript or OpenAction, and -f passes a stream through its filters (e.g. FlateDecode) so that compressed content can be read.
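As an added example for this lab (not code from pdf-parser or from the original page), the following Python does on a constructed sample PDF what the -o, -s and -f options above expose: it walks the file for "N G obj" markers, collects the names in each object dictionary, flags the ones that indicate active content, inflates a FlateDecode stream, and follows the catalog's /OpenAction to the script that would run when the document is opened. The sample PDF, the name list in SUSPICIOUS_NAMES and the helper names are this example's own choices.

```python
"""Scan a PDF for indirect objects and active-content names, the way
pdf-parser's -o / -s / -f options expose them. Added example; not pdf-parser."""
import re
import zlib
from typing import Dict, List, Optional

# Names analysts typically search for (pdf-parser -s): scripts, actions that
# fire on open, launched programs, embedded files. Chosen for this example.
SUSPICIOUS_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                    b"/Launch", b"/EmbeddedFile", b"/RichMedia", b"/XFA")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
NAME_RE = re.compile(rb"/[A-Za-z0-9#._-]+")


def build_sample_pdf() -> bytes:
    """Constructed five-object PDF (not a real sample): the catalog's
    /OpenAction points to a JavaScript action whose script sits in a
    FlateDecode-compressed stream. It has no xref table; like pdf-parser,
    the scanner below finds objects by walking the file, not via the xref."""
    js = zlib.compress(b"app.alert('constructed sample');")
    bodies = [
        b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 200 200] >>",
        b"<< /Type /Action /S /JavaScript /JS 5 0 R >>",
        b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(js)
        + js + b"\nendstream",
    ]
    out = b"%PDF-1.4\n"
    for num, body in enumerate(bodies, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def parse_objects(pdf: bytes) -> Dict[int, dict]:
    """Map object id -> {'dict': header bytes, 'stream': raw bytes or None,
    'names': names found in the dictionary}. Heuristic scan: stream data is
    taken up to the first 'endstream' rather than trusting /Length."""
    objects: Dict[int, dict] = {}
    for m in OBJ_RE.finditer(pdf):
        body = m.group(3)
        sm = STREAM_RE.search(body)
        header = body[: sm.start()] if sm else body
        objects[int(m.group(1))] = {
            "dict": header.strip(),
            "stream": sm.group(1) if sm else None,
            "names": NAME_RE.findall(header),
        }
    return objects


def decode_stream(obj: dict) -> bytes:
    """What pdf-parser -f does for FlateDecode: inflate the stream so the
    script or data inside can be read. Other filters are returned raw."""
    if obj["stream"] is None:
        return b""
    if b"/FlateDecode" in obj["names"]:
        return zlib.decompress(obj["stream"])
    return obj["stream"]


def find_suspicious(objects: Dict[int, dict]) -> Dict[int, List[bytes]]:
    """Object ids carrying any name from SUSPICIOUS_NAMES (cf. pdf-parser -s)."""
    hits: Dict[int, List[bytes]] = {}
    for oid, obj in objects.items():
        flagged = [n for n in obj["names"] if n in SUSPICIOUS_NAMES]
        if flagged:
            hits[oid] = flagged
    return hits


def open_action_script(objects: Dict[int, dict]) -> Optional[bytes]:
    """Follow /Catalog -> /OpenAction -> /JavaScript action -> /JS and return
    the decoded script, or None when the document has no such chain."""
    for obj in objects.values():
        if b"/Catalog" not in obj["names"]:
            continue
        ref = re.search(rb"/OpenAction\s+(\d+)\s+\d+\s+R", obj["dict"])
        if not ref:
            return None
        action = objects.get(int(ref.group(1)))
        if not action or b"/JavaScript" not in action["names"]:
            return None
        js_ref = re.search(rb"/JS\s+(\d+)\s+\d+\s+R", action["dict"])
        if js_ref and int(js_ref.group(1)) in objects:
            return decode_stream(objects[int(js_ref.group(1))])
        inline = re.search(rb"/JS\s*\((.*?)\)", action["dict"], re.DOTALL)
        return inline.group(1) if inline else None
    return None


if __name__ == "__main__":
    objs = parse_objects(build_sample_pdf())
    for oid, names in find_suspicious(objs).items():
        print(f"object {oid}: {b' '.join(names).decode()}")
    print("script run on open:", open_action_script(objs))
```

On a real file, run the same three steps with the tool: pdf-parser -s OpenAction to find the catalog, -o with the referenced object id to follow the chain, and -f on the stream object to read the script. The scan is deliberately heuristic, as pdf-parser's is; a malformed object that hides "endobj" or "endstream" inside binary data can confuse either, which is why the output is a lead for analysis and not a verdict.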
GNU ddrescue in detail (notes from the GNU ddrescue manual)
Use the mapfile unless you know what you are doing.
Ddrescue does not write zeros to the output when it finds bad sectors in the input, and does not truncate the output file if not asked to. So, every time you run it on the same output file, it tries to fill in the gaps without wiping out the data already rescued.
Automatic merging of backups: If you have two or more damaged copies of a file, cdrom, etc, and run ddrescue on all of them, one at a time, with the same output file, you will probably obtain a complete and error-free file. This is so because the probability of having the same area damaged in all copies is low (if the errors are randomly located). Using the mapfile, only the blocks needed are read from the second and successive copies.
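The mapfile that makes the resume and merge behaviour above possible is a plain text file, so it can be checked before an image is trusted or a second copy is merged into it. The following Python is an added example for this lab, not part of GNU ddrescue: it parses a constructed mapfile from an interrupted rescue (not a real device), totals the bytes in each status, reports whether the image is complete, and lists the blocks that a second copy of the media would still have to supply. The status-line layout and the block status characters follow the GNU ddrescue manual; the sample contents and the function names are this example's own.

```python
"""Parse a GNU ddrescue mapfile and report how complete a rescued image is.
Added example for this lab; not part of GNU ddrescue."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Block status characters documented in the GNU ddrescue manual.
STATUS_NAMES = {
    "?": "non-tried",
    "*": "non-trimmed",
    "/": "non-scraped",
    "-": "bad-sector",
    "+": "finished",
}

# Constructed sample: an interrupted rescue of a 3 MiB device with one bad
# sector and a block still waiting to be trimmed. Not a real device image.
SAMPLE_MAPFILE = """\
# Mapfile. Created by GNU ddrescue version 1.23
# Command line: ddrescue -d -r3 /dev/sdb disk.img disk.map
# Start time:   2020-01-10 09:12:01
# Current time: 2020-01-10 09:40:17
# current_pos  current_status  current_pass
0x00200000     *               1
#      pos        size  status
0x00000000  0x00100000  +
0x00100000  0x00001000  -
0x00101000  0x000FF000  +
0x00200000  0x00000800  *
0x00200800  0x000FF800  +
"""


@dataclass
class Block:
    pos: int
    size: int
    status: str

    @property
    def end(self) -> int:
        return self.pos + self.size


@dataclass
class Mapfile:
    command_line: str      # the "# Command line:" comment, "" if absent
    current_pos: int
    current_status: str
    blocks: List[Block]

    def totals(self) -> Dict[str, int]:
        """Bytes in each status, e.g. how much is finished vs. bad."""
        t = {name: 0 for name in STATUS_NAMES.values()}
        for b in self.blocks:
            t[STATUS_NAMES[b.status]] += b.size
        return t

    def unfinished_ranges(self) -> List[Tuple[int, int]]:
        """(pos, size) of every block not marked '+'. When a second copy of
        the media is rescued into the same output with this mapfile, these
        are the only blocks ddrescue reads from it."""
        return [(b.pos, b.size) for b in self.blocks if b.status != "+"]

    def is_complete(self) -> bool:
        return all(b.status == "+" for b in self.blocks)


def parse_mapfile(text: str) -> Mapfile:
    command_line = ""
    status = None
    blocks: List[Block] = []
    prev_end = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# Command line:"):
                command_line = line[len("# Command line:"):].strip()
            continue
        fields = line.split()
        if status is None:
            # First non-comment line: current_pos current_status [current_pass]
            if len(fields) not in (2, 3):
                raise ValueError(f"bad status line: {raw!r}")
            status = (int(fields[0], 0), fields[1])
            continue
        if len(fields) != 3 or fields[2] not in STATUS_NAMES:
            raise ValueError(f"bad block line: {raw!r}")
        blk = Block(int(fields[0], 0), int(fields[1], 0), fields[2])
        # Blocks must be contiguous, ascending and non-empty. Anything else
        # means the mapfile was edited or truncated and must not be used to
        # resume a rescue.
        if blk.size <= 0 or (prev_end is not None and blk.pos != prev_end):
            raise ValueError(f"gap, overlap or empty block at {blk.pos:#x}")
        prev_end = blk.end
        blocks.append(blk)
    if status is None or not blocks:
        raise ValueError("mapfile has no status line or no block lines")
    return Mapfile(command_line, status[0], status[1], blocks)


if __name__ == "__main__":
    m = parse_mapfile(SAMPLE_MAPFILE)
    print("recorded command:", m.command_line)
    for name, nbytes in m.totals().items():
        print(f"{name:13s} {nbytes:12d} bytes")
    print("complete:", m.is_complete())
    print("still to read from another copy:",
          [(hex(p), hex(s)) for p, s in m.unfinished_ranges()])
```

Two checks worth running on a real mapfile before the image goes into evidence: is_complete() tells you whether every block was read without error, and totals()["bad-sector"] is the number of bytes the image is missing, which should be recorded with the image's hash. The recorded command line also carries the device name used when the rescue started, which is the value to compare against the current device names after a reboot before restarting ddrescue.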
Ddrescue recommends lzip for compression of backups because the lzip format is designed for long-term archiving and provides data recovery capabilities which nicely complement those of ddrescue. (Ddrescue fills unreadable sectors with data from other copies, while lziprecover corrects corrupt sectors with data from other copies.) If the cause of file corruption is damaged media, the combination ddrescue + lziprecover is the best option for recovering data from multiple damaged copies (see the example in the lziprecover manual).
Because ddrescue needs to read and write at random places, it only works on seekable (random access) input and output files.
If your system supports it, ddrescue can use direct disc access to read the input file, bypassing the kernel cache.
Ddrescue also features a 'fill mode' able to selectively overwrite parts of the output file, which has a number of interesting uses like wiping data, marking bad areas, or even, in some cases, "repair" damaged sectors.
One of the great strengths of ddrescue is that it is interface-agnostic, and so can be used for any kind of device supported by your kernel (ATA, SATA, SCSI, old MFM drives, floppy discs, or even flash media cards like SD).
Basic concepts
Block
Any amount of data. A block is described by its starting position and its size. The starting position (or beginning position) is the lowest position in the block. The end of the block is its starting position plus its size.
Cluster
Group of consecutive sectors read or written in one go.
Device
Piece of hardware containing data. Hard disc drives, cdrom drives, USB pendrives, are devices. /dev/hda, /dev/sdb, are device names.
File
Files are named units of data which are stored by the operating system for you to retrieve later by name. Devices and partitions are accessed by means of their associated file names.
Partition
Every part in which a device is divided. A partition normally contains a file system. /dev/hda1, /dev/sdb3, are partition names.
Recoverable formats
As ddrescue uses standard library functions to read data from the device being rescued, only mountable device formats can be rescued with ddrescue. CD-ROMs and DVDs can be rescued, "compact disc digital audio" CDs can't, "video CDs" maybe.
Rescue domain
Block or set of blocks to be acted upon (rescued, listed, etc). You may define it with the options '--input-position', '--size', and '--domain-mapfile'. The rescue domain defaults to the whole input file or mapfile. If ddrescue can't determine the size of the input file, the rescue domain defaults to the maximum size of a block (at least 2^63 - 1 bytes, or 8 EiB minus 1 byte).
Ddrescue will never try to read any data outside of the rescue domain except when unaligned direct disc access is requested (see Direct disc access). If it does, please, report it as a bug.
The amount of data rescued, number of bad areas, etc, shown by ddrescue may vary or even become zero if you limit the rescue domain. Don't worry, they have not disappeared; they are simply out of the specified rescue domain.
Sector
Hardware block. Smallest accessible amount of data on a device.
Using ddrescue safely
Ddrescue is like any other power tool. You need to understand what it does, and you need to understand some things about the machines it does those things to, in order to use it safely.
Never try to rescue a r/w mounted partition. The resulting copy may be useless. It is best that the device or partition to be rescued is not mounted at all, not even read-only.
Never try to repair a file system on a drive with I/O errors; you will probably lose even more data.
If you use a device or a partition as destination, any data stored there will be overwritten.
Some systems may change device names on reboot (e.g. udev enabled systems). If you reboot, check the device names before restarting ddrescue.
If you interrupt the rescue and then reboot, any partially copied partitions should be hidden before allowing them to be touched by any operating system that tries to mount and "fix" the partitions it sees.