Name: Patil Mohit Manoj
Class: BE Computer - B
Batch: B-1
Roll No: 12
DOP: 31/03/2023 DOC: 31/03/2023
Rescue Hardware:
You need a Linux system with GNU ddrescue (gddrescue on Ubuntu), the drive you are rescuing, and a device with an empty partition at least 1.5 times as large as the partition you are rescuing, so you have plenty of headroom. If you run out of room, even by just a few bytes, GNU ddrescue will fail at the very end.
There are a couple of ways to set this up. One way is to mount the sick drive on your Linux system, which is easy if it’s an optical disk or USB device. For SATA and SSD drives, USB adapters are inexpensive and easy to use. I prefer bringing the sick device to my good reliable Linux system and not hassling with bootloaders and strange hardware. I keep a spare SATA drive in a portable USB enclosure for storing the rescued data.
Another way is to boot up the system that hosts the dying drive with your SystemRescueCD (or whatever rescue distro you prefer), and connect your rescue storage drive.
$ findmnt -D
SOURCE      FSTYPE             SIZE    USED   AVAIL USE% TARGET
udev        devtmpfs           7.7G       0    7.7G   0% /dev
tmpfs       tmpfs              1.5G    9.6M    1.5G   1% /run
/dev/sda3   ext4              36.6G   12.2G   22.4G  33% /
tmpfs       tmpfs              7.7G    1.2M    7.7G   0% /dev/shm
tmpfs       tmpfs                5M      4K      5M   0% /run/lock
tmpfs       tmpfs              7.7G       0    7.7G   0% /sys/fs/cgroup
/dev/sda4   ext2              18.3G     46M   17.4G   0% /tmp
/dev/sda2   ext2               939M  119.1M  772.2M  13% /boot
/dev/sda6   ext4               1.8T  505.4G    1.2T  28% /home
tmpfs       tmpfs              1.5G     44K    1.5G   0% /run/user/1000
gvfsd-fuse  fuse.gvfsd-fuse       0       0       0    - /run/user/1000/gvfs
/dev/sdd1   vfat              14.6G      8K   14.6G   0% /media/carla/100MB
/dev/sdc1   vfat             243.8M     40K  243.7M   0% /media/carla/50MB
/dev/sdb4   ext4               1.8T    874G  859.3G  48% /media/carla/8c670f2e-dae3-4594-9063-07e2b36e609e
Allrightythen, we’ve spent enough time figuring out how to know which drive is which. Let’s say that GNU ddrescue is on /dev/sda1, the damaged drive is /dev/sdb1, and we are copying it to /dev/sdc1. The first command copies as much as possible, without retries. The second command goes over the damaged filesystem again, and makes three retries to copy everything. The logfile is on the root filesystem, which I think is a better place than the removable media, but you can put it anywhere you want:
$ sudo ddrescue -f --no-split /dev/sdb1 /dev/sdc1 logfile
$ sudo ddrescue -f -r3 /dev/sdb1 /dev/sdc1 logfile
$ sudo ddrescue -d /dev/sdb backup.img backup.logfile
pdf-parser parses a PDF document to identify the fundamental elements used in the analyzed file. It does not render the PDF document.
root@kali:~# pdf-parser -h
Usage: pdf-parser [options] pdf-file|zip-file|url
pdf-parser, use it to parse a PDF document
Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -s SEARCH, --search=SEARCH
                        string to search in indirect objects (except streams)
  -f, --filter          pass stream object through filters (FlateDecode,
                        ASCIIHexDecode, ASCII85Decode, LZWDecode and
                        RunLengthDecode only)
  -o OBJECT, --object=OBJECT
                        id of indirect object to select (version independent)
  -r REFERENCE, --reference=REFERENCE
                        id of indirect object being referenced (version
                        independent)
  -e ELEMENTS, --elements=ELEMENTS
                        type of elements to select (cxtsi)
  -w, --raw             raw output for data and filters
  -a, --stats           display stats for pdf document
  -t TYPE, --type=TYPE  type of indirect object to select
  -v, --verbose         display malformed PDF elements
  -x EXTRACT, --extract=EXTRACT
                        filename to extract malformed content to
  -H, --hash            display hash of objects
  -n, --nocanonicalizedoutput
                        do not canonicalize the output
  -d DUMP, --dump=DUMP  filename to dump stream content to
  -D, --debug           display debug info
  -c, --content         display the content for objects without streams or
                        with streams without filters
  --searchstream=SEARCHSTREAM
                        string to search in streams
  --unfiltered          search in unfiltered streams
  --casesensitive       case sensitive search in streams
  --regex               use regex to search in streams
$ sudo pdf-parser -o 10 file.pdf