Practical 8

Name : Premsagar Manoj Pawar

Subject : Cyber Security Lab

Class : BE Computer

Section : B

Roll No : 30

Aim: Study of Forensics Tools in Kali Linux.

Forensic image tools:

ddrescue: It copies data from one file or block device (hard disk, CD-ROM, etc.) to another, trying to rescue the good parts first in case of read errors.

The basic operation of ddrescue is fully automatic. That is, you don't have to wait for an error, stop the program, restart it from a new position, etc.

If you use the mapfile feature of ddrescue, the data is rescued very efficiently (only the needed blocks are read). Also, you can interrupt the rescue at any time and resume it later at the same point. The mapfile is an essential part of ddrescue's effectiveness.

Basic syntax (the mapfile argument is optional but, as noted above, is what makes the rescue resumable):

ddrescue infilepath outfilepath [mapfile]

Rescue Hardware:

You need a Linux system with GNU ddrescue (package gddrescue on Ubuntu), the drive you are rescuing, and a device with an empty partition at least 1.5 times as large as the partition you are rescuing, so you have plenty of headroom. If the destination runs out of room, even by a few bytes, GNU ddrescue will fail at the very end of the copy.

There are a couple of ways to set this up. One way is to mount the sick drive on your Linux system, which is easy if it’s an optical disk or USB device. For SATA and SSD drives, USB adapters are inexpensive and easy to use. I prefer bringing the sick device to my good reliable Linux system and not hassling with bootloaders and strange hardware. I keep a spare SATA drive in a portable USB enclosure for storing the rescued data.

Another way is to boot up the system that hosts the dying drive with your SystemRescueCD (or whatever rescue distro you prefer), and connect your rescue storage drive.

Identify Drive Names:

lsblk on my system shows two 1.8TB drives. One has the root filesystem and my home directory, and the other is an extra data storage drive. lsblk also accurately identifies the Compact Flash drive, an SD card, and the optical drive (sr0; iHAS424 identifies a Lite-On optical drive). If this doesn’t help you identify your drives, then try findmnt:

$ findmnt -D
SOURCE      FSTYPE           SIZE    USED    AVAIL   USE% TARGET
udev        devtmpfs         7.7G    0       7.7G    0%   /dev
tmpfs       tmpfs            1.5G    9.6M    1.5G    1%   /run
/dev/sda3   ext4             36.6G   12.2G   22.4G   33%  /
tmpfs       tmpfs            7.7G    1.2M    7.7G    0%   /dev/shm
tmpfs       tmpfs            5M      4K      5M      0%   /run/lock
tmpfs       tmpfs            7.7G    0       7.7G    0%   /sys/fs/cgroup
/dev/sda4   ext2             18.3G   46M     17.4G   0%   /tmp
/dev/sda2   ext2             939M    119.1M  772.2M  13%  /boot
/dev/sda6   ext4             1.8T    505.4G  1.2T    28%  /home
tmpfs       tmpfs            1.5G    44K     1.5G    0%   /run/user/1000
gvfsd-fuse  fuse.gvfsd-fuse  0       0       0       -    /run/user/1000/gvfs
/dev/sdd1   vfat             14.6G   8K      14.6G   0%   /media/carla/100MB
/dev/sdc1   vfat             243.8M  40K     243.7M  0%   /media/carla/50MB
/dev/sdb4   ext4             1.8T    874G    859.3G  48%  /media/carla/8c670f2e-dae3-4594-9063-07e2b36e609e

This shows that /dev/sda3 is my root filesystem, and everything in /media is external to my root filesystem.

/media/carla/100MB2 and /media/carla/50MB have labels instead of UUIDs like /media/carla/8c670f2e-dae3-4594-9063-07e2b36e609e because I always give my USB sticks descriptive filesystem labels. You can do this for any filesystem, for example I could label the root filesystem this way:

$ sudo e2label /dev/sda3 rootdonthurtmeplz

Run sudo e2label [device] to see your nice new label. e2label is for ext2/ext3/ext4, and XFS, JFS, BtrFS, and other filesystems have different commands. The easy way is to use GParted; unmount the filesystem and then you can apply or change the label without having to look up the command for each filesystem.

Basic Rescue:

The first command copies as much as possible without retries. The second command goes over the damaged filesystem again and makes three retries to copy everything. The logfile (ddrescue's mapfile) is kept on the root filesystem, which I think is a better place than the removable media.

$ sudo ddrescue -f --no-split /dev/sdb1 /dev/sdc1 logfile

$ sudo ddrescue -f -r3 /dev/sdb1 /dev/sdc1 logfile

To copy an entire drive, use just the drive name, for example /dev/sdb, and don’t specify a partition.
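As an added illustration (not part of the original notes, and not part of ddrescue itself), this Python helper applies the 1.5x headroom rule from the Rescue Hardware section before building the two ddrescue passes shown above. The names device_size, rescue_plan and run_rescue are my own; the command-line flags are the ones used in the two commands above.

```python
import os
import subprocess
import sys

HEADROOM = 1.5  # destination must be at least 1.5x the source (Rescue Hardware section)

def device_size(path):
    """Size in bytes of a block device or image file; seeking to the end works for both."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return os.lseek(fd, 0, os.SEEK_END)
    finally:
        os.close(fd)

def rescue_plan(src, dst, mapfile, src_bytes, dst_bytes, retries=3):
    """Return the two ddrescue passes from the Basic Rescue section as argv lists,
    or raise ValueError when the destination is too small to finish the copy."""
    needed = int(src_bytes * HEADROOM)
    if dst_bytes < needed:
        raise ValueError(f"{dst} holds {dst_bytes} bytes, need at least {needed}")
    return [
        # pass 1: grab every readable block, no retries, no splitting of bad areas
        ["ddrescue", "-f", "--no-split", src, dst, mapfile],
        # pass 2: go back over the blocks the mapfile marks as bad, retrying each
        ["ddrescue", "-f", f"-r{retries}", src, dst, mapfile],
    ]

def run_rescue(src, dst, mapfile, retries=3):
    """Size-check both devices, then run the passes; the shared mapfile lets pass 2
    (or a later resume after an interruption) skip everything pass 1 already copied."""
    plan = rescue_plan(src, dst, mapfile, device_size(src), device_size(dst), retries)
    for cmd in plan:
        subprocess.run(cmd, check=True)
    return plan

if __name__ == "__main__":
    # usage: rescue.py /dev/sdX1 /dev/sdY1 logfile  (names as shown by lsblk/findmnt)
    run_rescue(*sys.argv[1:4])
```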

If you have any damaged files that ddrescue could not completely recover you’ll need other tools to try to recover them, such as Testdisk, Photorec, Foremost, or Scalpel. The Arch Linux wiki has a nice overview of file recovery tools.

PDF Forensics Tools:

pdf-parser: pdf-parser is a tool that parses a PDF document to identify the fundamental elements used in the analyzed PDF file. Generally, this is used for PDF files that you suspect have a script embedded in them.

pdf-parser -o 10 filepath, where "-o" selects the indirect object with the given id (here, object 10).

pdf-parser – Parses PDF files to identify their fundamental elements.

root@kali:~# pdf-parser -h
Usage: pdf-parser [options] pdf-file|zip-file|url

pdf-parser, use it to parse a PDF document

Options:
  --version             show program's version number and exit
  -h, --help            show this help message and exit
  -s SEARCH, --search=SEARCH
                        string to search in indirect objects (except streams)
  -f, --filter          pass stream object through filters (FlateDecode,
                        ASCIIHexDecode, ASCII85Decode, LZWDecode and
                        RunLengthDecode only)
  -o OBJECT, --object=OBJECT
                        id of indirect object to select (version independent)
  -r REFERENCE, --reference=REFERENCE
                        id of indirect object being referenced (version
                        independent)
  -e ELEMENTS, --elements=ELEMENTS
                        type of elements to select (cxtsi)
  -w, --raw             raw output for data and filters
  -a, --stats           display stats for pdf document
  -t TYPE, --type=TYPE  type of indirect object to select
  -v, --verbose         display malformed PDF elements
  -x EXTRACT, --extract=EXTRACT
                        filename to extract malformed content to
  -H, --hash            display hash of objects
  -n, --nocanonicalizedoutput
                        do not canonicalize the output
  -d DUMP, --dump=DUMP  filename to dump stream content to
  -D, --debug           display debug info
  -c, --content         display the content for objects without streams or
                        with streams without filters
  --searchstream=SEARCHSTREAM
                        string to search in streams
  --unfiltered          search in unfiltered streams
  --casesensitive       case sensitive search in streams
  --regex               use regex to search in streams
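As an added example, not part of the original notes and not the pdf-parser tool's own code, here is a small Python scanner that does what combining pdf-parser's -s, --searchstream and -f options does: it walks the indirect objects, inflates FlateDecode streams, and reports objects that contain the action-related names an analyst looks for first. SUSPECT_KEYS and all function names are my own, and the sample PDF is constructed inline to show why searching decoded streams matters.

```python
import re
import zlib

# Names worth a closer look: the strings one would hand to `pdf-parser -s` or `--searchstream`.
SUSPECT_KEYS = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                b"/EmbeddedFile")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)endobj", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")  # direct /Length only

def parse_objects(data):
    """Map each indirect object id to its raw body (dictionary plus stream)."""
    return {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(data)}

def stream_content(body):
    """Stream payload, inflated for FlateDecode (what `pdf-parser -f` does);
    other filters are returned undecoded."""
    dict_part, sep, rest = body.partition(b"stream")
    if not sep:
        return b""
    rest = rest[2:] if rest.startswith(b"\r\n") else rest[1:]  # skip the EOL
    m = LENGTH_RE.search(dict_part)  # indirect /Length: fall back to the delimiter
    raw = rest[:int(m.group(1))] if m else rest.split(b"endstream", 1)[0]
    if b"/FlateDecode" not in dict_part:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        return raw  # truncated or corrupt stream: keep the raw bytes

def flag_suspicious(data):
    """Sorted (object id, key) pairs for objects whose dictionary or decoded
    stream contains an entry of SUSPECT_KEYS."""
    hits = []
    for oid, body in parse_objects(data).items():
        text = body.partition(b"stream")[0] + stream_content(body)
        hits.extend((oid, k.decode()) for k in SUSPECT_KEYS if k in text)
    return sorted(hits)

def build_sample_pdf():
    """Constructed sample, not a real malicious file: the catalog's /OpenAction
    points at a FlateDecode stream hiding a JavaScript action dictionary, so
    grepping the raw file for /JavaScript finds nothing."""
    hidden = zlib.compress(b"<< /Type /Action /S /JavaScript /JS (placeholder) >>")
    stream_obj = (b"3 0 obj\n<< /Length " + str(len(hidden)).encode()
                  + b" /Filter /FlateDecode >>\nstream\n" + hidden
                  + b"\nendstream\nendobj\n")
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
            b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
            + stream_obj + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
```

flag_suspicious(build_sample_pdf()) reports object 1 for /OpenAction and object 3 for /JS and /JavaScript, even though the raw file never contains the bytes "/JavaScript".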


ddrescue :

pdf-parser :