Forensic File Recovery with Linux – Undelete

Want your deleted files back? Plan A: have backups. Plan B: take a disk image and use a tool to undelete your files. If you are doing forensic analysis, file recovery is your only option.
Prequisites: fluency with the command line interface, sudo and package manager.
If you are doing forensic analysis with potentially hostile software, don’t use production machines or computers with sensitive information. This article is just an intro to some technical aspects of filesystem analysis – don’t assume you’re ready for courtroom with just these lines.

Work with Disk Image

When recovering files, always work with a disk image, not the original disk.
To take an image of a disk, boot with a live CD. Connect a drive larger than the drive to be recovered. Take the image of the target disk and save it to the large drive.
For example, to image drive /dev/sda1 to a new file called sda1.dd:

$ sudo dd if=/dev/sda1 of=sda1.dd

Be very careful with dd. Using wrong output file (of) can quickly destroy all your data.

Recover Deleted Files from Image

You can easily extract files from the image, even without mounting it.
Normal mounting would only show normal, allocated files. Undelete tools can recover some of the deleted, unallocated files too. This allows you to see files that were removed from trash or deleted with rm.
For example, you might want to extract files from sda1.dd disk image.
Create folders for extraction

$ mkdir allocated deleted

Recover normal, allocated files

$ tsk_recover -a sda1.dd allocated/
Files Recovered: 7388

Recover deleted, unallocated files

$ tsk_recover sda1.dd deleted/
Files Recovered: 42

Now you can analyze the files with any tools you like.
If you are doing forensic analysis, be careful: never run files that could be hostile.

Analyze the Files

Now you can analyze the files with any tools you like. They are just normal files, so the following are only examples of the unlimited ways you can use command line.
If you are doing forensic analysis, be careful: never run files that could be hostile.
Count files

$ find|wc -l

List filenames

$ find|less

Find files by name

$ find -iname '*tero*'

Search contents of files

$ grep -ir tero *

Show tree of directories

$ tree -d


$ find -type d

Find special files (not normal file and not a directory)

$ find -not -type f -and -not -type d

Find files with uncommon characters in the name. This example uses Perl regular expressions. As your definition of weird filename might vary, modify the pattern accordingly.

$ find * |grep -P '[^\w/\.-]'

Create a timeline with deleted files included.

$ tsk_gettimes sda1.dd >rawtimes
$ mactime -b rawtimes|less

Mounting the Image

Mounting the image is nice when you are working with your own filesystem. It’s not always required when doing forensic analysis.
Mounting the image gives you normal access to allocated files. If there could be hostile applications in the image, remember to use ‘noexec’ and ‘nodev’

$ mkdir sda1/
$ sudo mount -o "loop,nodev,noexec,ro" sda1.dd sda1/

If you mount the image, you can get a timeline of allocated files with

$ sudo find -printf '%T+ M %p\n%A+ A %p\n%C+ C %p\n'|sort|less

This shows a list with MAC times (modified, accessed, status changed). The dates are in pleasant ISO-8601 format, e.g. 2013-06-25.
Deleted files are not available when the image is mounted. If you need timeline with deleted files, see tsk_gettimes above.


Tested with Xubuntu 12.04 LTS.
Edited. Multiple times.

Posted in Uncategorized | Tagged , , , , , , , , , , , , , , , , , , , | Comments Off on Forensic File Recovery with Linux – Undelete

Comments are closed.