Use Testdisk to Recover Data from a
Corrupt drive with Linux Ubuntu 12.04
Carlos Cajigas MSc, EnCE, CFCE, CDFE, A+
Recently, while examining an image with the contents of an external hard drive in
an exploitation case, we ran into some difficulty viewing the data on the drive at a logical
level. No matter the forensic tool we used, we were unable to mount the partitions in
the image so that we could see the directory structure of the volume. After some
analysis we discovered that the master boot record (MBR) was corrupt. Viewing the
directory structure of a volume in a drive with a corrupt MBR is not impossible, but often
it will not happen until the partition table is fixed. Fixing the partition table in the image
or on a restored drive would mean changing the original evidence. We wanted to see
the directory structure without changing any data, and we found a program that does
just that. We wrote this article to talk about the tool that we used to accomplish this.
We hope that someday it can help you too.
Although not as user-friendly as the commercial tools, the program Testdisk will
allow you to accomplish the same tasks as its more expensive counterparts. We like
this tool because it can recover lost partitions and repair boot sectors for many of the
file systems normally found on Windows, Mac, and Linux. Testdisk is powerful
and free. It comes preinstalled on Linux live CDs such as Blackbuntu.
You can use a live CD bundled with Testdisk to accomplish this task, but for the
purposes of this article I used an examination computer with Ubuntu 12.04 installed on
it.
The goal
The plan is to recreate the steps that will lead to a disk becoming corrupt. We
are going to write data to a volume, we will damage the disk's partition table, and finally
we will use Testdisk to recover the data from the corrupt disk, without fixing the disk.
Installing the tools:
All of the tools that we will use are either included in Ubuntu by default or can be
downloaded from the Ubuntu Software Center. The tools that we will need to recreate
the test are shred, dd, hexedit, gparted, and testdisk. shred and dd are already in
Ubuntu (they are part of coreutils), so let's head over to the Ubuntu Software Center for the other tools.
Click on the Dash Home circle, located on the top left of your screen, type in
“software” and click on the Ubuntu Software Center icon that will appear.
After the Ubuntu Software Center opens, you will see a search box in the top-right
corner of your screen. Type "hexedit" and click on the Install button. You will be
prompted for a password. Ubuntu has no separate root password by default, so enter the
password of your own (administrator) account and wait for the program to install.
Once hexedit is installed, search for gparted and testdisk. Install gparted and
testdisk as well.
Now that you have the tools that we need, close the Ubuntu Software Center.
The next step is to prepare a working folder for our files. Go to your desktop, right click
on your desktop and select “create new folder”, name it “Test”. Copy any two small files
into it. I chose two small txt files, one named TEST1.txt and the other TEST2.txt.
The test
To recreate the test I will be using a 256MB Flash Drive. Pretty small huh... I
have had it for over ten years and I paid $100 for it back then. When testing software,
smaller drives take less time to wipe.
Since we are going to be adding data to this media and then examining it, we
should sterilize it. Sterilizing a drive is the process of writing a known hex value to every
sector of a piece of media so that it can overwrite any and all data that previously
resided on that piece of media. For the purposes of this article, we will be using the
program Shred. Shred is only run from the command line. Make sure your test media
is inserted into the computer and open a Terminal Window. In Ubuntu you can
accomplish this by pressing Ctrl-Alt-T at the same time or by going to the Dash Home
and typing in “terminal”.
Once the terminal window is open, Type the following into the terminal to
determine which letter Ubuntu assigned to the test media.
sudo fdisk -l
fdisk is a partition table manipulator for Linux. The flag -l tells fdisk to list the
partition tables of all devices. Sudo gives fdisk superuser privileges for the operation. Press Enter
and type your password (if needed); sudo on Ubuntu asks for your own account password, not a root password.
Ubuntu assigned the media to /dev/sdb, and /dev/sdb1 is the partition currently on
the media. Do not pay much attention to it, we will be wiping it shortly. Do check the size
and model shown for the device before going further: the wipe in the next step is unrecoverable,
and it must be pointed at the test media and not at your system disk.
Now that we know the media's drive assignment, type the following into the
terminal to wipe/sterilize it.
sudo shred -v -n 0 -z /dev/sdb
shred is the wiping program. The flag -v shows progress. The flag -n sets how many
passes of random data are written instead of the default of 3; I gave it 0 because I did
not want to overwrite the drive with random data at all. The flag -z adds a final
pass of zeros (normally meant to hide the fact that the media was shredded). For the purposes of this
test one pass of zeros is all that we need. /dev/sdb is the test media; it has to be the whole
device and not a partition such as /dev/sdb1, otherwise the partition table would survive the wipe, and no
partition on it may be mounted while you wipe it. Sudo gives shred superuser
privileges for the operation. Press Enter and type your password (if needed).
Our media has been successfully sterilized by writing zeros to the entire drive,
from the first sector to the last. Now we need to format the media. Remove the media
from the computer and insert it back into the computer. Type the following into the
terminal window.
sudo gparted
gparted is the GNOME partition editor for manipulating disk partitions. A GUI for
gparted will open. Make sure that you select your media in the device menu in the top-right
corner; it should be the /dev/sdb device. Because the drive was zeroed it no longer has a
partition table, so create a new msdos partition table first, then create one partition
spanning the device, format it as fat32 and apply the changes.
Now that the drive is formatted, copy the two files from the Test folder into the
media.
After the files have been copied, delete one. I chose to delete TEST2.txt.
The test media is now ready to be damaged. We will damage the drive by wiping
the entire master boot record (MBR). The MBR occupies physical sector 0 of the drive,
the first 512 bytes. It holds the boot code, the master partition table (four 16-byte
entries starting at byte offset 446, each giving the partition type, its starting sector
and its length in sectors) and the two-byte signature 0x55AA at offset 510. Without a valid
MBR, partitioned media often becomes unrecognizable to the operating system, because
nothing tells it where the volumes begin. Type the following into the terminal window.
sudo hexedit -s /dev/sdb
hexedit is a hex editor for Linux. The flag -s tells hexedit to format the display in
whole sectors, one at a time. Sudo gives hexedit superuser privileges for the operation.
The device must not be mounted while you edit it, so unmount the volume first if Ubuntu
mounted it automatically when you copied the files. Press Enter and type
your password (if needed). What you are looking at is the MBR of the test media. Look at
the bottom of the terminal window: it tells you that this is sector 0 of device sdb. Also
notice that the sector ends with the signature 0x55AA (the bytes 55 AA at offset 0x1FE).
Now overwrite the entire sector, all 512 bytes, with zeros. Press F2 to save the changes.
Note that Ctrl-C in hexedit quits without saving, so save first and only then press
Ctrl and C at the same time to exit.
Now, navigate to the previously created Test folder on the desktop. We will use
the CD command to change directory into the desktop. Type the following into the
terminal.
cd /home/carlos/Desktop/Test/
Replace “carlos” with the name of the user account you are currently logged on
as. After doing so, press enter. You should receive these results.
carlos@XPS-M1330:~$ cd /home/carlos/Desktop/Test/
carlos@XPS-M1330:~/Desktop/Test$
Type the following into the terminal.
sudo dd if=/dev/sdb of=test.dd
dd is a standard Linux program whose primary purpose is the low-level copying
and conversion of raw data. if= names the input file to read from (here the whole
device, not just a partition) and of= the output file to write to. Sudo gives dd
superuser privileges for the operation. Press Enter and type your password (if needed).
This copies every sector on the media into a file named test.dd in our
current directory, which is the Test folder. On a real case drive you would also want dd
to keep going past unreadable sectors and zero-fill them instead of stopping (its
conv=noerror,sync option), and you would hash both the device and the image (for
instance with sha256sum) and record the values, so that you can later prove the image
matches the source.
Now that we have an image of the test media, you can remove the media from the
computer. Type the following into the terminal.
hexedit -s test.dd
We will again use hexedit, this time to look at the first sector of the image of the
media that we just created. Look at the bottom of the terminal window: it tells you that this
is sector 0 of test.dd. Notice.... nothing but zeros. Great!!!
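The imaging and sector-0 check above, as an added example that is not part of the original article and is written in Python rather than with dd: it shows the two things a practitioner adds to a plain dd copy, namely zero-filling and logging unreadable sectors (what dd's conv=noerror,sync does) and hashing the image so it can be verified afterwards. The device and image paths in demo() are temporary files standing in for /dev/sdb and test.dd, and the sample content is constructed; both are assumptions.

```python
"""Added example, not code from the original article: sector-by-sector imaging with
error logging and SHA-256 verification. Paths and sample data are constructed."""
import hashlib
import os
import tempfile

SECTOR = 512


def image_device(src_path: str, dst_path: str) -> dict:
    """Copy src_path to dst_path one sector at a time.

    A read error on a sector puts 512 zero bytes in the image and the sector's LBA in
    bad_sectors, then the copy continues with the next sector. The SHA-256 of exactly
    the bytes written is returned so the image can be re-verified later."""
    bad_sectors = []
    digest = hashlib.sha256()
    lba = 0
    with open(src_path, "rb", buffering=0) as src, open(dst_path, "wb") as dst:
        while True:
            try:
                chunk = src.read(SECTOR)
            except OSError:                 # e.g. EIO from a failing sector
                chunk = bytes(SECTOR)
                bad_sectors.append(lba)
                src.seek((lba + 1) * SECTOR)
            if not chunk:                   # end of device / file
                break
            dst.write(chunk)
            digest.update(chunk)
            lba += 1
    return {"sectors": lba, "bad_sectors": bad_sectors, "sha256": digest.hexdigest()}


def sha256_file(path: str) -> str:
    """Independent hash of a whole file, used to verify source and image afterwards."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def read_sector(path: str, lba: int) -> bytes:
    with open(path, "rb") as f:
        f.seek(lba * SECTOR)
        return f.read(SECTOR)


def sector_is_zero(path: str, lba: int) -> bool:
    """The check the article does by eye in hexedit -s: is this sector all 0x00?"""
    return read_sector(path, lba) == bytes(SECTOR)


def demo() -> dict:
    """Build a constructed 4-sector 'device' whose sector 0 is already zeroed (as after
    the hexedit step), image it, and verify the image independently of the hash taken
    during acquisition."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "sdb")        # stands in for /dev/sdb (assumption)
    dst = os.path.join(tmp, "test.dd")
    payload = bytes(SECTOR) + bytes(range(256)) * 6   # zeroed MBR + 3 sectors of data
    with open(src, "wb") as f:
        f.write(payload)
    result = image_device(src, dst)
    result["matches_source"] = sha256_file(src) == sha256_file(dst) == result["sha256"]
    result["sector0_zero"] = sector_is_zero(dst, 0)
    result["sector1_zero"] = sector_is_zero(dst, 1)
    return result


if __name__ == "__main__":
    print(demo())
```

On a real device image_device has to run as root, just like the dd command, and a non-empty bad_sectors list or a hash mismatch between source and image is exactly the condition you want recorded in your notes rather than discovered later.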
Type the following into the terminal.
sudo testdisk test.dd
We finally get to testdisk. Testdisk is a scan-and-repair partition tool for
Windows, Mac and Linux. It is a terminal based tool driven with the up, down, left and
right arrow keys, with Enter to proceed. Press Q at any time to go back or exit the
program. Testdisk recognizes the physical hard drives in the computer as well as USB
storage devices, or, as in this case, you can point testdisk at your image file and it
will open that instead (sudo is not strictly needed for an image file you own, but it is
harmless). Press Enter to proceed.
Testdisk is going to ask you to select the partition table type. For FAT32 and NTFS formatted
drives, select Intel/PC partition. Press Enter to proceed.
Select Analyse and press enter.
Notice that testdisk took a peek at sector 0 and reported that our image does
not contain a valid MBR: there is no 0x55AA signature and no partition table. Select Quick Search and press Enter.
Testdisk then asks whether it should also search for partitions created under Windows
Vista or later, which are aligned differently on the disk. I answered yes to this question.
Testdisk amazingly found our lost partition. Look at the bottom of the screen and
press P to list the files in the partition.
Testdisk sees the two files we added to the media prior to imaging it. Testdisk is
even able to see the deleted file: deleting a file on FAT leaves its directory entry in
place with the first byte of the name replaced by 0xE5, so the name and the start of its
cluster chain are still there to read. From here follow the instructions at the bottom of the
screen to copy out any of the files in your volume. Testdisk only reads from the image
and writes the copies to a destination you choose, so the image itself is never modified.
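What testdisk just did, as an added example that is not code from the original article or from the TestDisk project: it parses sector 0 the way the MBR section above describes it (boot code, four 16-byte partition entries at offset 446, 0x55AA at offset 510), and when the signature is gone it falls back to scanning every sector for a FAT32 volume boot record, which is the kind of search Analyse and Quick Search perform. The image is constructed in memory, and its layout (one FAT32 partition of 4096 sectors starting at LBA 2048) is an assumption, not the author's flash drive.

```python
"""Added example, not code from the original article: MBR parsing plus a sector scan
for FAT32 boot records when the MBR is gone. The image is constructed; its layout
(one FAT32 partition at LBA 2048) is an assumption."""
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"
MBR_TABLE_OFFSET = 446


def parse_mbr(sector0: bytes):
    """Return the non-empty partition entries, or None if sector 0 is not a valid MBR."""
    if len(sector0) < SECTOR or sector0[510:512] != BOOT_SIG:
        return None
    entries = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + 16 * i
        flag, ptype = sector0[off], sector0[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector0, off + 8)
        if ptype != 0:  # partition type 0x00 marks an unused slot
            entries.append({"bootable": flag == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def looks_like_fat32_vbr(sec: bytes) -> bool:
    """Cheap consistency checks on a candidate FAT32 volume boot record."""
    if len(sec) < SECTOR or sec[510:512] != BOOT_SIG:
        return False
    if sec[0] not in (0xEB, 0xE9):          # x86 jump over the BIOS parameter block
        return False
    bytes_per_sector, = struct.unpack_from("<H", sec, 11)
    sectors_per_cluster = sec[13]
    if bytes_per_sector != SECTOR or sectors_per_cluster not in (1, 2, 4, 8, 16, 32, 64, 128):
        return False
    return sec[82:90] == b"FAT32   "        # BS_FilSysType of the FAT32 BPB


def find_fat32_volumes(image: bytes):
    """Scan the image sector by sector; return (lba, total_sectors) for every FAT32 VBR."""
    hits = []
    for lba in range(len(image) // SECTOR):
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        if looks_like_fat32_vbr(sec):
            total_sectors, = struct.unpack_from("<I", sec, 32)   # BPB_TotSec32
            hits.append((lba, total_sectors))
    return hits


def recover_partitions(image: bytes):
    """Trust the MBR when it is valid; otherwise locate volumes by their boot records."""
    entries = parse_mbr(image[:SECTOR])
    if entries is not None:
        return "mbr", [(e["lba_start"], e["sectors"]) for e in entries]
    return "scan", find_fat32_volumes(image)


# --- constructed sample image (assumption: one FAT32 partition, LBA 2048, 4096 sectors) ---
def build_fat32_vbr(total_sectors: int) -> bytes:
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xeb\x58\x90"                              # jump + NOP
    vbr[3:11] = b"MSWIN4.1"                                 # OEM name
    struct.pack_into("<HBHB", vbr, 11, SECTOR, 8, 32, 2)    # bytes/sector, sectors/cluster, reserved, FATs
    struct.pack_into("<I", vbr, 32, total_sectors)
    vbr[82:90] = b"FAT32   "
    vbr[510:512] = BOOT_SIG
    return bytes(vbr)


def build_test_image(part_start: int = 2048, part_sectors: int = 4096) -> bytes:
    img = bytearray((part_start + part_sectors) * SECTOR)
    off = MBR_TABLE_OFFSET
    img[off] = 0x00                                         # not bootable
    img[off + 4] = 0x0C                                     # type 0x0C: FAT32 (LBA)
    struct.pack_into("<II", img, off + 8, part_start, part_sectors)
    img[510:512] = BOOT_SIG
    img[part_start * SECTOR:(part_start + 1) * SECTOR] = build_fat32_vbr(part_sectors)
    return bytes(img)


def wipe_mbr(image: bytes) -> bytes:
    """What the hexedit step in the article does: zero the whole of sector 0."""
    return bytes(SECTOR) + image[SECTOR:]


if __name__ == "__main__":
    intact = build_test_image()
    print("intact  :", recover_partitions(intact))
    print("damaged :", recover_partitions(wipe_mbr(intact)))
```

Run against a real image the scan will usually report two hits per FAT32 volume, six sectors apart, because FAT32 keeps a backup copy of the boot record at volume sector 6; the pair is useful corroboration that the first hit is a real volume start and not a stray copy of a boot sector inside a file.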
Conclusion:
Testdisk was able to see the partition even without the existence of a valid
partition table to point to the correct beginning of the volume. This is a powerful tool
that can help you in your investigation like it did for me.
If this procedure worked for your case, and you are able to use it in the course of
your investigation, we would like to hear from you. Please post your comments or email
the author of this article at [email protected]