partitioning, anti-virus and other tools), while the latter are best suited for
navigating a system and minimizing damages.
The Rescue OSs were popular in the past, but are now deprecated: from the
famous Hiren's Boot CD [134] to Ultimate Boot CD [135] and FalconFour's
Ultimate Boot CD [136], they have all been abandoned to date. The only one that
still seems to be under active development is SystemRescueCd [137].
Conversely, the Forensics OS "market" is still flourishing: besides the fact
that many pentest distros include dedicated toolsets, entire operating systems
exclusively designed for this practice are also available. You can use
purpose-specific distros (we will list them shortly) or create your own. Most
importantly, however, the OS must never write to the target disk.
Although you can mitigate that risk with a Write Blocker [138] (a device
sitting between the computer and the hard disk that blocks any write to it),
you should prefer a distro with a RAM boot option. In RAM mode, usually listed
as a boot loader entry, the whole operating system is loaded into memory and
the disks attached to the machine are not auto-mounted, so nothing is written
to them unless you explicitly mount one, which you should only ever do
read-only. Consider this practice mandatory, since a Write Blocker may cost
more than $500, and not everyone is likely to invest that amount. Whatever you
use, verify the result rather than trust it: hashing the disk before and after
the analysis is the simplest proof that nothing was altered. In the IT
security field, CAINE [139] is the most popular choice: a 100% Italian,
Ubuntu-based distro, also used by law enforcement, since it is designed to
produce results that can be used in court. Development is managed by Nanni
Bassetti, the project founder, who keeps updating the distro together with
the online community.
Tip: For the reasons above, we will use a GNU/Linux distro designed for
Computer Forensics. Windows users, however, can use another good and
effective tool: Recuva (www.piriform.com/recuva), produced by Piriform (the
same authors of CCleaner) and available online for free. The difference
between a standalone program and a GNU/Linux distro lies in the approach you
are looking for: with Recuva we speak of Live Forensics (the analysis runs on
the running system) rather than Post Mortem Forensics (the system is powered
off and examined from a boot medium). Keep in mind that a program running on
the live system writes to the very disk you are examining, which is exactly
what the Live distro avoids.
8.1.2 Caine OS
CAINE OS is a GNU/Linux distro designed to work in Live mode, booted from a
USB drive or a DVD. In this guide we will make limited use of it, since our
only purpose is to verify the presence of files and partitions we expect to
have been removed. CAINE does integrate professional verification and
reporting tools meant to provide irrefutable evidence for court, something
quite unnecessary in the scope of our course. On the next pages we will use
CAINE to test some of the software in the distro; if you prefer, you can
install the same tools directly on Debian (on your personal distro) and do
the testing from there. You'll lose the joy of discovery, but it is a good
alternative anyway. CAINE also follows a read-only mounting policy: devices
are not auto-mounted, so you have to explicitly choose the partition to mount
BEFORE you can use it, and it is mounted read-only, so the areas you are going
to recover are not altered.
8.1.2.1 TestDisk or PhotoRec, which one?
TestDisk is a tool designed to recover entire partitions that have been
deleted from a hard disk. Besides this outstanding feature, it can also repair
corrupted boot sectors on FAT and NTFS file systems and repair the Master File
Table on NTFS partitions (using its mirror copy). The tool has no GUI, being
command-line only, but it is quite easy to use, so that shouldn't be a
problem. Our purpose, however, is to verify whether the files on the hard disk
were really deleted; we don't need to recover corrupted partitions. We only
want to ensure that, once a file is deleted, no visible traces are left
behind. PhotoRec is TestDisk's companion tool, and it recovers files
(documents, videos, images and more) from internal or external storage
devices. PhotoRec's special feature is that it works independently of the file
system: it scans the raw device for known file signatures (headers and
footers), so it can also recover files whose directory entries are gone. It
opens the device read-only and never writes to the storage under test,
ensuring its integrity and avoiding any dreadful sector rewrite on the
partition. The source drive must always stay read-only: if you write even a
single piece of data into it, you may irreversibly compromise the data
recovery; for the same reason, the recovered files must be saved to a
different drive. PhotoRec is available for any operating system, including
DOS/Win9x, Windows (32/64-bit), Linux (32/64-bit), OS X/macOS (Intel/PowerPC)
and *BSD; it is distributed together with TestDisk, for free, from the
official site [140]. Furthermore, you can use it over a vast array of file
systems: exFAT/FATx, NTFS, ext2/ext3/ext4, HFS+; I would add Btrfs which,
although not officially supported, seems to work quite well. You can use it
over any standard external media, as long as the operating system recognises
them and can access their content. The tool can read (almost) any format,
from the classic JPEG/PNG/ZIP/PDF to the rarer LZO/XAR/PPM/RA and up to
proprietary ones like PSD/MHBD/MAX/GI and so on [141].
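The signature-carving approach just described, and the Free/Whole scan choice you will meet in the PhotoRec screens below, can be illustrated on a constructed disk image. The following Python script is an added example written for this page, not PhotoRec's own code: it builds a small image with a hypothetical allocation table (one live JPEG, one PNG that was merely unlinked, one JPEG that was zeroed before deletion), carves it by header/footer signature while holding it open read-only, and hashes the image before and after the scan to prove that the scan changed nothing. The sector size, the JPEG/PNG signatures and the allocation table are assumptions made for the demonstration.

```python
"""Minimal PhotoRec-style signature carver over a constructed disk image.
Added example for this page; it is NOT PhotoRec's own code."""
import hashlib
import os
import tempfile

SECTOR = 512  # sector size assumed for the constructed image

# Header/footer signatures: a tiny subset of what PhotoRec knows.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def build_image(path):
    """Write a constructed 64-sector image and return its hypothetical
    allocation table (sector ranges still owned by live files).

    Sector 4:  a live JPEG, still allocated.
    Sector 20: a PNG whose directory entry was removed but whose bytes
               were never overwritten (the classic 'deleted' file).
    Sector 40: a JPEG that was wiped with zeros before being deleted.
    """
    img = bytearray(64 * SECTOR)
    live_jpg = b"\xff\xd8\xff\xe0" + b"live-photo" * 20 + b"\xff\xd9"
    unlinked_png = (b"\x89PNG\r\n\x1a\n" + b"unlinked-but-present" * 10
                    + b"IEND\xaeB`\x82")
    img[4 * SECTOR:4 * SECTOR + len(live_jpg)] = live_jpg
    img[20 * SECTOR:20 * SECTOR + len(unlinked_png)] = unlinked_png
    # sectors 40..43 were zeroed on purpose; nothing is left to put there.
    with open(path, "wb") as f:
        f.write(img)
    return [(4, 5)]  # [start, end) sector ranges: only the live JPEG


def carve(path, allocated, mode="free", max_size=64 * 1024):
    """Scan the image read-only and return sorted (offset, ext, data) hits.

    mode="free"  -> like PhotoRec's Free: skip sectors the allocation
                    table says are in use, look only at unallocated space.
    mode="whole" -> like PhotoRec's Whole: scan every byte.
    """
    with open(path, "rb") as f:  # read-only: the evidence is never opened for writing
        data = f.read()
    skip = set()
    if mode == "free":
        for start, end in allocated:
            skip.update(range(start * SECTOR, end * SECTOR))
    hits = []
    for ext, (head, tail) in SIGNATURES.items():
        pos = data.find(head)
        while pos != -1:
            if pos not in skip:
                foot = data.find(tail, pos + len(head), pos + max_size)
                if foot != -1:  # a header with no footer within max_size is ignored
                    hits.append((pos, ext, bytes(data[pos:foot + len(tail)])))
            pos = data.find(head, pos + 1)
    return sorted(hits)


def sha256_file(path):
    """Hash the evidence so a before/after comparison proves the scan did
    not alter a single byte (the guarantee a write blocker gives you)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def run_check(mode="free"):
    """Build the image, hash it, carve it, hash it again.
    Returns ([(sector, ext, size), ...], image_unchanged)."""
    path = os.path.join(tempfile.mkdtemp(), "evidence.img")
    allocated = build_image(path)
    before = sha256_file(path)
    hits = carve(path, allocated, mode)
    after = sha256_file(path)
    summary = [(off // SECTOR, ext, len(blob)) for off, ext, blob in hits]
    return summary, before == after


if __name__ == "__main__":
    for mode in ("free", "whole"):
        found, intact = run_check(mode)
        print(mode, "scan ->", found, "| image unchanged:", intact)
    # free scan -> [(20, 'png', 216)] | image unchanged: True
    # whole scan -> [(4, 'jpg', 206), (20, 'png', 216)] | image unchanged: True
```

The PNG turning up in the Free scan is exactly the "trace left behind" the text is talking about: unlinking removed the name, not the bytes, and no file system knowledge was needed to get it back. The zeroed JPEG at sector 40 yields nothing, which is the result you want to see after a secure wipe. On a real system the same check runs against the block device (for instance /dev/sdb) instead of a file, and the recovered files go to a different drive than the one being scanned.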
8.1.2.2 PhotoRec Mini Use Guide
PhotoRec comes in two flavours: GUI (QPhotoRec) and CLI. Obviously the GUI
version is easier, since everything is managed from the graphical interface.
If it is not pre-installed on your distro, note that on Debian-based systems
QPhotoRec is shipped inside the testdisk package, together with PhotoRec and
TestDisk themselves, so proceed from the terminal with:
$ sudo apt-get install testdisk
Allow the installation to complete, then look for the program among the
installed tools; if you can't find it, open the terminal again and type:
$ sudo qphotorec
The program will appear as in Figure 36.
Figure 36: initial screen of QPhotoRec, GUI version
If you can't see the target partition, select the disk containing it first.
Then select the partition, the file system type, the Free/Whole scan (Free,
i.e. unallocated space only, will do in our case) and, with the "Browse"
button, the path where the recovered files will be saved, which must be on a
different drive from the one you are scanning. Then you just have to wait for
the scan to finish! If you prefer the good old terminal, first of all make
sure the latest version is installed (photorec is part of the same testdisk
package):
$ sudo apt-get install testdisk
Once the program is available on the system, launch it with the command:
$ sudo photorec
As we have already seen, we invoke sudo again, since PhotoRec needs root
privileges to read the raw block devices. You will now see a screen listing
all the disks discovered in the system (Figure 37).
Figure 37: initial screen of PhotoRec, text version
Choose one using the Up/Down keys and confirm with Enter; in case of errors,
press the Q key to go back (or quit).
Figure 38: choosing a partition or the entire disk
Now choose the target partition (Figure 38). Selecting Whole Disk, the whole
disk will be scanned. Then choose the type of file system in use (Figure 39).
Figure 39: choosing the type of file system in use
If you selected a partition, you will be asked whether to search the whole
partition or only its unallocated space (Figure 40).
Figure 40: choosing the type of scan to perform
Now you are ready to select the folder where the recovered files will be
saved (Figure 41). The keys used above also apply here (in particular, Enter
to enter a folder and Q to go back), with the addition of the C key to confirm
the current folder (and its sub-folders) as the destination; if you entered
the wrong folder, go back by selecting the ".." entry at the top of the list.
As with the GUI, pick a folder on a drive other than the one being scanned.
Figure 41: choosing the path where the recovery results will be stored
If everything went as planned, the software will start digging into the desired