Data Recovery for the Absolute Beginner

1
Data Recovery for the Absolute Beginner

• Mike Greenwood
• May 2005

2
Necessity is the mother of invention

• Go to London
• Take holiday photos on digital camera
• Come back home
• Accidentally delete one (or more) photos from
  camera
• Learn Data recovery from scratch

3
Where to Start

• Dont touch anything!
• Generate an image of the whole flash media
• Investigate existing tools
• See what you can make of it for yourself

4
Capturing an image
Plug in Camera to USB port and have a look at
/var/log/messages Apr 16 181205 box SCSI
device sdb 30720 512-byte hdwr sectors (16
MB) Apr 16 181205 box sdb assuming Write
Enabled Apr 16 181205 box sdb assuming drive
cache write through Apr 16 181205 box SCSI
device sdb 30720 512-byte hdwr sectors (16
MB) Apr 16 181205 box sdb assuming Write
Enabled Apr 16 181205 box sdb assuming drive
cache write through Apr 16 181205 box sdb
sdb1 Apr 16 181205 box Attached scsi removable
disk sdb at scsi4, channel 0, id 0, lun 0 Copy
the whole disk to an image file box dd
if/dev/sdb ofcamera.img
5
Inspecting the Image File
Use xxd. Very useful command box xxd camera.img
gt camera.xxd box more camera.xxd 0000000 fabe
007c bf00 7ab9 0001 fc0e 1f0e 07f3
.....z......... 0000010 a5ea 167a 0000 bbbe
7b33 c980 3f80 7506 ...z....3..?.u. 0000020
fec5 8bf3 eb07 803f 0075 02fe c183 c310
.......?.u...... 0000030 81fb fe7b 72e5 83f9
0474 0b81 f903 0174 ...r....t.....t 0000040
0abb a67a eb2c bb87 7aeb 278b 4c02 8b14
...z.,..z.'.L... 0000050 b801 02bb 007c cd13
7305 bbbe 7aeb 132e .......s...z... 0000060
a1fe 7d3d 55aa 7405 bbbe 7aeb 05ea 007c
..U.t...z.... 0000070 0000 2e8a 073c 0074
0c53 bb07 00b4 0ecd .....lt.t.S...... 0000080
105b 43eb edeb fe4e 6f20 626f 6f74 6162
.C....No bootab 0000090 6c65 2070 6172 7469
7469 6f6e 2069 6e20 le partition in 00000a0
7461 626c 6500 496e 7661 6c69 6420 5061
table.Invalid Pa 00000b0 7274 6974 696f 6e20
7461 626c 6500 496e rtition table.In 00000c0
7661 6c69 6420 6f72 2064 616d 6167 6564 valid or
damaged 00000d0 2042 6f6f 7461 626c 6520 7061
7274 6974 Bootable partit 00000e0 696f 6e00
5379 7374 656d 536f 6674 2042 ion.SystemSoft
B 00000f0 6f6f 7420 5061 7274 6974 696f 6e20
5365 oot Partition Se 0000100 6374 6f72 0000
0000 0000 0000 0000 0000 ctor............ 0000110
0000 0000 0000 0000 0000 0000 0000 0000
................
6
Learn about JPEGs
Mount disk and copy off existing files for
reference box mount /dev/sdb1 /mnt/tmp box cd
/mnt/tmp box cp .jpg /home/mbg/pics box umount
/dev/sdb1 Have a look at what a typical .jpg
looks like box xxd 1.jpg gt 1.xxd box more
1.xxd 000d200 ffd8 ffe1 5207 4578 6966 0000 4949
2a00 ....R.Exif..II. 000d210 0800 0000 0a00
0e01 0200 0900 0000 8600 ................ 000d220
0000 0f01 0200 0900 0000 8f00 0000 1001
................ 000d230 0200 0900 0000 9800
0000 1201 0300 0100 ................ 000d240
0000 0100 0000 1a01 0500 0100 0000 a100
................ 000d250 0000 1b01 0500 0100
0000 a900 0000 2801 ..............(. 000d260
0300 0100 0000 0200 0000 3201 0200 1400
..........2..... 000d270 0000 b100 0000 1302
0300 0100 0000 0200 ................ 000d280
0000 6987 0400 0100 0000 c500 0000 4902
..i...........I. 000d290 0000 334d 6567 6143
616d 0033 4d65 6761 ..3MegaCam.3Mega 000d2a0
4361 6d00 334d 6567 6143 616d 0048 0000
Cam.3MegaCam.H.. 000d2b0 0001 0000 0048 0000
0001 0000 0032 3030 .....H.......200 000d2c0
312f 3132 2f31 3320 3231 3a34 393a 3434 1/12/13
214944 000d2d0 0016 009a 8205 0001 0000 00d3
0100 009d ................ 000d2e0 8205 0001
0000 00db 0100 0022 8803 0001 ...........".... 00
0d2f0 0000 0002 0000 0027 8803 0001 0000 0064
.......'.......d 000d300 0000 0000 9007 0004
0000 0030 3231 3003 ...........0210. 000d310
9002 0014 0000 00e3 0100 0004 9002 0014
................
7
The Search for ffd8
Now go back to disk image and search for
"ffd8 Find the following offsets 000d200 00d120
0 019c200 0245200 02f2200 03b7200 0476200 ..
. Now we have the offsets within the disk image,
we can manually chop parts from the file. The -s
switch means skip box xxd -s 0x19c200
camera.img 3.xxd box vi 3.xxd Search for next
occurrence of "ffd8" and cut and paste into .tmp
file
8
Restoring Data
Reverse the hex encoding to get a binary file
back box xxd -r 3.tmp gt 3.dat Not quite
finished. The offsets within the .tmp file are
taken into account Need to strip the leading
0s The -ps option dumps "raw" hex with no offset
info box xxd -ps -s 0x6f9200 3.dat gt 3.tmp box
more 3.tmp ffd8ffe117ab45786966000049492a000800000
00a000e01020009000000 860000000f010200090000008f00
00001001020009000000980000001201 03000100000001000
0001a01050001000000a10000001b01050001000000 ...
9
Finishing Off
Now reverse the encoding again to get a binary
file box xxd -ps -r 3.tmp gt 3.jpg Check all is
well box file 3.jpg 11.jpg JPEG image data,
EXIF standard 2.1, comment "3 Mega Cam"
10
Summary

• Introduced the xxd command
• Little to no knowledge required
• Some luck required
• No file fragmentation
• JPEG format is forgiving of extra data
• More time gives more elegant results