The average person thinks that deleting files, or even formatting a hard drive or removable device, is enough to make data unrecoverable. This is a common misconception: deleting a file does not delete any information, only the pointer that the operating system uses to build the file and the directory structure. Deleting those pointers only changes the file's status: the file becomes invisible to the operating system, but its data is still there (on the hard drive) until it is overwritten by another file or by dedicated wiping software. With sophisticated forensic techniques it's still possible to determine which wiping tools have been used or which file name was deleted.

In this post I will show you how it's possible to recover, in a few minutes, some deleted files from a common USB key. After downloading PhotoRec (for Linux), plug in the USB key (onto which we previously copied and deleted some files, and which we even formatted), then move into the directory /testdisk-6.9/linux, where you will find the binary called photorec_static.

Type ./photorec_static and follow the instructions.

Once the process was over, I moved into the directory recup_dir.1, where I found 2 files recovered from the USB key: one is the txt file where I had written some fake usernames and passwords, and the other is Advanced Bash-Scripting Guide .pdf, exactly the ones that I had copied to and deleted from the key before starting the test. Scary?

To avoid leaking your sensitive information through data recovery, there are several programs available that overwrite entire hard disks, USB keys, or single files to make them unrecoverable with data recovery techniques.

for Linux:
dban.sourceforge.net
wipe
secure-delete
shred

for Windows:
www.fileshredder.org

for Mac:
Secure Empty Trash
Eraser Pro
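
The difference between deleting and overwriting, as an added example (not part of the original post): a constructed 1 MiB image file stands in for the USB key, its first block plays the role of the directory entry, and shred from the list above does the overwrite. The function names, the marker string and the image layout are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: a constructed image file stands in for the USB key,
# so no real device is read or written.
MARKER='user=alice pass=Constructed-Secret-01'   # constructed sample data

# Build a 1 MiB image: block 0 models the directory entry (the "pointer"),
# the file's actual content sits 512 KiB further in.
make_image() {
    dd if=/dev/zero of="$1" bs=1024 count=1024 2>/dev/null
    printf 'ENTRY creds.txt offset=524288' | dd of="$1" bs=1 conv=notrunc 2>/dev/null
    printf '%s' "$MARKER" | dd of="$1" bs=1 seek=524288 conv=notrunc 2>/dev/null
}

# Simplified model of an ordinary delete: only the pointer block is cleared.
delete_pointer_only() {
    dd if=/dev/zero of="$1" bs=512 count=1 conv=notrunc 2>/dev/null
}

# Count raw occurrences of a string in the image, ignoring any file system.
count_hits() {
    grep -a -o -F -- "$2" "$1" | wc -l | tr -d ' '
}

# Overwrite the whole image: one random pass, then a final pass of zeros.
wipe_image() {
    shred -n 1 -z "$1"
}

# Succeeds only if no trace of the marker is left in the raw bytes.
verify_wiped() {
    [ "$(count_hits "$1" "$MARKER")" -eq 0 ]
}

demo() {
    img=$(mktemp)
    make_image "$img"
    echo "after copy:   name=$(count_hits "$img" creds.txt) data=$(count_hits "$img" "$MARKER")"
    delete_pointer_only "$img"
    echo "after delete: name=$(count_hits "$img" creds.txt) data=$(count_hits "$img" "$MARKER")"
    wipe_image "$img"
    echo "after shred:  name=$(count_hits "$img" creds.txt) data=$(count_hits "$img" "$MARKER")"
    verify_wiped "$img" && echo "wipe verified"
    rm -f "$img"
}
demo
```

On flash media such as USB keys, the controller's wear leveling can keep old copies in cells that an in-place overwrite never reaches, so a clean scan of the logical device is necessary but not sufficient.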


Before selling or giving away an old computer or hard drive, or lending out your USB key, just think about how much juicy information can be recovered.

Note: you can use these commands to move the previously recovered files to a different location.


find recup_dir.* \( -name \*.bmp -o -name \*.gif -o -name \*.png -o -name \*.jpg \) | xargs -I '{}' mv {} /media/disk/recovery/img


find recup_dir.* \( -name \*.mp3 -o -name \*.avi -o -name \*.mpg -o -name \*.swf \) | xargs -I '{}' mv {} /media/disk/recovery/multimedia


find recup_dir.* \( -name \*.pdf -o -name \*.xls -o -name \*.doc -o -name \*.txt \) | xargs -I '{}' mv {} /media/disk/recovery/doc
