File/Data Carving & Recovery Tools

Carving & Recovery tools

More tools in https://github.com/Claudio-C/awesome-datarecovery

Autopsy

Chombo kinachotumika sana katika uchunguzi kutoa faili kutoka kwa picha ni Autopsy. Pakua, sakinisha na fanya iweze kuchukua faili ili kupata faili "zilizofichwa". Kumbuka kwamba Autopsy imejengwa kusaidia picha za diski na aina nyingine za picha, lakini si faili rahisi.

Binwalk

Binwalk ni chombo cha kuchambua faili za binary ili kupata maudhui yaliyofichwa. Inaweza kusakinishwa kupitia apt na chanzo chake kiko kwenye GitHub.

Amri muhimu:

sudo apt install binwalk #Insllation
binwalk file #Displays the embedded data in the given file
binwalk -e file #Displays and extracts some files from the given file
binwalk --dd ".*" file #Displays and extracts all files from the given file

Foremost

Chombo kingine cha kawaida cha kutafuta faili zilizofichwa ni foremost. Unaweza kupata faili ya usanidi ya foremost katika /etc/foremost.conf. Ikiwa unataka tu kutafuta faili fulani, ondoa alama ya maoni. Ikiwa huondoi alama ya maoni, foremost itatafuta aina zake za faili zilizowekwa kama chaguo-msingi.

sudo apt-get install foremost
foremost -v -i file.img -o output
#Discovered files will appear inside the folder "output"

Scalpel

Scalpel ni chombo kingine ambacho kinaweza kutumika kutafuta na kutoa faili zilizojumuishwa ndani ya faili. Katika kesi hii, utahitaji kuondoa maoni kutoka kwa faili ya usanidi (/etc/scalpel/scalpel.conf) aina za faili unazotaka ikatoe.

sudo apt-get install scalpel
scalpel file.img -o output

Bulk Extractor

Chombo hiki kinapatikana ndani ya kali lakini unaweza kukipata hapa: https://github.com/simsong/bulk_extractor

Chombo hiki kinaweza kuskan picha na kutoa pcaps ndani yake, taarifa za mtandao (URLs, domains, IPs, MACs, mails) na zaidi faili. Unachohitaji kufanya ni:

bulk_extractor memory.img -o out_folder

Navigate through maelezo yote that the tool has gathered (passwords?), chambua the paket (read Pcaps analysis), search for domeni za ajabu (domains related to malware or zisizokuwepo).

PhotoRec

You can find it in https://www.cgsecurity.org/wiki/TestDisk_Download

It comes with GUI and CLI versions. You can select the aina za faili you want PhotoRec to search for.

binvis

Check the code and the web page tool.

Features of BinVis

• Visual and active muonekano wa muundo

• Multiple plots for different focus points

• Focusing on portions of a sample

• Kuona stings na rasilimali, in PE or ELF executables e. g.

• Getting mifumo for cryptanalysis on files

• Kugundua packer or encoder algorithms

• Tambua Steganography by patterns

• Visual binary-diffing

BinVis is a great nukta ya kuanzia kujifunza kuhusu lengo lisilojulikana in a black-boxing scenario.

Specific Data Carving Tools

FindAES

Searches for AES keys by searching for their key schedules. Able to find 128. 192, and 256 bit keys, such as those used by TrueCrypt and BitLocker.

Download hapa.

Complementary tools

You can use viu to see images from the terminal. You can use the linux command line tool pdftotext to transform a pdf into text and read it.