File/Data Carving & Recovery Tools

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Carving & Recovery tools

More tools in https://github.com/Claudio-C/awesome-datarecovery

Autopsy

Chombo kinachotumika sana katika uchunguzi kutoa faili kutoka kwa picha ni Autopsy. Pakua, sakinisha na fanya iweze kuchukua faili ili kupata faili "zilizofichwa". Kumbuka kwamba Autopsy imejengwa kusaidia picha za diski na aina nyingine za picha, lakini si faili rahisi.

Binwalk

Binwalk ni chombo cha kuchambua faili za binary ili kupata maudhui yaliyojumuishwa. Inaweza kusakinishwa kupitia apt na chanzo chake kiko kwenye GitHub.

Amri muhimu:

sudo apt install binwalk #Insllation
binwalk file #Displays the embedded data in the given file
binwalk -e file #Displays and extracts some files from the given file
binwalk --dd ".*" file #Displays and extracts all files from the given file

Foremost

Zana nyingine ya kawaida ya kutafuta faili zilizofichwa ni foremost. Unaweza kupata faili ya usanidi ya foremost katika /etc/foremost.conf. Ikiwa unataka tu kutafuta faili fulani, ondoa alama ya maoni. Ikiwa huondoi alama ya maoni, foremost itatafuta aina zake za faili zilizowekwa kama chaguo-msingi.

sudo apt-get install foremost
foremost -v -i file.img -o output
#Discovered files will appear inside the folder "output"

Scalpel

Scalpel ni chombo kingine ambacho kinaweza kutumika kupata na kutoa faili zilizojumuishwa katika faili. Katika kesi hii, utahitaji kuondoa maoni kutoka kwa faili la usanidi (/etc/scalpel/scalpel.conf) aina za faili unazotaka ikatoe.

sudo apt-get install scalpel
scalpel file.img -o output

Bulk Extractor

Chombo hiki kinapatikana ndani ya kali lakini unaweza kukipata hapa: https://github.com/simsong/bulk_extractor

Chombo hiki kinaweza kuskan picha na kutoa pcaps ndani yake, taarifa za mtandao (URLs, domains, IPs, MACs, mails) na zaidi faili. Unahitaji tu kufanya:

bulk_extractor memory.img -o out_folder

Navigate through maelezo yote ambayo chombo kimekusanya (nywila?), chambua paket (soma Pcaps analysis), tafuta domeni za ajabu (domeni zinazohusiana na malware au zisizokuwepo).

PhotoRec

Unaweza kuipata katika https://www.cgsecurity.org/wiki/TestDisk_Download

Inakuja na toleo la GUI na CLI. Unaweza kuchagua aina za faili unazotaka PhotoRec itafute.

binvis

Angalia msimbo na ukurasa wa chombo.

Vipengele vya BinVis

Mtazamaji wa muundo wa kuona na wa kazi
Mchoro mwingi kwa maeneo tofauti ya kuzingatia
Kuangazia sehemu za sampuli
Kuona stings na rasilimali, katika PE au ELF executable mfano
Kupata mifumo ya uchambuzi wa kificho kwenye faili
Kugundua algorithimu za pakker au encoder
Tambua Steganography kwa mifumo
Kuona tofauti za binary

BinVis ni nukta ya kuanzia nzuri ili kufahamiana na lengo lisilojulikana katika hali ya black-boxing.

Zana Maalum za Data Carving

FindAES

Inatafuta funguo za AES kwa kutafuta ratiba zao za funguo. Inaweza kupata funguo za 128, 192, na 256 bit, kama zile zinazotumiwa na TrueCrypt na BitLocker.

Pakua hapa.

Zana za Kusaidia

Unaweza kutumia viu kuona picha kutoka kwenye terminal. Unaweza kutumia chombo cha mistari ya amri za linux pdftotext kubadilisha pdf kuwa maandiko na kuisoma.

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

PreviousPartitions/File Systems/Carving NextPcap Inspection

Last updated 2 months ago