Try   HackMD

Data Carving

In this short demo you will:

  • How to recover deleted files with foremost on Linux
  • Requirements: foremost

The foremost utility tries to recover and reconstruct files on the base of their headers, footers and data structures, without relying on filesystem metadata. This forensic technique is known as file carving. The program supports various types of files, such as jpg, gif, pdf, mov, etc.

Foremost usage

~$ sudo foremost -i /dev/sdb1

By default, the program creates a directory called output inside the directory we launched it from and uses it as destination. Inside this directory, a subdirectory for each supported file type we are attempting to retrieve is created.

When foremost completes its job, empty directories are removed. Only the ones containing files are left on the filesystem: this let us immediately know what type of files were successfully retrieved. By default the program tries to retrieve all the supported file types.

To restrict our search, we can, however, use the -t option and provide a list of the file types we want to retrieve, separated by a comma. In the example below, we restrict the search only to gif and pdf files:

~$ sudo foremost -t gif,pdf -i /dev/sdb1

As we already said, if a destination is not explicitly declared, foremost creates an output directory inside our cwd. What if we want to specify an alternative path? All we have to do is to use the -o option and provide said path as argument.

Adding the support for a file type

By reading the examples provided in the configuration file, we can easily add support for a new file type. In this example we will add support for flac audio files. Flac (Free Lossless Audio Coded) is a non-proprietary lossless audio format which is able to provide compressed audio without quality loss. First of all, we know that the header of this file type in hexadecimal form is 66 4C 61 43 00 00 00 22 (fLaC in ASCII), and we can verify it by using a program like hexdump on a flac file:

$ hexdump -C
blind_guardian_war_of_wrath.flac|head
00000000  66 4c 61 43 00 00 00 22  12 00 12 00 00 00 0e 00  |fLaC..."........|
00000010  36 f2 0a c4 42 f0 00 4d  04 60 6d 0b 64 36 d7 bd  |6...B..M.`m.d6..|
00000020  3e 4c 0d 8b c1 46 b6 fe  cd 42 04 00 03 db 20 00  |>L...F...B.... .|
00000030  00 00 72 65 66 65 72 65  6e 63 65 20 6c 69 62 46  |..reference libF|
00000040  4c 41 43 20 31 2e 33 2e  31 20 32 30 31 34 31 31  |LAC 1.3.1 201411|
00000050  32 35 21 00 00 00 12 00  00 00 54 49 54 4c 45 3d  |25!.......TITLE=|
00000060  57 61 72 20 6f 66 20 57  72 61 74 68 11 00 00 00  |War of Wrath....|
00000070  52 45 4c 45 41 53 45 43  4f 55 4e 54 52 59 3d 44  |RELEASECOUNTRY=D|
00000080  45 0c 00 00 00 54 4f 54  41 4c 44 49 53 43 53 3d  |E....TOTALDISCS=|
00000090  32 0c 00 00 00 4c 41 42  45 4c 3d 56 69 72 67 69  |2....LABEL=Virgi|

As you can see the file signature is indeed what we expected. Here we will assume a maximum file size of 30 MB, or 30000000 Bytes. Let's add the entry to the file:

flac    y       30000000    \x66\x4c\x61\x43\x00\x00\x00\x22

The footer signature is optional so here we didn't provide it. The program should now be able to recover deleted flac files. Let's verify it. To test that everything works as expected I previously placed, and then removed, a flac file from the /dev/sdb1 partition, and then proceeded to run the command:

~$ sudo foremost -i /dev/sdb1 -o $HOME/Documents/output

As expected, the program was able to retrieve the deleted flac file (it was the only file on the device, on purpose), although it renamed it with a random string. The original filename cannot be retrieved because, as we know, files metadata is contained in the filesystem, and not in the file itself:

/home/egdoc/Documents
└── output
    ├── audit.txt
    └── flac
        └── 00020482.flac

Source: https://linuxconfig.org/how-to-recover-deleted-files-with-foremost-on-linux

Last changed by 
Ramon Fontes
0
448

Read more

IoT Lab 2: MQTT with Python

This lab aims to offer you an hands-on experience with MQTT. You will perform experiments that will allow you to learn how to “publish” data and “subscribe” to get data. Section 1: Basic MQTT regarding the clients: In this section you will work with MQTT using the MQTT Paho library for Python. The documentation of the MQTT Paho API is here. You have to first install it using: $ sudo python -m pip install paho-mqtt

May 24, 2023
An hands-on introduction to MQTT

This lab aims to offer you an hands-on experience with MQTT. You will perform experiments that will allow you to learn how to "publish" and "subscribe" to data. To this end you will use: your own broker a "sandbox" external broker You will learn how to: install and configure an MQTT broker interchange data using MQTT clients based use MQTT to feed data to your own mobile

May 22, 2023
ARP Spoofing + Downgrade de Protocolo

:::info In this short demo you will: Learn on How to perform ARP Spoofing attack and how to perform protocol downgrade Requirements: Mininet-WiFi - https://github.com/intrig-unicamp/mininet-wifi dsniff arpon

Mar 26, 2021
Act 4 - Internet of Things (IoT)

In this activity we will see some examples of how to simulate a 6loWPAN network for the Internet of Things. 6LoWPAN (IPv6 over Low power Wireless Personal Area Networks) is an IP protocol that creates and maintains the specifications that allow us to use the IPv6 protocol on the IEEE 802.15.4 standard. It has been widely used in the implementation of sensor networks with energy limitations, low signal range, low transmission rates and low cost. The integration of sensor networks with the Internet is seen as essential for the Internet of Things (IoT), allowing the use of distributed sensor applications. First of all, you will need to install mosquitto, mosquitto-clients and paho-mqtt packages as well as Dojot (http://www.dojot.com.br/). :::warning Follow the detailed install instructions available here: https://docs.google.com/document/d/1tbeC0T-zd7yNnSS16IYYdp4UXXk-ePKg1OZm6_XaDAQ/edit?usp=sharing ::: Activity 1 - MQTT basics with Mosquitto :::info

Mar 23, 2021
Read more from Ramon Fontes
Published on HackMD