Data Recovery with FreeBSD (part 2)

Tags: freebsd, security

Published on

Let’s continue the analysis of the CF card. I installed the Sleuth Kit to gather more information from the image. The first step was to look for things like passwords and/or login data. dls (a Sleuth Kit utility that extracts the unallocated blocks of a file system; it was renamed blkls in Sleuth Kit 3) is just the right tool for this job. The -o 32 is the sector offset of the FAT partition inside the image, and strings -t d records the decimal byte offset of every string it prints:

dls -o 32 -f fat CF.img > CF.dls.img
strings -t d CF.dls.img > CF.str

Now I could grep the unallocated space of the image. Note that the offsets in CF.str refer to CF.dls.img, not to the original image; to find the block a hit came from, divide the offset by the file system’s block size (fsstat reports it) and run that unit through dcalc -u. Unfortunately, this did not yield any interesting results except the things I already knew. Using sigfind it is possible to manually look for file signatures (as well as file system signatures), but I recommend a file carver for that job. Of course I tried it nevertheless and was actually able to recover some JPEGs, but, alas, nothing new was to be discovered.

This is when I decided to use Foremost, another file carving utility:

foremost -t all CF.img -o output/

Foremost didn’t give me any false positives. It found even more files than Scalpel, but that is because I left Scalpel’s configuration file untouched (every signature in scalpel.conf is commented out by default, so Scalpel only carves the types you explicitly enable). The results:

  • 13 Excel spreadsheets, including financial data.
  • 8 PDFs, including application letters.
  • 18 PNGs. Screenshots of their products (apparently for demo purposes).
  • 24 Word documents, including letters to customers.
  • 9 JPGs. Corporate design stuff.
  • 2 PowerPoint slideshows, dealing with internal stuff such as “How can we become better?”
  • Some executables for PocketPC devices. Apparently games.
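What sigfind and Foremost do under the hood, as an added example that is not part of the original post and not the Sleuth Kit’s or Foremost’s own code: a `strings -t d`-style keyword search (the grep step above) and a header/footer file carver (the sigfind/Foremost step), both run over a constructed stand-in for the unallocated blocks of the card. The signature table, the size caps, the sector alignment and every byte of the sample image are my assumptions for illustration, not data from the CF card.

```python
"""Toy unallocated-space analysis: strings-with-offsets plus header/footer carving."""
import re
import struct
import zlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SECTOR = 512  # FAT allocates in clusters, which are multiples of the 512-byte sector

# (name, header, footer or None, size cap used when no footer is found). Assumed table;
# Foremost and Scalpel ship far larger ones.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 4 * 1024 * 1024),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 4 * 1024 * 1024),
    ("pdf", b"%PDF-", b"%%EOF", 8 * 1024 * 1024),
    # OLE2 compound document (Word/Excel/PowerPoint 97-2003, Pocket Office files):
    # there is no footer, so the carver falls back to a size cap.
    ("ole", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None, 64 * 1024),
]


def strings_with_offsets(image: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Equivalent of `strings -t d`: (decimal offset, text) for every printable run."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, image)]


def grep_unallocated(image: bytes, keyword: str) -> List[Tuple[int, str]]:
    """The `grep` over CF.str: case-insensitive keyword search with offsets."""
    kw = keyword.lower()
    return [(off, s) for off, s in strings_with_offsets(image) if kw in s.lower()]


def find_signatures(image: bytes, signatures=SIGNATURES, align: int = SECTOR) -> List[Tuple[int, str]]:
    """sigfind-style scan: report every known header that sits on an `align` boundary.
    Files start on cluster boundaries, so aligned scanning avoids most false positives
    (e.g. the FFD8FF of an EXIF thumbnail embedded inside a JPEG)."""
    hits = []
    for off in range(0, len(image), align):
        for name, header, _footer, _cap in signatures:
            if image.startswith(header, off):
                hits.append((off, name))
    return hits


@dataclass
class Carved:
    kind: str
    start: int       # byte offset of the header in the image
    end: int         # exclusive end offset
    complete: bool   # True if the footer was found
    data: bytes


def carve(image: bytes, signatures=SIGNATURES, align: int = SECTOR) -> List[Carved]:
    """Foremost-style header/footer carving over the aligned signature hits."""
    table: Dict[str, Tuple[bytes, Optional[bytes], int]] = {
        name: (hdr, ftr, cap) for name, hdr, ftr, cap in signatures
    }
    hits = find_signatures(image, signatures, align)
    out = []
    for i, (off, name) in enumerate(hits):
        header, footer, cap = table[name]
        next_hit = hits[i + 1][0] if i + 1 < len(hits) else len(image)
        limit = min(len(image), off + cap)
        pos = image.find(footer, off + len(header), limit) if footer else -1
        if pos != -1:
            end, complete = pos + len(footer), True
        else:
            # Footerless type, or a truncated/overwritten file: keep the fragment up to
            # the next carved header or the size cap, whichever comes first (heuristic).
            end, complete = min(limit, next_hit), False
        out.append(Carved(name, off, end, complete, image[off:end]))
    return out


# ---- constructed sample "unallocated space" (not real card contents) ----

def _png_chunk(kind: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(kind + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + kind + payload + struct.pack(">I", crc)


def make_png_1x1() -> bytes:
    """A valid 1x1 red PNG, so the carved PNG can be checked byte for byte."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    raw = b"\x00" + b"\xff\x00\x00"                         # filter byte + one pixel
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b""))


def _pad(blob: bytes, align: int = SECTOR) -> bytes:
    return blob + b"\x00" * (-len(blob) % align)


def build_sample_image() -> bytes:
    """Constructed stand-in for CF.dls.img: one file per cluster, zero-filled slack."""
    leftover_text = b"login=sample.user password=SAMPLE-ONLY\r\n"            # constructed
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x01" * 300 + b"\xff\xd9"  # minimal JFIF shape
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF\n"
    ole = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 1000              # Pocket Excel stand-in
    truncated_jpg = b"\xff\xd8\xff\xe1\x00\x20Exif\x00\x00" + b"\x02" * 200  # footer overwritten
    return (b"\x00" * SECTOR + _pad(leftover_text) + _pad(jpg) + _pad(make_png_1x1())
            + _pad(pdf) + _pad(ole) + _pad(truncated_jpg))


if __name__ == "__main__":
    img = build_sample_image()
    print(grep_unallocated(img, "password"))
    for c in carve(img):
        print(c.kind, c.start, c.end, "complete" if c.complete else "FRAGMENT")
```

Two things the toy makes visible that the Foremost output above hides: a file whose footer was overwritten (the second JPEG) still comes out as a fragment rather than disappearing, and footerless formats such as the OLE2 spreadsheets are carved to a cap, which is why carvers can produce oversized or even unopenable Office files.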

I found some Excel tables in the unallocated disk space. They seem to be Pocket Excel files and contain the grades of several persons. Apparently one of the CF card’s users was a schoolteacher. However, since I am not able to open these files, I can’t be sure. I had actually wanted to try out Autopsy and Lazarus as well. But Autopsy is just a front-end for the Sleuth Kit, so I didn’t need it, and Lazarus, which comes with The Coroner’s Toolkit (TCT), offers carving functionality that Foremost already covered for me. Still, both might be worth a look.

To sum it all up: it was very creepy. If you are one of the humans on this planet who doesn’t encrypt sensitive information… well… you should do it from now on.