Data Recovery with FreeBSD (part 1)

Tags: freebsd, security


Recently, I felt the urge to try out some data recovery tools I might need in the future. Fortunately, there was a CompactFlash card shipped with something I bought on eBay. This would be a safe starting point. I took an image of the card:

dd if=/dev/da0 of=~/tmp/card.img bs=8k

As a first test, I decided to let Scalpel take a look at the image. The only configuration it needs is in scalpel.conf, where you enter the file types / data types you are looking for. I was looking for common file types such as .DOC, .PDF etc.
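How signature-based carving of the kind scalpel.conf drives works in principle, as an added example (not code from this post and not Scalpel's implementation). The rule table, function names and the sample image are constructed for illustration.

```python
# Added example: minimal header/footer file carver (not Scalpel's code).
import re

# OLE2 compound-file magic. Legacy Word, Excel and PowerPoint files all start
# with it, so a header-only rule labelled "doc" also matches spreadsheets.
OLE2 = bytes.fromhex("d0cf11e0a1b11ae1")

# Hypothetical rule table: (extension, max carve size, header, footer or None).
RULES = [
    ("pdf", 5_000_000, b"%PDF-", b"%%EOF"),
    ("doc", 64, OLE2, None),  # no usable footer: carve max size (tiny for the demo)
]

def carve(image: bytes, rules=RULES):
    """Return sorted (offset, extension, data) for every header hit in a raw image."""
    found = []
    for ext, max_size, header, footer in rules:
        for match in re.finditer(re.escape(header), image):
            start = match.start()
            window = image[start:start + max_size]
            if footer is not None:
                end = window.find(footer, len(header))
                if end == -1:
                    continue  # header with no footer inside max_size: skip it
                window = window[:end + len(footer)]
            found.append((start, ext, window))
    return sorted(found)

def build_sample_image() -> bytes:
    """Constructed 4 KiB 'card': two deleted files left in unallocated space."""
    pdf = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"
    xls = OLE2 + b"\x00" * 16 + b"Workbook stream (constructed)"
    img = bytearray(b"\xf6" * 4096)  # arbitrary filler bytes
    img[512:512 + len(pdf)] = pdf
    img[2048:2048 + len(xls)] = xls
    return bytes(img)

if __name__ == "__main__":
    for offset, ext, data in carve(build_sample_image()):
        print(f"{offset:>6}  .{ext}  {len(data)} bytes")
```

The carver never consults the file system, which is why deleting files or reformatting a card does not stop recovery: only overwriting the data area does.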

Since the card image was only about 32 MB, Scalpel finished quite quickly and I could take a look at the booty. It was quite startling: without any sophisticated tools I was able to recover Microsoft Word documents containing job applications, Microsoft Excel spreadsheets (Scalpel detected them as Word documents, though) containing working hours and payrolls, and some internal memos. Apparently, the card had once belonged to a boss of a German enterprise. These guys are doing database applications and (quote) “complex, highly dynamical applications” - without getting into more detail.

Well, let’s say that security is not what they are very strong at. Just one side note: I won’t write the enterprise’s name down on this blog. If anyone feels compelled to know it, just contact me. I know that my discovery is not that exciting, but it frightens me when I think about companies “releasing” private information like this through obvious security leaks…

To compare my results, I ran “GetDataBack for FAT” (a program Sven recommended), which was able to recover the same data. Since this software is very easy to use, every Windows-using newbie might recover sensitive data from media such as CF cards, hard disks etc.

This is part one of my data recovery adventures. As soon as I have got time, I am going to try out the Sleuth Kit along with Lazarus or Autopsy.