Data Recovery with FreeBSD (part 2)
Tags: freebsd, security
Let’s continue the analysis of the CF card. I installed the Sleuth Kit to gather more information from the image. The first step was to look for things like passwords and/or login data.
dls (an utility from the Sleuth Kit) is just the right tool for this job:
dls -o 32 -f fat CF.img > CF.dls.img strings -t d CF.dls.img > CF.str
Now I could grep the unallocated space of the image. Unfortunately, this did
not yield any interesting results except the things I already knew. Using
sigfind it is possible to manually look for file signatures (as well as file
system signatures), but I recommend a file carver for that job. Of course I
tried it nevertheless and was actually able to recover some .JPEGs, but - alas!
- nothing new was to be discovered.
This is when I decided to use Foremost, another file carving utility:
foremost -t all CF.img -o output/
Using Foremost didn’t provide me with any false positives. It found even more files than Scalpel but this is due to the fact that I did not add anything in Scalpel’s configuration file. The results:
- 13 Excel spreadsheets, including financial data.
- 8 PDFs, including application letters.
- 18 PNGs. Screenshots of their products (apparently for demo purposes).
- 24 Word documents, including letters to customers.
- 9 JPGs. Coporate design stuff.
- 2 PowerPoint slideshows, dealing with internal stuff such as “How can we become better?”
- Some executables for PocketPC devices. Apparently games.
I found some Excel tables in the unallocated disk space. They seem to be PocketExcel files and contain the grades of several persons. Apparently one of the CF card’s users was a school-teacher. However, since I am not able to open these files, I can’t be sure. Actually I wanted to try out Autopsy and Lazarus. But Autopsy is just a front-end for the Sleuth Kit, so I didn’t need it. Lazarus comes with the Coroner’s Toolkit (TCT), but Foremost had the functionality I needed, too. However, they might be worth a look.
To sum it all up: It was very creepy. If you are one of the humans on this planet that doesn’t encrypt sensitive information…well…you should do it from now on.