Sure, it's not an original idea, but a quick look on one of the local online auction sites says that for a relatively small amount, I can buy someone's memory card and potentially have access to a fair amount of his personal data.
Depending on where the card was used, I'm looking at quite a number of possibilities relating to information that I can dig up. Contact details, people he's called, photos and videos he's taken (could be some raunchy stuff on there as well :D ) and literally anything he's stored on his card. I'm betting on the fact that Mr. Average Joe will not do a DoD wipe on his SD card before deciding to sell it.
But to test this theory, I thought I'd try out one of my own memory cards. If you look at my post for "Installing CarvFS on Ubuntu 7.04", you will get an idea of in-place carving. I will adopt this technique for sniffing through my own (and eventually others) memory cards. So here goes:
I have this USB Disk which is 64Mb in size and I think it will be perfect for this demo. I first mount it and take a look at the contents:
sheran@azazel:~/Personal/research$ sudo mount /dev/sdb1 /media/usbdisk
sheran@azazel:~/Personal/research$ ls -alrt /media/usbdisk
total 17
drwxr-xr-x 8 root root 4096 2007-06-19 12:21 ..
drwx------ 2 root root 12288 2007-06-19 12:24 lost+found
drwxr-xr-x 3 sheran sheran 1024 2007-06-19 12:24 .
sheran@azazel:~/Personal/research$ df -kh /media/usbdisk
Filesystem Size Used Avail Use% Mounted on
/dev/sdb1 61M 1.3M 56M 3% /media/usbdisk
sheran@azazel:~/Personal/research$
That's pretty much the disk. I had run cfdisk and mke2fs previously on the Windows formatted USB Disk. I now image it with 'ewfacquire' which you don't get to see, but I end up with the file usbdisk.E01. I can now mount this file using CarvFS.
sheran@azazel:~/Personal/research$ sudo -s
root@azazel:~/Personal/research# carvfs /mnt/carvfs/ ewf usbdisk.E01
/mnt/carvfs//f183a8e2b50834552f9302b08251d4db
root@azazel:~/Personal/research# cd /mnt/carvfs/f183a8e2b50834552f9302b08251d4db/
root@azazel:/mnt/carvfs/f183a8e2b50834552f9302b08251d4db# ls -alrt
total 63616
-rw-rw-rw- 1 root root 2545 1970-01-01 04:00 README
-rw------- 1 root root 85 1970-01-01 04:00 ocfa.missing
-r--r--r-- 1 root root 65135616 1970-01-01 04:00 CarvFS.crv
d--x--x--x 3 root root 0 1970-01-01 04:00 CarvFS
drwxr-xr-x 3 root root 0 1970-01-01 04:00 .
drwxr-xr-x 3 root root 4096 2007-06-19 13:28 ..
root@azazel:/mnt/carvfs/f183a8e2b50834552f9302b08251d4db#
Now I run 'scalpel' in preview mode with the configuration file set to grab graphic files:
root@azazel:~/Personal/research# scalpel -p -c ./scalpel_gfx.conf /mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS.crv
Scalpel version 1.60
Written by Golden G. Richard III, based on Foremost 0.69.
Opening target "/mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS.crv"
Image file pass 1/2.
/mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS.crv: 16.1% 10.0 MB 00/mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS.crv: 32.2% 20.0 MB 00/mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS.crv: 48.3% 30.0 MB 00/mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS.crv: 64.4% 40.0 MB 00/mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS.crv: 80.5% 50.0 MB 00/mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS.crv: 96.6% 60.0 MB 00/mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS.crv: 100.0% 62.1 MB 00:00 ETAAllocating work queues...
Work queues allocation complete. Building carve lists...
Carve lists built. Workload:
gif with header "\x47\x49\x46\x38\x37\x61" and footer "\x00\x3b" --> 0 files
gif with header "\x47\x49\x46\x38\x39\x61" and footer "\x00\x3b" --> 146 files
jpg with header "\xff\xd8\xff\xe0\x00\x10" and footer "\xff\xd9" --> 22 files
png with header "\x50\x4e\x47\x3f" and footer "\xff\xfc\xfd\xfe" --> 0 files
** PREVIEW MODE: GENERATING AUDIT LOG ONLY **
** NO CARVED FILES WILL BE WRITTEN **
Carving files from image.
Image file pass 2/2.
/mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS.crv: 16.1% 10.0 MB 00/mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS.crv: 48.3% 30.0 MB 00/mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS.crv: 96.6% 60.0 MB 00/mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS.crv: 100.0% 62.1 MB 00:00 ETAProcessing of image file complete. Cleaning up...
Done.
Scalpel is done, files carved = 168, elapsed = 3 seconds.
root@azazel:~/Personal/research#
And I find 146 GIF files and 22 JPGs. Usually, scalpel can be used to extract these files and place them in another directory. The beauty of CarvFS is in the fact that you can add symlinks to the CarvFS image and these symlinks directly refer to offsets within the 'usbdisk.E01' image. CarvFS comes with a tool called 'scalpelcp' which does just this. I had to edit the script so that it works fine, because there was a problem with the "$basepath" variable. But anyway, here goes:
root@azazel:~/Personal/research# scalpelcp
Usage: scalpelcp <outputdir> <basepath>
this tool is meant to be used in conjunction with scalpel (>= 1.6)
run in preview mode (that is using the -p option that scalpel provides)
on carvpath pseudo files.
Scalpelcp will parse the audit.txt file and populate the scalpel output
directory with symlinks to valid sub-carvpaths extracted from the audit file
root@azazel:~/Personal/research# scalpelcp ./scalpel-output/ /mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS/
Target=/mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS
symlinked 168 filenames to zero-storage carvpaths
root@azazel:~/Personal/research# cd scalpel-output/
oot@azazel:~/Personal/research/scalpel-output# ls
00000000.gif 00000034.gif 00000068.gif 00000102.gif 00000136.gif
00000001.gif 00000035.gif 00000069.gif 00000103.gif 00000137.gif
00000002.gif 00000036.gif 00000070.gif 00000104.gif 00000138.gif
00000003.gif 00000037.gif 00000071.gif 00000105.gif 00000139.gif
00000004.gif 00000038.gif 00000072.gif 00000106.gif 00000140.gif
00000005.gif 00000039.gif 00000073.gif 00000107.gif 00000141.gif
00000006.gif 00000040.gif 00000074.gif 00000108.gif 00000142.gif
00000007.gif 00000041.gif 00000075.gif 00000109.gif 00000143.gif
00000008.gif 00000042.gif 00000076.gif 00000110.gif 00000144.gif
00000009.gif 00000043.gif 00000077.gif 00000111.gif 00000145.gif
00000010.gif 00000044.gif 00000078.gif 00000112.gif 00000146.jpg
00000011.gif 00000045.gif 00000079.gif 00000113.gif 00000147.jpg
00000012.gif 00000046.gif 00000080.gif 00000114.gif 00000148.jpg
00000013.gif 00000047.gif 00000081.gif 00000115.gif 00000149.jpg
00000014.gif 00000048.gif 00000082.gif 00000116.gif 00000150.jpg
00000015.gif 00000049.gif 00000083.gif 00000117.gif 00000151.jpg
00000016.gif 00000050.gif 00000084.gif 00000118.gif 00000152.jpg
00000017.gif 00000051.gif 00000085.gif 00000119.gif 00000153.jpg
00000018.gif 00000052.gif 00000086.gif 00000120.gif 00000154.jpg
00000019.gif 00000053.gif 00000087.gif 00000121.gif 00000155.jpg
00000020.gif 00000054.gif 00000088.gif 00000122.gif 00000156.jpg
00000021.gif 00000055.gif 00000089.gif 00000123.gif 00000157.jpg
00000022.gif 00000056.gif 00000090.gif 00000124.gif 00000158.jpg
00000023.gif 00000057.gif 00000091.gif 00000125.gif 00000159.jpg
00000024.gif 00000058.gif 00000092.gif 00000126.gif 00000160.jpg
00000025.gif 00000059.gif 00000093.gif 00000127.gif 00000161.jpg
00000026.gif 00000060.gif 00000094.gif 00000128.gif 00000162.jpg
00000027.gif 00000061.gif 00000095.gif 00000129.gif 00000163.jpg
00000028.gif 00000062.gif 00000096.gif 00000130.gif 00000164.jpg
00000029.gif 00000063.gif 00000097.gif 00000131.gif 00000165.jpg
00000030.gif 00000064.gif 00000098.gif 00000132.gif 00000166.jpg
00000031.gif 00000065.gif 00000099.gif 00000133.gif 00000167.jpg
00000032.gif 00000066.gif 00000100.gif 00000134.gif audit.txt
00000033.gif 00000067.gif 00000101.gif 00000135.gif
root@azazel:~/Personal/research/scalpel-output#
And here are all my symlinked files. If you do a long listing you can see how the files are actually symlinked:
root@azazel:~/Personal/research/scalpel-output# ls -alrt | tail -n 5
lrwxrwxrwx 1 root root 67 2007-06-19 13:44 00000003.gif -> /mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS/1206784:269.crv
lrwxrwxrwx 1 root root 67 2007-06-19 13:44 00000002.gif -> /mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS/1205760:200.crv
lrwxrwxrwx 1 root root 68 2007-06-19 13:44 00000001.gif -> /mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS/1203712:1231.crv
lrwxrwxrwx 1 root root 66 2007-06-19 13:44 00000000.gif -> /mnt/carvfs/f183a8e2b50834552f9302b08251d4db/CarvFS/1203200:50.crv
drwxr-xr-- 2 root root 4096 2007-06-19 13:44 .
root@azazel:~/Personal/research/scalpel-output#
Lastly, all that's left is to start up an image viewer program or plain old nautilus and see what the directory holds:
That's it for now. I'm off to buy some more memory cards. Be very careful if you know me and hear me ask you innocently, "Hey, can I borrow your camera?"
2 comments:
Hi. I'm a 2nd year student in UK working on my data recovery project. Any thoughts on Olympus / Fuji camera xD cards? When "accidentally" formatted they appear to destructively overwrite the contents. I've looked at the Aluada project but have been unable to recover any data. Any insight would be appreciated
Alice
Herro Alice!
I must admit I never did pick up the Olympus/Fuji xD cards mainly because they were proprietary and at that time, I was really only focusing on well supported cards (by card readers anyway)
I must disappoint you in this one and tell you that I have no additional wisdom to impart on this.
Wish you all the best in your endeavors.
Post a Comment