Tuesday, September 22, 2009

Crawling out from the paperwork to check the air

It's been a busy couple of weeks. I went on a testing trip that I truly consider a boondoggle. I think the company sent us on the trip just to maximize revenue for the overall project. The problem is, I think the client called the company's bluff. As such, they've demanded a ton of documentation; not that we don't have the data, but the client isn't the most helpful. That, and I'm finishing up documentation for a system we tested almost three months ago. But there's light at the end of the tunnel: I've already got my next project, a nice big, fat, juicy LAN to test.

On the forensics front, I'm in the middle of recovering mp3s from a friend's external usb drive that had crashed. I'm using foremost, and getting great results. I'll write that up when I'm finished.

Wednesday, September 9, 2009

Using Sleuthkit tools to recover pictures from a camera's flash card

We finished discussing the Sleuthkit tools in class the other week, and had an exercise to reinforce the concepts. A little while ago, I had a friend ask me if I could recover images from their camera's flash card. After completing the discussion on the Sleuthkit tools, I thought I would give it a whirl.

First, I imaged the card; it was two gigs, and easily fit on my external evidence drive. (My first imaging attempt didn't go so well: I imaged if=/dev/sdf...I should have imaged if=/dev/sdf1. The file system type was unknown until I re-imaged it. The card is using a FAT file system. And by the way, the way I knew that I didn't image properly the first time was that I ran fsstat on the image, and fsstat couldn't determine the file system type. I knew I was cooking with gas when I re-imaged properly the second time and fsstat showed FAT, along with the pertinent info on the file system.)

After imaging, I ran: sorter -h -s -m K: -d /images/windowsforensics/sorter /mnt/usb/flashcard.img

Bingo! I had about 185 images returned. My friend was only looking for 25 or so, and was thrilled to get them all back.
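To show why fsstat came up empty on the whole-device image but not on the partition image, here is an added example (my own illustration, not part of the original post or of Sleuthkit) that does the two checks by hand: it reads the DOS partition table the way mmls would, and applies a FAT boot-sector sanity check at sector 0 and at each partition's start. The sample MBR and FAT16 boot sector are constructed inline, not taken from a real card.

```python
import struct

SECTOR = 512

def is_fat_boot_sector(sector: bytes) -> bool:
    """Heuristic FAT boot-sector check in the spirit of fsstat: x86 jump opcode,
    0x55AA signature, sane bytes-per-sector / sectors-per-cluster, 1 or 2 FATs."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    if sector[0] not in (0xEB, 0xE9):          # an MBR normally starts with boot code, not this
        return False
    bps, spc, _reserved, nfats = struct.unpack_from("<HBHB", sector, 11)
    return bps in (512, 1024, 2048, 4096) and spc in (1, 2, 4, 8, 16, 32, 64, 128) and nfats in (1, 2)

def mbr_partitions(sector: bytes):
    """Parse the four primary DOS partition entries (what mmls lists).
    Returns (type, start_lba, sector_count) for non-empty entries."""
    parts = []
    if sector[510:512] != b"\x55\xaa":
        return parts
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]
        start, length = struct.unpack_from("<II", entry, 8)
        if ptype and length:
            parts.append((ptype, start, length))
    return parts

def locate_fat(image: bytes):
    """Byte offset of a FAT boot sector: 0 for a partition image (the /dev/sdf1 case),
    the partition start for a whole-device image (the /dev/sdf case), None if not found."""
    if is_fat_boot_sector(image[:SECTOR]):
        return 0
    for _ptype, start, _length in mbr_partitions(image[:SECTOR]):
        off = start * SECTOR
        if is_fat_boot_sector(image[off:off + SECTOR]):
            return off
    return None

# Constructed sample data (not a real card): a FAT16 boot sector and an MBR pointing at it.
def _fat_boot_sector() -> bytes:
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xeb\x3c\x90"                              # jump + nop
    struct.pack_into("<HBHB", bs, 11, 512, 32, 1, 2)        # bps, spc, reserved, nfats
    bs[54:62] = b"FAT16   "
    bs[510:512] = b"\x55\xaa"
    return bytes(bs)

def _whole_device_image() -> bytes:
    mbr = bytearray(SECTOR)
    mbr[450] = 0x06                                         # partition type 0x06 = FAT16
    struct.pack_into("<II", mbr, 454, 63, 4096)             # start LBA 63, 4096 sectors
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr) + bytes(62 * SECTOR) + _fat_boot_sector() + bytes(10 * SECTOR)
```

On a real whole-device image the equivalent Sleuthkit workflow is mmls to get the partition offset, then fsstat -o <offset> (and sorter with the same offset) rather than re-imaging.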