We finished discussing the Sleuthkit tools in class the other week, and had an exercise to reinforce the concepts. A little while ago, I had a friend ask me if I could recover images from their camera's flash card. After completing the discussion on the Sleuthkit tools, I thought I would give it a whirl.
First, I imaged the card; it was two gigs, and easily fit on on my external evidence drive. (My first imaging attempt didn't go so well, I imaged if=/dev/sdf...I should have imaged if=/dev/sdf1. The file system type was unknown until I re-imaged it. The card is using a fat file system. And by the way, to know that I didn't image properly the first time, I ran an fsstat on the image, and fsstat couldn't determine the fie system type. I knew I was cooking with gas when I re-imaged properly the second time and fsstat showed fat, and the pertinent info on the file system.)
After imaging, I ran: sorter -h -s -m K: -d /images/windowsforensics/sorter /mnt/usb/flashcard.img
Bingo! I had about 185 images returned. My friend was only looking for 25 or so, and was thrilled to gt them all back.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment