Archive for May 2015
Scalpel : Data Recovery From Byte Strings
In digital forensics, file carving is an essential process. It is a technique in which investigator uses databases of headers as well footers. These headers and footers contain byte strings. So, suppose you have 5 JPEG files. So all those 5 files will have same header & footer byte strings. So this tool carves data by analyzing that byte string. This Is an advance tool as it also carves file even after its metadata is removed.
Design of Scalpel
It’s a high performance file carving utility which is designed based on 2 principles.
1. Economical yet flexible : This tool is designed in such a way that it can run on any machine which is having still those ancient Pentium II processors with 256 or even less MB ram. It can also run on Knoppix, Helix or any other Linux system. Additionally this tool is capable of recovering data of any larger size.
2. Time Complexity : Here I am using this “High Performance” word frequently because when we talk about high performance, we always consider quality along with time. This tool is carving files in no time without compromising the quality of the carving service.
Scalpel in Action (Working Flow)
STARTSTOPCARVE : Actual process of file carving starts here. It opens a file, it writes some portion of the file and it closes it.
CONTINUECARVE : The entire portion of the chunk is taken and written and meanwhile of this operation, file also remains open.
STOPCARVE: After writing few last portion of chunks, it closes the file.
Once you download the scalpel**. RPM file you have to extract it with below
Command. I am using CentOS 6 here.
rpm –Uvh scalpel-2.0-1.el6.i686.rpm
As you can see from the from the pic that we have got an error which tells us about missing libraries. So if you face this problem then do not panic. I have provided a solution over here. All we need to do is to install libraries. So to install these libraries, command is as follows:
yum install libQtGui.so.4
So as you can see in below pics that its continuing the installation. It will check for the dependencies and will install all supported packages along with our library.
Now I will look into the directory that what have we got. We will do this by simple ls command.
Now we will again try to install scalpel with same command which we gave previously.
After successful installation lets run scalpel command and lets check for whether it's running or not.
After installation we need to configure scalpel’s conf file. By default it has scalpel.conf file in which there will be the list of file extensions with their header and footer byte strings. The location of that configuration file will be /etc/scalpel.conf .
First thing we will do is, we will back up this file by giving this command.
cp /etc/scalpel.conf /etc/scalpel_backup.conf
Now we will compare both these files. The left file I personally edited and the right backup file is the default file. As you can clearly see from pic that default configuration file has everything commented within it. So I uncommented some filetypes, which I want to recover from my system. Mostly I have uncommented (selected) graphics files to be recovered.
As you can see that in left side you will see some byte strings mentioning
\xff\xd8\xff\xe0\x00\x10 \xff\xd9 => Byte string header footer pattern for all JPG files.
So the left byte strings are the headers and the right ones are footers.
Before moving forward lets do a small practical comparison of this byte string to any real JPG image file’s byte string.
To do so I have a very good utility called HxD named Hex Editor. I will open one image(JPG) file in that and you will notice that in both file starting and ending header is same and they both are also identical to the config file of the scalpel.
So here is the first file’s Hex information.
As you can see the lower level of byte information (header & footer) is identical the configuration file (scalpel.conf), which we are using for file carving techniques. It means header and footer signature of every JPEG file will be identical so we can say that can be the general syntax of all JPG files.
Now we will move forward and will use the scalpel to carve a graphics file along with JPG. Before that lets suppose a scenario that you inserted pen drive into your Linux system and you don’t know that which drive letter or name is assigned to it. Then you can simply use mount command to list all drives and partition.
Now here I am going to select /dev/sda1 partition to be opened and to be operated file carving process. So the command to run scalpel is pretty simple as follows:
scalpel /dev/sda-1 –o RCVR_DATA2
Here, O specifies the output directory which will be created in /etc/ folder by default. So here is a mount command and scalpel result together.
As you can see that scalpel will first open the target then it will allocate the queue to each task as we discussed in theory part. Then it will start checking for each files header and footer information in order to carve lost files.
Here I am doing this demo on newly installed CentOS so I did not delete JPGs. It’s for you to understand. Once your task is done and if you want to see that which data is recovered you can go to /etc/ folder and you will find your recovered data over there. In my case the folder name is “RCVR_DATA2”.
As you can see that, like a log file it has also generated audit.txt file for the general summarizing whole process. Thus how you can recover lost files from your Linux systems.
Forensics investigators use this to recover data from Linux systems.
Thursday, 7 May 2015
Posted by Christina Evangeline
The fact is true that, besides any other development, the internet development has unbarred next generation’s fast and perfect betterment. The invention of internet contributed many entrepreneurs to the society and these entrepreneurs are contributing incredibly in this field because of the fact that most internet service provider’s (ISP) treated internet traffic equally – The net neutrality. The net neutrality is offering each and every entrepreneur the opportunity of equal success rate. But currently this success rate is vulnerable and we the generation are aware of the core reason for this vulnerability.
Telecom Authority of India (TRAI) in its recent consultation paper has asked the public twenty questions and let’s summarizes this question as “Should the internet be touched?” The questions focus on to the unregulated over-the-top service (OTTS) apps running on telecom network, does it needs regulation? All these OTTs spends dollars in setting up infrastructures and most of them are competing head to head for their existence and some needs to invest in building networks, beyond this what is not to be forgotten is that these telecom companies also benefit from these OTTS who are piggybacking on them. The fact is that more app – more data usage – more money. I doubt, still why these telecoms are disturbed.
Net neutrality violation results in:
- Difference in providing net services, in the sense, some sites will be served fast and some are not.
- Certain applications become costlier.
- Endangering the better future of internet.
- Dispose start-ups and entrepreneurs.
- Wipe out dreams.
- Market harming.
- The absence of net neutrality provides profit to telecom, but the fact is that this act may result in harming the market and at the same time lose internet’s openness.
My generations why mum, remember “Good things happen only when we stand up for that”. Now it’s our turn to fight for net neutrality. Let’s rise up and fight for our rights.
Tags: Net Neutrality, Net Neutrality in India, NextGen India, NextGen India without Net Neutrality, Save Internet
Tuesday, 5 May 2015
Posted by Christina Evangeline