EC2 DFIR Workshop
Lab 9: Recover the Unallocated Space
GOAL:
Use two different techniques to recover files from the unallocated space on the volume
SUMMARY OF STEPS:
- Run the tsk_recover command
- Use foremost to carve files
Step 1: Run the tsk_recover command
The tsk_recover utility can be used to recover files from unallocated space by passing in the device of the attached volume and the location to store the recovered files as parameters to the command.
The syntax for this is simply:
mkdir /cases/recovered
tsk_recover /dev/xvdf1 /cases/recovered
Visually scanning through the directory listing may identify files that deserve additional investigation.
Use this command:
ls -lR /cases/recovered/ --color=always | less -R
The tsk_recover tool adds the sector where the file was located to the end of the file name and uses a semicolon as a delimiter.
VIDEO: Lab 9 Step 1 - Run the tsk_recover command
Step 2: Use foremost to carve files
Foremost uses a configuration file to define how to carve files. For this exercise, let's modify the /etc/foremost.conf file to include graphics files by removing the octothorpe (“#”) from the beginning of the lines in the GRAPHICS FILES section (gif, jpg, png, bmp, and tif), as shown below:
IMAGE 17: Uncomment the Graphics Files in foremost.conf
The command to run foremost on the evidence prepared is:
mkdir /mnt/data/foremost
nohup foremost -dv -o /mnt/data/foremost -c /etc/foremost.conf /dev/xvdf1 &
Visually scanning through the directory listing may identify files that deserve additional investigation. Use this command:
ls -als /mnt/data/foremost/ --color=always | less -R
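Visual scanning does not scale once both tools have written thousands of files, and the two outputs overlap. The following triage script is an added example, not part of the workshop or of the TSK/foremost projects: it walks both recovery directories (the lab's /cases/recovered and /mnt/data/foremost are assumed as defaults), identifies the five graphics types enabled above by their leading bytes, flags files whose name claims a different type, and de-duplicates by SHA-256 so a file recovered by both tsk_recover and foremost is reviewed once.

```python
import hashlib
from pathlib import Path

# Leading bytes of the graphics types enabled in foremost.conf (gif, jpg, png, bmp, tif).
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "bmp": (b"BM",),
    "tif": (b"II*\x00", b"MM\x00*"),
}
ALIASES = {"jpeg": "jpg", "tiff": "tif"}


def identify(header: bytes):
    """Return the image type whose magic bytes match the start of the file, else None."""
    for kind, magics in SIGNATURES.items():
        if header.startswith(magics):  # bytes.startswith accepts a tuple of candidates
            return kind
    return None


def extension_of(name: str) -> str:
    """Extension claimed by the file name; the ';<sector>' suffix tsk_recover appends is dropped."""
    base = name.split(";", 1)[0]
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    return ALIASES.get(ext, ext)


def build_manifest(roots):
    """Walk the recovery directories; return {sha256: entry} with one entry per unique file.

    entry = {"type": detected type, "ext": claimed extension, "mismatch": type and
             extension disagree (worth a closer look), "paths": every location found}.
    The first name seen for a given content decides "ext"; later copies only add paths.
    """
    manifest = {}
    for root in roots:
        for path in sorted(Path(root).rglob("*")):
            if not path.is_file():
                continue
            data = path.read_bytes()
            kind, ext = identify(data[:16]), extension_of(path.name)
            entry = manifest.setdefault(hashlib.sha256(data).hexdigest(), {
                "type": kind, "ext": ext,
                "mismatch": kind is not None and kind != ext, "paths": []})
            entry["paths"].append(str(path))
    return manifest


if __name__ == "__main__":  # assumed lab paths; adjust if the output dirs differ
    for digest, e in build_manifest(["/cases/recovered", "/mnt/data/foremost"]).items():
        print("CHECK" if e["mismatch"] else "  ok ", digest[:16], e["type"], e["ext"], *e["paths"])
```

Lines marked CHECK are files whose content is an image but whose name says otherwise (renamed or extension-less carves), which are usually the first ones worth opening.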