File/Data Carving & Recovery Tools
tip
Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Carving & Recovery tools
More tools are available at https://github.com/Claudio-C/awesome-datarecovery
Autopsy
The most common tool used in forensics to extract files from images is Autopsy. Download it, install it and make it ingest the file to find "hidden" files. Note that Autopsy is built to support disk images and other kinds of images, but not simple files.
Binwalk
Binwalk is a tool for analysing binary files to find embedded content. It can be installed via apt and its source is on GitHub.
Useful commands:
sudo apt install binwalk #Installation
binwalk file #Displays the embedded data in the given file
binwalk -e file #Displays and extracts some files from the given file
binwalk --dd ".*" file #Displays and extracts all files from the given file
Foremost
Another common tool to find hidden files is foremost. You can find the configuration file of foremost in /etc/foremost.conf. If you just want to search for some specific files, uncomment them. If you don't uncomment anything, foremost will search for its default configured file types.
sudo apt-get install foremost
foremost -v -i file.img -o output
#Discovered files will appear inside the folder "output"
Scalpel
Scalpel is another tool that can be used to find and extract files embedded in a file. In this case, you will need to uncomment in the configuration file (/etc/scalpel/scalpel.conf) the file types you want it to extract.
sudo apt-get install scalpel
scalpel file.img -o output
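Binwalk, foremost and scalpel all work the same way underneath: scan a raw buffer for known signatures and cut out the bytes that belong to each hit. The following is an added example (not code from the page or from any of those projects) that shows the two carving strategies those tools' config files describe: header/footer carving for JPEG, which is what a foremost/scalpel config line expresses, and structure-aware carving for PNG, which walks the chunk list and verifies each CRC so a false-positive magic or a corrupt file is rejected instead of producing garbage. The input blob is constructed inline (random filler with one PNG and one JPEG-shaped blob embedded), so it runs offline.

```python
import random
import struct
import zlib

# Signatures used by the carver. PNG is carved structurally (chunk walk with
# CRC checks); JPEG is carved by header/footer, the way a foremost/scalpel
# config line would describe it.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def png_length(buf: bytes, start: int):
    """Walk the PNG chunks starting at `start` and return the file's total
    length, or None if a chunk is truncated or fails its CRC (i.e. the magic
    was a false positive or the file is corrupt/fragmented)."""
    pos = start + len(PNG_MAGIC)
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        end = pos + 12 + length          # 4 length + 4 type + data + 4 CRC
        if end > len(buf):
            return None
        (crc,) = struct.unpack(">I", buf[end - 4:end])
        if zlib.crc32(buf[pos + 4:end - 4]) & 0xFFFFFFFF != crc:
            return None
        pos = end
        if ctype == b"IEND":
            return pos - start
    return None


def carve(buf: bytes, max_jpeg: int = 10 * 1024 * 1024):
    """Return a list of (offset, kind, data) for every file found in `buf`."""
    found = []
    i = 0
    while i < len(buf):
        if buf.startswith(PNG_MAGIC, i):
            n = png_length(buf, i)
            if n is not None:
                found.append((i, "png", buf[i:i + n]))
                i += n
                continue
        elif buf.startswith(JPEG_SOI, i):
            # Footer carving: first EOI marker within the size limit. This is
            # exactly what misfires on fragmented files or on data that happens
            # to contain FF D9, hence the limit and the structural PNG path above.
            end = buf.find(JPEG_EOI, i + len(JPEG_SOI), i + max_jpeg)
            if end != -1:
                found.append((i, "jpeg", buf[i:end + 2]))
                i = end + 2
                continue
        i += 1
    return found


# --- constructed sample input (not a real image) ---------------------------
def _chunk(ctype: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png() -> bytes:
    """A valid 1x1 red RGB PNG built from scratch."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")   # filter byte + one pixel
    return PNG_MAGIC + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")


def build_sample():
    """Random filler (no 0xFF bytes, so no accidental JPEG markers) with one
    PNG and one JPEG-shaped blob embedded in it."""
    rng = random.Random(1337)
    filler = lambda n: bytes(rng.randrange(0xFF) for _ in range(n))
    png = build_png()
    jpeg = JPEG_SOI + b"\xe0\x00\x10JFIF\x00\x01\x01" + b"\x12\x34" * 40 + JPEG_EOI
    blob = filler(300) + png + filler(200) + jpeg + filler(150)
    return blob, png, jpeg


SAMPLE_BLOB, SAMPLE_PNG, SAMPLE_JPEG = build_sample()

if __name__ == "__main__":
    for off, kind, data in carve(SAMPLE_BLOB):
        print(f"{kind} at offset {off}, {len(data)} bytes")
```

The practical lesson is in `png_length`: a carver that validates structure (lengths, CRCs, terminating chunk) produces far fewer broken files than one that just looks for a footer, which is why tools such as scalpel let you choose per type whether the footer is required and how large a file may be.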
Bulk Extractor
This tool comes with Kali but you can also find it here: https://github.com/simsong/bulk_extractor
This tool can scan an image and extract pcaps inside it, network information (URLs, domains, IPs, MACs, emails) and more files. All you need to do is:
bulk_extractor memory.img -o out_folder
Navigate through all the information the tool has gathered (passwords?), analyse the packets (read Pcaps analysis), search for strange domains (domains related to malware or non-existent ones).
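To make concrete what bulk_extractor's e-mail/URL/IP scanners and its domain histograms do, here is an added example (not bulk_extractor's code) that runs byte-level patterns over a raw buffer, decodes UTF-16LE runs so Windows memory strings are not missed, and builds the kind of domain histogram in which a rare or odd-looking domain stands out. The patterns are simplified and the input buffer is constructed inline.

```python
import re
from collections import Counter

# Byte-level patterns (bulk_extractor scanners work on raw bytes, never on a
# filesystem, so deleted data and slack space are covered too).
PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "url": re.compile(rb"https?://[A-Za-z0-9.-]+(?::\d+)?(?:/[^\s\"'<>]*)?"),
    "ipv4": re.compile(
        rb"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
}
# Runs of printable UTF-16LE text (typical for Windows memory and registry data).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")


def extract_features(buf: bytes):
    """Return (offset, kind, value) for every feature found in `buf`."""
    feats = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(buf):
            feats.append((m.start(), kind, m.group().decode("ascii")))
    # Second pass: decode UTF-16LE runs and re-scan them; an ASCII-only
    # scan would miss these completely.
    for run in UTF16_RUN.finditer(buf):
        text = run.group().decode("utf-16-le").encode("ascii")
        for kind, pat in PATTERNS.items():
            for m in pat.finditer(text):
                feats.append((run.start() + 2 * m.start(), kind + "-utf16",
                              m.group().decode("ascii")))
    return sorted(feats)


def domain_histogram(feats):
    """Count domains from e-mail and URL features, like bulk_extractor's
    *_histogram.txt outputs; rare domains are the ones worth a second look."""
    hist = Counter()
    for _, kind, value in feats:
        if kind.startswith("email"):
            hist[value.split("@", 1)[1].lower()] += 1
        elif kind.startswith("url"):
            hist[re.match(r"https?://([^/:]+)", value).group(1).lower()] += 1
    return hist


# Constructed stand-in for a memory image: ASCII text, a UTF-16LE string with
# a BOM, binary junk, and a decoy "999.1.1.1" that must not be reported as IPv4.
SAMPLE_IMAGE = (
    b"\x00\x01\x02login user=admin@example.com pass=***\n"
    + b"GET http://example.com:8080/login HTTP/1.1\r\n"
    + b"\xff\xfe" + "backup@corp.example".encode("utf-16-le") + b"\x00\x00"
    + b"peer 10.0.0.5 bogus 999.1.1.1 end\x00\x00"
)

if __name__ == "__main__":
    feats = extract_features(SAMPLE_IMAGE)
    for off, kind, value in feats:
        print(f"{off:6d} {kind:12s} {value}")
    print(domain_histogram(feats).most_common())
```

On a real image you would stream the file in overlapping chunks rather than loading it whole, and bulk_extractor additionally recurses into compressed and encoded data, which this example does not do.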
PhotoRec
You can find it at https://www.cgsecurity.org/wiki/TestDisk_Download
It comes with GUI and CLI versions. You can select the file types you want PhotoRec to search for.
binvis
Check the code and the web page tool.
Features of BinVis
- Visual and active structure viewer
- Multiple plots for different focus points
- Focusing on portions of a sample
- Seeing strings and resources, in PE or ELF executables e.g.
- Getting patterns for cryptanalysis on files
- Spotting packer or encoder algorithms
- Identify Steganography by patterns
- Visual binary-diffing
BinVis is a great starting point to get familiar with an unknown target in a black-boxing scenario.
Specific Data Carving Tools
FindAES
Searches for AES keys by searching for their key schedules. Able to find 128, 192, and 256 bit keys, such as those used by TrueCrypt and BitLocker.
Download here.
Complementary tools
You can use viu to see images from the terminal.
You can use the linux command line tool pdftotext to transform a pdf into text and read it.