Recover Deleted Data from USB Thumbdrive
Recovering deleted items is a common practice in computer forensics and data recovery services. Whether the data being recovered was accidentally or purposely deleted, it still remains on the drive until it is overwritten. This is due to the simple fact that when a file is deleted, only the references to the file's location on the disk are erased from the Master File Table (MFT), or its equivalent depending on which file system you use. This tells the OS that there is now free space that can be used on the hard drive, but the actual data still remains on the disk. The challenging part is acquiring the data on the drive in question before the majority of it is overwritten. Depending on the sophistication of the software you use, you may be able to recover files that are almost completely fragmented. I will consider going further in depth with forensic methods and tools in future tutorials, but for now I will use simple open source software included with Backtrack 3 Beta to recover several deleted files from a FAT formatted USB thumbdrive. The program I will be using in this tutorial is called Foremost, a lightweight data recovery tool.
Foremost works on many different file system types including NTFS, FAT, EXT2, and more. Although it is recommended to use its predecessor "scalpel" for proficiency reasons, we will use foremost because it is installed by default. We will be making a RAW image to conserve the integrity of the physical thumbdrive and to ensure nothing is altered during the analysis. Insert the thumb drive into Backtrack; when it asks you what to do, click cancel to make sure the disk is NOT mounted. Open up a console and type "fdisk -l" to list the available devices. Mine is called /dev/sdb1, which I will refer to from here on. Now that you know what the drive is called, type:
md5sum /dev/sdb1 >> original.txt
This will calculate the hash value of the thumbdrive and give us a file for comparison later. Now we want to make an exact image of the thumbdrive. This is why I prefer to have Backtrack 3 installed to the HDD: I can use the local partition space to store these images. You could also use a USB HDD, but for simplicity's sake I will just store the file on my local disk. Note that the full image will be the same size or greater than the drive you are imaging. Type:
dd if=/dev/sdb1 of=thumbdrive.image
This will create an exact copy of the drive and store it in your current directory. It is important to make another MD5 hash from the newly created image to ensure the data hasn't been altered. Type:
md5sum thumbdrive.image >> image.txt
This will generate the hash value of the image to compare to the original value of the thumbdrive. Now, to compare the original hash value to the image's hash value, type:
diff original.txt image.txt
This will show you the contents of the 2 files side by side, from which you can see if the MD5 hash value has changed. Foremost is configured using the file /usr/local/etc/foremost.conf, which by default has the file signatures of jpg, exe, zip, rar, and many more common extensions. First we will do a full scan for all known file types. With this method, make sure you have plenty of space on your output drive, because the files seem to "inflate" when being extracted. Make a directory in the root folder for the recovered output files and have foremost search for all file types and recover them from the image by typing:
mkdir /root/output
foremost thumbdrive.image -o /root/output/
Note that the program makes an audit.txt file in the specified directory that lists all the recovered files. This will take a while depending on the drive size. Once it is complete, all of the recoverable files will be sorted into directories in the output folder. Browsing through these files, you will see that some of the recovered files will be corrupt because of missing segments that could not be recovered in whole.
To be more efficient, you can target only a specific file type by modifying your command. First make a new directory for the specific file type; let's choose only pdf files. Type "mkdir /root/pdf", then begin the targeted acquisition by typing:
foremost -t pdf -i thumbdrive.image -o /root/pdf/
Notice that now we have only a folder full of recovered PDFs in our output directory. This concludes the foremost tutorial; for more information check out the foremost man page and foremost.conf. Remember that foremost can recover data from just about any HDD, not just USB flash drives, so experiment with it. I will also discuss live Windows NTFS analysis using NTFS Undelete in the future. If you have any questions, just post them here.
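As an added example (not part of the original tutorial and not foremost's own code), the script below mirrors the whole workflow above in Python: image_and_verify() plays the role of dd followed by the two md5sum runs and the diff, and carve()/carve_file() do the header/footer signature carving that foremost performs using the entries in foremost.conf (the general technique, shown here for two signatures). The signature table, the sample "device" contents and all file names are constructed for the demo; the sample image includes one file whose tail was overwritten so you can see the kind of truncated, corrupt recovery the tutorial warns about.

```python
"""Added example: dd/md5sum/foremost-style acquisition and carving in Python.
Everything below (signature table, sample image, paths) is constructed for
the demo and is not taken from foremost or from the tutorial's own files."""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Tuple

BLOCK = 4096  # read/write granularity for the raw copy

# Constructed signature table (a hypothetical subset of what foremost.conf lists):
# type name -> (header bytes, footer bytes or None, maximum carved size)
SIGNATURES: Dict[str, Tuple[bytes, Optional[bytes], int]] = {
    "pdf": (b"%PDF-", b"%%EOF", 1 << 20),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 1 << 20),
}


def md5_file(path: str) -> str:
    """Equivalent of `md5sum path`, hashing in blocks so large images fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_and_verify(src: str, dst: str) -> Tuple[str, str, bool]:
    """Raw copy src -> dst (like `dd if=src of=dst`), then hash both and compare."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK), b""):
            fout.write(chunk)
    h_src, h_dst = md5_file(src), md5_file(dst)
    return h_src, h_dst, h_src == h_dst


def carve(image: bytes, sigs=SIGNATURES) -> List[Tuple[str, int, bytes]]:
    """Header/footer carving: for every header hit, take the data up to and
    including the first footer within max_size; if no footer is found, take
    max_size bytes, which yields a truncated (likely corrupt) file."""
    found = []
    for name, (header, footer, max_size) in sigs.items():
        pos = 0
        while True:
            start = image.find(header, pos)
            if start < 0:
                break
            end = start + max_size
            if footer is not None:
                fpos = image.find(footer, start + len(header), start + max_size)
                if fpos >= 0:
                    end = fpos + len(footer)
            found.append((name, start, image[start:end]))
            pos = start + len(header)  # keep scanning after this header
    found.sort(key=lambda t: t[1])  # order by offset in the image
    return found


def carve_file(image_path: str, outdir: str, types=None) -> List[str]:
    """Like `foremost -t pdf -i image -o outdir`: write carved files to outdir/<type>/."""
    with open(image_path, "rb") as f:
        data = f.read()  # fine for a demo; a real image should be scanned in a sliding window
    sigs = {k: v for k, v in SIGNATURES.items() if types is None or k in types}
    written = []
    for name, offset, blob in carve(data, sigs):
        d = os.path.join(outdir, name)
        os.makedirs(d, exist_ok=True)
        path = os.path.join(d, f"{offset:08d}.{name}")
        with open(path, "wb") as out:
            out.write(blob)
        written.append(path)
    return written


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw FAT image: unallocated filler around two
    complete files and one PDF whose tail was overwritten (no %%EOF footer)."""
    filler = b"\x00" * 64
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\ntrailer\n%%EOF"
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x7f" * 32 + b"\xff\xd9"
    truncated_pdf = b"%PDF-1.4\n2 0 obj << /Length 5 >> stream\nhello"
    return filler + pdf + filler + jpg + filler + truncated_pdf + filler


def demo() -> dict:
    """Run the whole workflow (image, verify, full carve, pdf-only carve) in a temp dir."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "sdb1_sample.bin")  # stands in for /dev/sdb1
    with open(src, "wb") as f:
        f.write(build_sample_image())
    img = os.path.join(tmp, "thumbdrive.image")
    h_src, h_img, ok = image_and_verify(src, img)
    all_files = carve_file(img, os.path.join(tmp, "output"))
    pdf_only = carve_file(img, os.path.join(tmp, "pdf"), types={"pdf"})
    return {"hash_match": ok, "md5": h_img, "all": all_files, "pdf": pdf_only}


if __name__ == "__main__":
    r = demo()
    print("image hash matches source:", r["hash_match"], r["md5"])
    for p in r["all"]:
        print("carved", p)
```

Two points worth noting from the code: a footer-less hit is carved up to max_size, which is exactly why a real foremost run produces some oversized or corrupt files when a fragment has been overwritten, and the hash comparison only proves the image matches the source at the moment of imaging, so record the hashes (MD5 and, in current practice, SHA-256 as well) alongside the image rather than only comparing them once.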
R00tk1ll | BeyondTheBit