HomeCalendarCertificationsColumnsFeaturesForumResourcesVitals
 
Image
 
linkedin_logo.png rss_logo.jpg
twitter_logo.png youtube_logo.jpg
Latest Additions
 
EH-Net Login
Welcome Guest.
Lost Password?
No account yet? Register
Who's Online
We have 95 guests and 2 members online
 
Advertisement

You are here: Home arrow Ethical Hacking Discussions and Related Certificationsarrow Forensicsarrow .txt file recovery
EH-Net
May 18, 2013, 01:00:39 PM *
Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
News: Go back to The Ethical Hacker Network Online Magazine Home Page
 
   Home   Help Calendar Login Register  
Pages: [1]   Go Down
« previous next »
  Print  
Author Topic: .txt file recovery  (Read 6361 times)
0 Members and 1 Guest are viewing this topic.
ziggy_567
Sr. Member
****
Offline Offline

Posts: 361


View Profile
« on: May 05, 2010, 05:05:47 PM »
I'm fairly inexperienced in forensics and am trying to learn file carving. I've used scalpel to carve out .doc, .xls, .ppt, etc from an image of a 16G usb drive image. But I'm having issues reliably finding straight ASCII text files.

I'm curious if anyone has an easier way to restore text files from a drive image. I'm looking for straight ASCII text files, so there's no magic number associated with the file. So far, the best I've been able to come up with is to do a 'strings' on the image and grep for what I'm looking for.

While I was playing around, I decided to approach this as though I didn't know what I was looking for, though. The best I could come up with was to filter out some of the garbage in the strings output with a sed statement as such:

strings file1 | sed -n '/^.\{15\}/p' > file2

Of course, you can set the threshold to something larger than 15 to get rid of more garbage, but you'd possibly be ignoring some smaller txt files.

Any thoughts? Thanks!
Logged
--
Ziggy


eCPPT - GSEC - GCIH - GCUX - RHCE - SCSecA - Security+ - Network+
Ketchup
Hero Member
*****
Offline Offline

Posts: 1021



View Profile
« Reply #1 on: May 05, 2010, 10:08:00 PM »
That's a tough one.  Text file have no header and no footer.   Thus, there is nothing to carve for.  I use either the strings command like you are doing or built-in features in EnCase and FTK to reveal text in unallocated space.   It really helps if you have a few search terms to narrow it down.   Otherwise, the results just aren't pretty. 
Logged
~~~~~~~~~~~~~~
Ketchup
ziggy_567
Sr. Member
****
Offline Offline

Posts: 361


View Profile
« Reply #2 on: May 06, 2010, 09:35:56 AM »
Thanks for the response Ketchup. I'd love to play with enCase, but alas, I don't have the money or really the need...
Logged
--
Ziggy


eCPPT - GSEC - GCIH - GCUX - RHCE - SCSecA - Security+ - Network+
Ketchup
Hero Member
*****
Offline Offline

Posts: 1021



View Profile
« Reply #3 on: May 06, 2010, 01:38:15 PM »
Ziggy, someone had recently mentioned that they were able to get a trial version of EnCase after calling Guidance.   I can't confirm this, and I would doubt it, but it's probably worth a shot.
Logged
~~~~~~~~~~~~~~
Ketchup
Pages: [1]   Go Up
  Print  
« previous next »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.18 | SMF © 2013, Simple Machines
Joomla Bridge by JoomlaHacks.com 		Valid XHTML 1.0! Valid CSS!
Page created in 0.065 seconds with 23 queries.
 
Exclusive Deal

sansfire13_245x90_cw90.jpg
SANSFIRE 2013
June 15 - 22

5% Off w/ Code: EHN_5

SANS Deals 4 EH-Netters
5% OFF Any SANS Course in Any Format!
Coupon Code: EHN_5 Including SANS Rocky Mountain 2013 & SANS Boston 2013
Polls
Compared to this year, 2013 will be:
 
Recent Forum Topics
EH-Net News Feeds
Latest Additions
 
         
Free Business and Tech Magazines and eBooks

© 2013 The Ethical Hacker Network
Joomla! is Free Software released under the GNU/GPL License.