
.txt file recovery


ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Wed May 05, 2010 5:05 pm

.txt file recovery

I'm fairly inexperienced in forensics and am trying to learn file carving. I've used scalpel to carve out .doc, .xls, .ppt, etc. from an image of a 16G USB drive. But I'm having issues reliably finding straight ASCII text files.

I'm curious if anyone has an easier way to restore text files from a drive image. I'm looking for straight ASCII text files, so there's no magic number associated with the file. So far, the best I've been able to come up with is to do a 'strings' on the image and grep for what I'm looking for.

While I was playing around, I decided to approach this as though I didn't know what I was looking for, though. The best I could come up with was to filter out some of the garbage in the strings output with a sed statement as such:

strings file1 | sed -n '/^.\{15\}/p' > file2

Of course, you can set the threshold to something larger than 15 to get rid of more garbage, but you'd possibly be ignoring some smaller txt files.

Any thoughts? Thanks!
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Wed May 05, 2010 10:08 pm

Re: .txt file recovery

That's a tough one. Text files have no header and no footer. Thus, there is nothing to carve for. I use either the strings command like you are doing or built-in features in EnCase and FTK to reveal text in unallocated space. It really helps if you have a few search terms to narrow it down. Otherwise, the results just aren't pretty.
~~~~~~~~~~~~~~
Ketchup
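
Added example, not part of either post above: since plain text has no header or footer to carve on, one alternative to filtering 'strings' output is to classify each sector of the image as text or not and report runs of text sectors with their byte offsets. The 512-byte sector size, the NUL-filled slack and the sample image are assumptions constructed for illustration; min_bytes=15 mirrors the sed threshold in the first post.

```python
import io

SECTOR = 512  # assumed sector size of the image
TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}  # printable + tab/LF/CR

def is_text_sector(block):
    """True if every byte, ignoring trailing NUL padding, is plain ASCII text."""
    data = block.rstrip(b"\x00")
    return bool(data) and all(b in TEXT_BYTES for b in data)

def carve_text_runs(stream, min_bytes=15, sector=SECTOR):
    """Yield (offset, data) for each run of consecutive text sectors."""
    offset, start, buf = 0, None, bytearray()
    while True:
        block = stream.read(sector)
        text = bool(block) and is_text_sector(block)
        if text:
            if start is None:
                start = offset
            buf += block
        # A run ends at a non-text sector, at EOF, or at NUL slack padding.
        if start is not None and (not text or block.endswith(b"\x00")):
            data = bytes(buf).rstrip(b"\x00")
            if len(data) >= min_bytes:  # same idea as the sed length filter
                yield start, data
            start, buf = None, bytearray()
        if not block:
            break
        offset += len(block)

def build_sample_image():
    """Constructed 6-sector test image (not real evidence)."""
    def pad(b):
        return b + b"\x00" * (-len(b) % SECTOR)
    # 'strings' would report the embedded string; the sector test rejects it.
    binary = pad(b"\x7fELF" + b"an embedded string inside a binary" + bytes(range(256)))
    notes = pad(b"meeting notes, line of plain text\n" * 20)  # 680 bytes, 2 sectors
    todo = pad(b"todo: image the usb drive\n")
    tiny = pad(b"abc\n")  # below min_bytes, dropped
    return binary + notes + binary + todo + tiny

if __name__ == "__main__":
    for off, data in carve_text_runs(io.BytesIO(build_sample_image())):
        print(f"offset {off}: {len(data)} bytes, starts {data[:30]!r}")
```

Fragmented files come out as separate runs, and two text files stored back to back with no slack between them come out as one run, so the offsets are a starting point for manual review rather than exact file boundaries.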

ziggy_567

Sr. Member

Posts: 378

Joined: Tue Dec 30, 2008 1:53 pm

Post Thu May 06, 2010 9:35 am

Re: .txt file recovery

Thanks for the response, Ketchup. I'd love to play with EnCase, but alas, I don't have the money or really the need...
--
Ziggy


eCPPT - GSEC - GCIH - GWAPT - GCUX - RHCE - SCSecA - Security+ - Network+

Ketchup

Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Thu May 06, 2010 1:38 pm

Re: .txt file recovery

Ziggy, someone had recently mentioned that they were able to get a trial version of EnCase after calling Guidance.  I can't confirm this, and I would doubt it, but it's probably worth a shot.
~~~~~~~~~~~~~~
Ketchup
