User:Laurier Rochon/bbb/hhd forensics: Difference between revisions
Revision as of 17:33, 12 November 2010
Data carving tools (open-source)
- foremost
- scalpel
http://moddr.net/wiki/doku.php?id=data_carving_workshop (more info, including a cheat sheet)
- Install foremost
- Check dmesg for info on the newly connected drive (dmesg | tail to get only recent logs)
- cat /proc/partitions ('sdb' is the one we want, not 'sda', which is our own drive)
- sudo foremost -v -T -o /tmp/report -i /dev/sdb5 (replace sdb5 with drive...)
- Install gqview to view broken files
Pipe the contents of HD to mplayer
- cat /proc/partitions (see all your HD partitions)
- HDD to audio : sudo dd if=/dev/sda3 skip=50000 | aplay -
- HDD to video : sudo gst-launch-0.10 filesrc location=/dev/sda3 ! videoparse ! xvimagesink
or in mplayer
mplayer -rawvideo w=720:h=576 -demuxer rawvideo /dev/sda
Lots of good command-line tricks on http://1010.co.uk/org/HOWTO.html