User:Laurier Rochon/bbb/hhd forensics: Difference between revisions

From XPUB & Lens-Based wiki
No edit summary
 
(7 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Tools to do data carving (open-source) ==
== Data carving tools (open-source) ==




- foremost
*foremost
- scalpel
*scalpel


http://moddr.net/wiki/doku.php?id=data_carving_workshop (infos)
http://moddr.net/wiki/doku.php?id=data_carving_workshop (infos)
http://www.moddr.net/wp-content/datacarving_cheatsheet.png (cheat sheet)
(cheat sheet on there)


- Install foremost
*Install foremost
- Check dmesg for info on the newly connected drive (dmesg | tail to get only recent logs)
*Check dmesg for info on the newly connected drive (dmesg | tail to get only recent logs)
- Cat /proc/partitions (sdbs' is the one we want - not 'sda', that's our own drive)
*Cat /proc/partitions (sdbs' is the one we want - not 'sda', that's our own drive)
- sudo foremost -v -T -o /tmp/report -i /dev/sdb5 (replace sdb5 with drive...)
*sudo foremost -v -T -o /tmp/report -i /dev/sdb5 (replace sdb5 with drive...)
- install gqview to view broken files
*install gqview to view broken files




Pipe the contents of HD to mplayer
'''Pipe the contents of HD to mplayer'''
cat /proc/partitions (see all your HD partitions)
*cat /proc/partitions (see all your HD partitions)
*HDD to audio : sudo dd if=/dev/sd3 skip=50000 | aplay -
*HDD to video : sudo gst-launch-0.10 filesrc location=/dev/sda3 ! videoparse ! xvimagesink


HDD to audio : sudo dd if=/dev/sd3 skip=50000 | aplay -
or in mplayer
HDD to video : sudo gst-launch-0.10 filesrc location=/dev/sda3 ! videoparse ! xvimagesink
 
*mplayer -rawvideo w=720:h=576 -demuxer rawvideo /dev/sda
 
Lots of good command-line tricks on http://1010.co.uk/org/HOWTO.html
 
'''Render your webcam as ASCII art'''
 
*mplayer tv:// -vo aa -monitorpixelaspect 0.5 (use 1-9 for controls)
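
Review bot: the revised foremost step still reads the live partition (-i /dev/sdb5) and nothing in the list says to copy it first. Consider adding a step that images the partition to a file and points -i at the image, so the source drive is read once and the carve can be repeated. Separately, the audio line uses /dev/sd3 while the video line uses /dev/sda3; the two should name the same kind of device node.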

Latest revision as of 18:09, 12 November 2010

Data carving tools (open-source)

  • foremost
  • scalpel

http://moddr.net/wiki/doku.php?id=data_carving_workshop (info; the cheat sheet is on that page)

  • Install foremost
  • Check dmesg for info on the newly connected drive (dmesg | tail to get only recent logs)
  • cat /proc/partitions ('sdb' is the one we want, not 'sda', which is our own drive)
  • sudo foremost -v -T -o /tmp/report -i /dev/sdb5 (replace sdb5 with your drive...)
  • Install gqview to view broken files
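
What the foremost run above is doing, in miniature: an added example (not from the original page or from the foremost project) of simplified header/footer signature carving for JPEGs. The function names, the size cap and the sample bytes are assumptions made for the illustration; `carve_image` expects a saved image file rather than the live device.

```python
import mmap
import os

JPEG_HEADER = b"\xff\xd8\xff"  # SOI marker + first byte of the next marker
JPEG_FOOTER = b"\xff\xd9"      # EOI marker
MAX_SIZE = 20 * 1024 * 1024    # assumed cap so a lost footer cannot span the disk


def carve_jpegs(data, max_size=MAX_SIZE):
    """Return [(offset, bytes)] for each header..footer span found in data."""
    found, pos = [], 0
    while True:
        start = data.find(JPEG_HEADER, pos)
        if start == -1:
            return found
        end = data.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            # Header with no footer in range: fragmented or overwritten file.
            pos = start + 1
            continue
        end += len(JPEG_FOOTER)
        # Simplification: stops at the first footer, so a JPEG with an
        # embedded thumbnail is cut short.
        found.append((start, bytes(data[start:end])))
        pos = end


def carve_image(path, outdir):
    """Carve a saved image file read-only and write each hit named by offset."""
    os.makedirs(outdir, exist_ok=True)
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        hits = carve_jpegs(m)
    written = []
    for offset, blob in hits:
        name = os.path.join(outdir, f"{offset:012d}.jpg")
        with open(name, "wb") as out:
            out.write(blob)
        written.append(name)
    return written


# Constructed sample: two complete fake JPEGs and one orphaned header.
SAMPLE = (b"\x00" * 16 + b"\xff\xd8\xff\xe0AAAA\xff\xd9"
          + b"\x11" * 8 + b"\xff\xd8\xff\xe1BB\xff\xd9"
          + b"\x22" * 4 + b"\xff\xd8\xff\xdbno footer")

if __name__ == "__main__":
    for offset, blob in carve_jpegs(SAMPLE):
        print(offset, len(blob))
```

Files recovered this way carry no name or timestamp from the filesystem, which is why the output is named by byte offset.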


Pipe the contents of HD to mplayer

  • cat /proc/partitions (see all your HD partitions)
  • HDD to audio : sudo dd if=/dev/sda3 skip=50000 | aplay -
  • HDD to video : sudo gst-launch-0.10 filesrc location=/dev/sda3 ! videoparse ! xvimagesink

or in mplayer

  • mplayer -rawvideo w=720:h=576 -demuxer rawvideo /dev/sda

Lots of good command-line tricks on http://1010.co.uk/org/HOWTO.html

Render your webcam as ASCII art

  • mplayer tv:// -vo aa -monitorpixelaspect 0.5 (use 1-9 for controls)