User:Laurier Rochon/bbb/hhd forensics: Difference between revisions
Line 6: | Line 6: | ||
http://moddr.net/wiki/doku.php?id=data_carving_workshop (infos) | http://moddr.net/wiki/doku.php?id=data_carving_workshop (infos) | ||
http://www.moddr.net/wp-content/datacarving_cheatsheet.png (cheat sheet) | |||
- Install foremost | - Install foremost | ||
Line 13: | Line 14: | ||
- install gqview to view broken files | - install gqview to view broken files | ||
Pipe the contents of HD to mplayer | Pipe the contents of HD to mplayer | ||
cat /proc/partitions (see all your HD partitions) | cat /proc/partitions (see all your HD partitions) | ||
HDD to audio : sudo dd if=/dev/sd3 skip=50000 | aplay - | |||
HDD to video : sudo gst-launch-0.10 filesrc location=/dev/sda3 ! videoparse ! xvimagesink |
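Review bot: the added "HDD to audio" line reads from /dev/sd3, which has no drive letter, while the "HDD to video" line next to it uses /dev/sda3 and the foremost step uses /dev/sdb5, so this looks like a typo for /dev/sda3. It would also help to say which drive is meant here, since the earlier steps call sda "our own drive", and to note that skip=50000 counts in dd's default 512-byte blocks.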
Revision as of 21:11, 11 November 2010
Tools to do data carving (open-source)
- foremost
- scalpel

http://moddr.net/wiki/doku.php?id=data_carving_workshop (infos)
http://www.moddr.net/wp-content/datacarving_cheatsheet.png (cheat sheet)

- Install foremost
- Check dmesg for info on the newly connected drive (dmesg | tail to get only recent logs)
- cat /proc/partitions ('sdb' is the one we want, not 'sda', that's our own drive)
- sudo foremost -v -T -o /tmp/report -i /dev/sdb5 (replace sdb5 with drive...)
- Install gqview to view broken files
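What the foremost step does, reduced to its core idea: header/footer carving for JPEG over a constructed in-memory "disk". This is an added example, not part of the original notes and not foremost's own code; the function names, sample bytes and size cap are assumptions for illustration.

```python
# Added example: header/footer file carving on raw bytes (illustrative only).
JPEG_SOI = b"\xff\xd8\xff"  # JPEG start-of-image plus first byte of the next marker
JPEG_EOI = b"\xff\xd9"      # JPEG end-of-image marker


def carve_jpegs(data, max_size=10 * 1024 * 1024):
    """Scan raw bytes and return (offset, length, complete) per JPEG candidate.

    complete is False when no footer was found within max_size bytes of the
    header; such a span is the kind of broken file you then inspect by eye.
    """
    found = []
    pos = 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start == -1:
            break
        # Look for the footer only inside the size cap, as carvers do,
        # so one stray header cannot swallow the rest of the disk.
        end = data.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            length = min(max_size, len(data) - start)
            found.append((start, length, False))
            pos = start + len(JPEG_SOI)  # keep scanning inside the span
        else:
            end += len(JPEG_EOI)
            found.append((start, end - start, True))
            pos = end
    return found


def build_sample_image():
    """Constructed sample: two intact JPEG-like blobs and one without a footer."""
    jpeg_a = JPEG_SOI + b"\xe0" + b"A" * 20 + JPEG_EOI
    jpeg_b = JPEG_SOI + b"\xe1" + b"B" * 8 + JPEG_EOI
    broken = JPEG_SOI + b"\xe0" + b"C" * 5  # header only, footer lost
    return (b"\x00" * 512 + jpeg_a + b"\x00" * 100 + jpeg_b
            + b"\x00" * 50 + broken + b"\x00" * 10)


if __name__ == "__main__":
    for offset, length, complete in carve_jpegs(build_sample_image()):
        state = "complete" if complete else "no footer (broken)"
        print(f"offset={offset} length={length} {state}")
```

The scan never consults a file system, which is why carving still finds files on a drive whose partition table or directory entries are gone.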
Pipe the contents of HD to mplayer
cat /proc/partitions (see all your HD partitions)
HDD to audio : sudo dd if=/dev/sda3 skip=50000 | aplay -
HDD to video : sudo gst-launch-0.10 filesrc location=/dev/sda3 ! videoparse ! xvimagesink