[Forensics Tools] extundelete

Forensics Tools

-----------------------

INDEX

extundelete

Foremost

Galleta

Guymager

iPhone Backup Analyzer

p0f

pdf-parser

pdfid

pdgmail

peepdf

RegRipper

Volatility

Xplico

----------------------------

 

삭제한 파일 복구하기(extundelete)

■ Package Description

extundelete는 ext3 또는 ext4 파티션에서 삭제 된 파일을 복구 할 수있는 유틸리티입니다. 

ext3 및 ext4 파일 시스템은 Mint, Mageia 또는 Ubuntu와 같은 Linux 배포판에서 가장 일반적인 기본 파일 시스템입니다. 

extundelete는 파티션의 저널에 저장된 정보를 사용하여 파티션에서 삭제 된 파일을 복구하려고 시도합니다. 

특정 파일을 삭제 취소 할 수 있다는 보장이 없으므로 항상 올바른 백업 시스템을 갖춰야합니다.

또는 파일을 복구 한 후에도 적절한 백업 시스템을 마련해야 합니다.

 

[주의사항]

4GB 이상의 파일은 지원하지 않는다.

ext3 또는 ext4 파티션에서만 복구 할 수있다.

ext2 type에서는 debugfs 명령어를 사용한다.

 

[사용방법]

1) 복구할 데이터의 파티션 찾기

# fdisk -l

2) 읽기 모드로 복구할 파티션을 리마운트

# mount -o remount, ro /dev/sdb1

3) 파티션 복구

# extundelete /dev/sdb1 --restore-all (# extundelete --restore-all <파티션명>) 

5) 복구된 파일 확인

# tree RECOVERED_FILES/

 

참조 사이트

https://www.youtube.com/watch?v=JuauhnugmPo

 

■ OPTIONS

# extundelete --help

# extundelete --help Usage: extundelete [options] [--] device-file Options:   --version, -[vV]       Print version and exit successfully.   --help,                Print this help and exit successfully.   --superblock           Print contents of superblock in addition to the rest.                          If no action is specified then this option is implied.   --journal              Show content of journal.   --after dtime          Only process entries deleted on or after 'dtime'.   --before dtime         Only process entries deleted before 'dtime'. Actions:   --inode ino            Show info on inode 'ino'.   --block blk            Show info on block 'blk'.   --restore-inode ino[,ino,...]                          Restore the file(s) with known inode number 'ino'.                          The restored files are created in ./RESTORED_FILES                          with their inode number as extension (ie, file.12345).   --restore-file 'path'  Will restore file 'path'. 'path' is relative to root                          of the partition and does not start with a '/' (it                          must be one of the paths returned by --dump-names).                          The restored file is created in the current                          directory as 'RECOVERED_FILES/path'.   --restore-files 'path' Will restore files which are listed in the file 'path'.                          Each filename should be in the same format as an option                          to --restore-file, and there should be one per line.   --output-dir 'path'    Restore files in the output dir 'path'.                          By default the restored files are created under current directory 'RECOVERED_FILES'.   --restore-all          Attempts to restore everything.   -j journal             Reads an external journal from the named file.   -b blocknumber         Uses the backup superblock at blocknumber when opening                          the file system.   -B blocksize           Uses blocksize as the block size when opening the file                          system.  The number should be the number of bytes.

 

[EX] extundelete사용 예제

# extundelete /dev/sda1 --restore-file root/importantfile WARNING: Extended attributes are not restored. WARNING: EXT3_FEATURE_INCOMPAT_RECOVER is set. The partition should be unmounted to undelete any files without further data loss. If the partition is not currently mounted, this message indicates it was improperly unmounted, and you should run fsck before continuing. If you decide to continue, extundelete may overwrite some of the deleted files and make recovering those files impossible.  You should unmount the file system and check it with fsck before using extundelete. Would you like to continue? (y/n) Y Loading filesystem metadata ... 192 groups loaded. Loading journal descriptors ... 29495 descriptors loaded. Writing output to directory RECOVERED_FILES/

마운트를 해제해야 데이터의 손실없이 파일을 복구할 수 있다.

[실습] 삭제된 파일 복구하기

@Kali Linux

선수작업

실습을 위해 새로운 디스크를 장착한다.

 

새로운 디스크 장착 후 확인

# fdisk -l

Disk /dev/sdb: 5 GiB, 5368709120 bytes, 10485760 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disk /dev/sda: 40 GiB, 42949672960 bytes, 83886080 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: dos Disk identifier: 0xfdae13d2   Device      Boot     Start         End    Sectors   Size Id Type /dev/sda1  *          2048 79693823 79691776  38G 83 Linux /dev/sda2       79695870 83884031  4188162   2G  5 Extended /dev/sda5       79695872 83884031  4188160   2G 82 Linux swap / Solaris

 

새로운 파티션 생성

# fdisk /dev/sdb

Welcome to fdisk (util-linux 2.28.1). Changes will remain in memory only, until you decide to write them. Be careful before using the write command.   Device does not contain a recognized partition table. Created a new DOS disklabel with disk identifier 0xf3146eb8.   Command (m for help): p Disk /dev/sdb: 5 GiB, 5368709120 bytes, 10485760 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: dos Disk identifier: 0xf3146eb8   Command (m for help): n Partition type    p   primary (0 primary, 0 extended, 4 free)    e   extended (container for logical partitions) Select (default p): p Partition number (1-4, default 1): 1 First sector (2048-10485759, default 2048):  <Enter> Last sector, +sectors or +size{K,M,G,T,P} (2048-10485759, default 10485759): <Enter>   Created a new partition 1 of type 'Linux' and of size 5 GiB. Command (m for help): Command (m for help): p   Disk /dev/sdb: 5 GiB, 5368709120 bytes, 10485760 sectors Units: sectors of 1 * 512 = 512 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disklabel type: dos Disk identifier: 0xf3146eb8   Device     Boot Start      End  Sectors Size Id Type /dev/sdb1        2048 10485759 10483712   5G 83 Linux   Command (m for help): w The partition table has been altered. Calling ioctl() to re-read partition table. Syncing disks.

 

 

디스크 ext3 타입 형식 으로 포맷

# mkfs.ext3 /dev/sdb1

mke2fs 1.43.1 (08-Jun-2016) Creating filesystem with 1310464 4k blocks and 327680 inodes Filesystem UUID: 74d4c0e4-e224-4d55-8039-a661204522ba Superblock backups stored on blocks:  32768, 98304, 163840, 229376, 294912, 819200, 884736   Allocating group tables: done                            Writing inode tables: done                            Creating journal (32768 blocks): done Writing superblocks and filesystem accounting information: done

 

마운트 작업

# mkdir -p /extundelete

# mount /dev/sdb1 /extundelete/

# df -Th

Filesystem     Type      Size  Used Avail Use% Mounted on udev           devtmpfs  981M     0  981M   0% /dev tmpfs          tmpfs     199M  7.0M  192M   4% /run /dev/sda1      ext4       38G  8.6G   27G  25% / tmpfs          tmpfs     994M  124K  994M   1% /dev/shm tmpfs          tmpfs     5.0M     0  5.0M   0% /run/lock tmpfs          tmpfs     994M     0  994M   0% /sys/fs/cgroup tmpfs          tmpfs     199M   32K  199M   1% /run/user/132 tmpfs          tmpfs     199M   24K  199M   1% /run/user/0 /dev/sr0       iso9660   2.8G  2.8G     0 100% /media/cdrom0 /dev/sdb1      ext3      4.8G   20M  4.6G   1% /extundelete

 

마운트 된 디스크에 임의 파일 생성

# cd /extundelete/

# cp -a /etc .

# cp -a /lib .

# ls

lost+found     etc    lib

 

cp -a : 원본 파일의 속성, 링크 정보를 유지하면서 복사

 

etc디렉터리 삭제(중요파일 삭제)

# rm -rf etc ; ls

lost+found     lib

 

마운트 해제

# cd

# umount /dev/sdb1

 

extundelete 명령어를 통한 복구 수행

# extundelete /dev/sdb1 --restore-file etc/resolv.conf

NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 40 groups loaded. Loading journal descriptors ... 12084 descriptors loaded. Successfully restored file etc/resolv.conf

RECOVERED_FILS 파일이 생성된 것을 확인

# ls

....   RECOVERED_FILS

 

# cat RECOVERED_FILES/etc/resolv.conf

domain example.com
search example.com
nameserver 168.126.63.1

 

 

 

# cat /etc/resolv.conf

domain example.com
search example.com
nameserver 168.126.63.1

 

파일 체크섬 실시

# md5sum /etc/resolv.conf RECOVERED_FILES/etc/resolv.conf

c720a6cb97f7a884f5e3587759ceb33d  /etc/resolv.conf c720a6cb97f7a884f5e3587759ceb33d  RECOVERED_FILES/etc/resolv.conf

 

원본과 동일한 파일인 것을 알 수 있다.

 

 

/extundelete/etc 디렉터리 복구 실시

# extundelete /dev/sdb1 --restore-directory etc

NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 40 groups loaded. Loading journal descriptors ... 12084 descriptors loaded. Searching for recoverable inodes in directory etc ... 13117 recoverable inodes found. Looking through the directory structure for deleted files ... Block 33619980 is out of range. Block 33619980 is out of range. 10930 recoverable inodes still lost.

 

# du -sh ~/RECOVERED_FILES/etc

13M /root/RECOVERED_FILES/etc

# du -sh /etc

13M /etc

전체 복구 하는 방법

 

 

# extundelete /dev/sdb1 --restore-all

NOTICE: Extended attributes are not restored. Loading filesystem metadata ... 40 groups loaded. Loading journal descriptors ... 12084 descriptors loaded. Searching for recoverable inodes in directory / ... 13117 recoverable inodes found. Looking through the directory structure for deleted files ... Block 33619980 is out of range. Block 33619980 is out of range. Unable to restore inode 294946 (lib/firmware/BCM2033-MD.hex): Space has been reallocated. Unable to restore inode 294947 (lib/firmware/RTL8192E): Space has been reallocated. Unable to restore inode 294951 (lib/firmware/STLC2500_R4_00_03.ptc): Space has been reallocated.  .....(중략)

 

# ls RECOVERED_FILES/