Data recovery is an essential part of digital forensics. It matters not only to ethical hackers and penetration testers but also to ordinary people in day-to-day life. You may wonder how. Most of you probably think that once you have formatted your hard drive or your cell phone, all of your data is gone. That is not true. A quick format only rewrites the filesystem's bookkeeping and a plain delete rewrites even less; the file contents stay on the medium until something overwrites them. So if all that happened is a format or a delete, recovery is an easy task that can be done with simple, free tools available online; only a full overwrite, or the loss of an encryption key, actually puts data beyond reach. To novices who have no idea about this, data recovery can be a deal-breaking situation. Some of you may not even know what data recovery is or what digital forensics involves. So let's take a deeper look.
Digital Forensics
Most of you may think that once you have a password-protected hard disk drive your data is secure, and that if you delete everything and format it again, it is gone. That is not the case: an operating-system password does not encrypt what is on the platters, and a format does not overwrite them. This is where digital forensics comes into play.
Digital forensics overlaps heavily with ethical hacking. It deals not only with data recovery but also with detecting data manipulation and tracking down the source of images, videos and MP3s uploaded to the web. It is a diverse field: it also covers scanning, repairing and gathering intelligence from badly corrupted hard disk drives and from other devices such as cell phones, PDAs, portable computers, biometric systems and many more. Data recovery is thus one of the most essential parts of cybercrime investigation, since enough data about a specific hacker or party can help solve the crime, and failing that, the recovered data at least helps identify the attacker's working method.
Daily Life Scenario
Now you may think: OK, that's fine for a white hat or a penetration tester, but how is it useful in daily life? Let me give you a real-life scenario.
Scenario I: Nexus 5 Revelation
Back when I started learning about hacking, I was a gadget freak. I always had the habit of buying a lot of devices and experimenting with them. But since money was an issue, I used to buy second-hand cell phones sold on eBay, OLX or by roadside sellers for a quarter of the original price. Not so long ago, while experimenting with a Nexus 5 I had bought from eBay for 8K, I lost a lot of the data I had on it. It happened something like this:
Nexus 5 Bootloader
After I bought the Nexus 5, which the previous owner had fully formatted, I rooted it and installed CyanogenMod 11 (CM11, KitKat) with a custom AK kernel. It worked so well that I started using it as my daily driver. But when I tried to overclock it, the phone went dead: the battery had burnt out from the overload. I bought another battery and soldered it in, but when I started the phone it was stuck in a bootloop (a never-ending loading screen on start-up). So I had to reinstall the whole OS. But since I wanted to recover all the data I had on it, I had to do some monkey gimmicks to get it back; it was not a straightforward situation. And when I say data recovery, I don't mean the internal storage contents, I mean the actual phone data where settings and other things are stored. So I started looking online for data recovery tools and found the Safecopy tool for Linux. I was comfortable in Linux but had never heard of it. I installed it by typing:
$ apt-get install safecopy
Once installed, I tried to make a whole disk image of the data and cache partitions with Safecopy using the command below:
$ safecopy /dev/Nexus5 nexus5.iso
My whole data set was something like 5-6 GB, but the recovered image turned out to be around 14 GB. I was shocked to see that. Since I was desperate and curious to get my data back without corruption, I also used adb (Android Debug Bridge) to take a backup.
I installed adb tools in Linux by typing:
$ apt-get install android-tools-adb
I used the following command to take a full backup of my cell phone:
$ adb backup -apk -shared -all -f /root/temp.ab
If you just want a backup without the APK files, leave out -apk:
$ adb backup -all -f /root/temp.ab
Run adb help to see more flags and options.
Now comes the most shocking part. It took approximately 3-4 hours to get the full backup of the phone. Once done, the file I received was 33 GB. I was shell-shocked when I saw this. My Nexus 5 was a 16 GB model, of which I had only 12 GB available to store things, and of that I had used only 5-6 GB. So where the heck did the remaining 26 GB come from? The worse question was where it had all been stored. Confused, I used SQLite Viewer to look at the backup file before restoring it, and what I saw was unbelievable. It had not only backed up my own data: when I restored it, all the data the previous owner had stored was restored as well. I could view the Facebook chats and the WeChat data using the SQLite browser and SQLite Viewer. It was just a matter of time before I could separate the old recovered data from my own. I could also have recovered the SMS and contact information using the infamous Sleuth Kit, but I thought I would give it a bit of time before mastering basic database recovery. I also recovered the WhatsApp database, and with a little social engineering I also hacked the encryption key of the person from whom I had bought the phone. I later called that person, since he was a humble man, and informed him about the issues that could have arisen if this had fallen into the wrong hands.
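Before the backup goes anywhere near a SQLite viewer it has to be unpacked, and whether that is even possible is decided by four plain-text lines that adb writes in front of the payload. The script below is an added example, not from the original article or from Android's own tooling: it constructs two sample .ab files (one unencrypted, one marked AES-256), reads the header fields, computes where the payload begins, and refuses the encrypted one. Real backups start exactly the same way; the payload bytes here are dummies.

```shell
#!/bin/sh
# Added example, not from the original article or from Android's tooling:
# read the plain-text header that adb backup writes in front of the payload
# and decide whether the file can be unpacked at all. Both sample backups
# are constructed here; real ones start with the same four lines.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SAMPLE_PLAIN="$WORK/temp.ab"
SAMPLE_ENC="$WORK/locked.ab"

# adb backup header: magic, format version, compressed flag (1 = zlib),
# encryption algorithm ("none" or "AES-256"), each line newline-terminated,
# followed immediately by the (compressed) tar payload.
printf 'ANDROID BACKUP\n1\n1\nnone\n' > "$SAMPLE_PLAIN"
printf '\170\234not-really-zlib-data' >> "$SAMPLE_PLAIN"   # 78 9c = zlib stream header
printf 'ANDROID BACKUP\n5\n1\nAES-256\n' > "$SAMPLE_ENC"
printf 'salt-and-key-material-would-follow' >> "$SAMPLE_ENC"

# Nth header line of an .ab file.
ab_field() { head -n "$2" "$1" | tail -n 1; }

# Byte offset at which the payload starts: the length of the four header
# lines. It is 24 for an unencrypted backup, but not fixed, so compute it.
ab_payload_offset() { head -n 4 "$1" | wc -c | tr -d ' '; }

# Prints one summary line and returns 0 if the payload can be unpacked,
# 1 if the backup is encrypted (you need the backup password first),
# 2 if this is not an adb backup at all.
ab_check() {
    [ "$(ab_field "$1" 1)" = "ANDROID BACKUP" ] || { echo "$1: not an adb backup" >&2; return 2; }
    ver=$(ab_field "$1" 2); comp=$(ab_field "$1" 3); enc=$(ab_field "$1" 4)
    case "$ver" in 1|2|3|4|5) ;; *) echo "$1: unknown format version $ver" >&2; return 2;; esac
    if [ "$enc" != "none" ]; then
        echo "$1: encrypted with $enc; supply the backup password before unpacking" >&2
        return 1
    fi
    echo "version=$ver compressed=$comp encryption=$enc payload_offset=$(ab_payload_offset "$1")"
}

# Stand-alone demonstration.
ab_check "$SAMPLE_PLAIN"
ab_check "$SAMPLE_ENC" || echo "exit status $? for the encrypted sample"
```

For an unencrypted, compressed backup the bytes from payload_offset onward are a zlib stream containing a tar archive; its apps/<package>/ directories list every app whose data is inside, which is the place to look for a previous owner's accounts before you restore anything. Decompressing that stream needs a zlib-capable tool and is not shown here.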
Scenario II: The Kevin Mitnick Method
I doubt that many of you have heard of the infamous hacker Kevin Mitnick. He has written several books on social engineering and hacking. He was on the FBI's most wanted list and served about five years in prison before his release in 2000. You may be wondering why I mention this. The reason is that Kevin was an excellent social engineer, and I have used several of his tricks to penetrate websites and organisations (legally, obviously). What he did was very impressive: he would impersonate someone else to gain physical access to an organisation and then hack it. He also practised dumpster diving, through which he gained access to sensitive files thrown away as rubbish.
When I read his book "The Art of Deception", I thought I'd give it a try. This was two years back, when I was working at a different IT organisation. I knew that every three years the company kept itself up to date by replacing some hardware, and it sold these components in lots to the highest bidder on eBay. So I bought a few hard drives from there. They were all clean, formatted and slow. I used a tool called EASEUS Data Recovery to recover deleted data; at that time I didn't know about safecopy, so I used this software. I tried the trial version first and found lots of files, but they were severely damaged and I couldn't recover them. Besides, the files shown as recoverable were more than 2-3 years old. I had a live disk, Knoppix, the famous live disk for troubleshooting anything, but what I did, as I later realised, could be done with any Linux distribution and not just Knoppix. I used the dd command to clone the whole hard disk and scan it sector by sector. dd is a low-level block copying utility on Linux and other Unix systems: it copies raw bytes from one device or file to another, so it can clone a whole drive, a single partition or a chosen range of it, with the block size under your control.
I used the following command to clone the hard disk:
$ dd if=/dev/sdb1 of=/root/tempclone.iso bs=2048
Here you can choose any block size you like; 512 to 4096 bytes matches the physical sector size of most drives, and going larger only helps throughput if you know what you are doing. The command tells dd to read the partition device /dev/sdb1 (the first partition on the second disk; this is a device node, not a label) and write a byte-for-byte copy of it to /root/tempclone.iso with a block size of 2048 bytes. The output is a raw image; whether you name it .iso or .img makes no difference to dd. You can also reverse the process and write the image back onto a physical partition:
$ dd if=/root/tempclone.iso of=/dev/sdb1 bs=1024
Here, I always prefer to use a small block size, purely out of personal preference. You can increase it if you want, but I have had bad experiences with that in the past, hence the small block size.
By cloning the HDD you now have a full, byte-for-byte copy of it on your computer, and every recovery step from here on should run against that copy, never against the original. Note that a quick format is no obstacle to this: it only rewrites the filesystem's metadata, so the old file contents are still on the platters in unallocated space, which is exactly what a recovery tool such as EASEUS digs out when you point it at the image. The order matters most when the disk is physically failing. If the hard disk has irrecoverable bad sectors it may refuse to read the remaining chunks of data near that sector, and plain dd aborts at the first read error, so tell it to carry on past unreadable blocks and pad them with zeros (dd's conv=noerror,sync options, or a purpose-built imager such as safecopy, which the first scenario used) rather than trying to repair the drive first. Once you have an image, run recovery against it, and use the following tools on the physical drive to map its bad sectors and check the health of the hardware, so you know which parts of the image are padding rather than data. One caveat: HDD LLF is a low-level format tool that overwrites the drive, so keep it away from the disk until the image has been taken and verified:
HDDscan
(http://hddscan.com/)
HDDLLF
(http://hddguru.com/)
Check Flash
(http://mikelab.kiev.ua/index_en.php?page=PROGRAMS/chkflsh_en)
Chip Genius
(www.usbdev.ru/files/chipgenius/)
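The clone-first order is worth seeing on a small scale. The script below is an added example, not code from the original article or from any of the tools listed; it needs only a POSIX shell and coreutils (dd, sha256sum, grep). It builds a 4 MiB file that stands in for /dev/sdb1, plants a fake filesystem header at the front and a made-up HR record in the unallocated area, clones the file the way the dd command in this section does but with conv=noerror,sync so a bad sector would not abort the copy, checks the clone against the source by SHA-256, and then shows that a quick format (modelled as zeroing only the first 64 KiB, where filesystem metadata lives) leaves the record recoverable by a raw search of the image while a full overwrite removes it. Paths, sizes and the record are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article: clone -> verify -> carve,
# and why a quick format is not a wipe. Everything here is constructed:
# the "drive" is a 4 MiB file and the HR record is made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DRIVE="$WORK/drive.img"   # stands in for /dev/sdb1
IMAGE="$WORK/clone.img"   # raw clone, what the article calls tempclone.iso
RECORD='EMP-0042,PF-ACCOUNT-12345,SALARY-55000'

# Fake filesystem header at offset 0 and a "deleted" record deep in the
# unallocated area (offset 384 * 4096 = 1.5 MiB).
make_drive() {
    dd if=/dev/zero of="$DRIVE" bs=1048576 count=4 2>/dev/null
    printf 'FAKEFS-HEADER\n' | dd of="$DRIVE" bs=4096 conv=notrunc 2>/dev/null
    printf '%s\n' "$RECORD" | dd of="$DRIVE" bs=4096 seek=384 conv=notrunc 2>/dev/null
}

# Forensic clone. conv=noerror,sync makes dd keep going past unreadable
# sectors and zero-pad them instead of aborting, so a failing drive still
# yields an image; the hole shows up as padding, not as a truncated file.
clone_drive() {
    dd if="$DRIVE" of="$IMAGE" bs=4096 conv=noerror,sync 2>/dev/null
}

# Integrity check: the image must hash identically to the source.
# (conv=sync pads a final partial block, so if the source size is not a
# multiple of bs the image is longer and the hashes legitimately differ.)
hashes_match() {
    [ "$(sha256sum "$DRIVE" | cut -d' ' -f1)" = "$(sha256sum "$IMAGE" | cut -d' ' -f1)" ]
}

# Poor man's carving: count lines containing a marker in a raw image.
# -a forces grep to treat the binary as text; -c prints the count.
marker_count() {
    LC_ALL=C grep -a -c "$2" "$1" || true
}

# "Quick format": only the metadata at the front of the device is rewritten.
quick_format() {
    dd if=/dev/zero of="$1" bs=65536 count=1 conv=notrunc 2>/dev/null
}

# Full overwrite: every byte replaced. Short of encryption, this is the only
# thing that actually defeats recovery.
wipe() {
    dd if=/dev/zero of="$1" bs=1048576 count=4 conv=notrunc 2>/dev/null
}

# Stand-alone demonstration.
make_drive
clone_drive
hashes_match && echo "clone verified: sha256 matches the source"
echo "header present after clone:         $(marker_count "$IMAGE" FAKEFS-HEADER)"
echo "records found after clone:          $(marker_count "$IMAGE" PF-ACCOUNT-12345)"
quick_format "$IMAGE"
echo "header present after quick format:  $(marker_count "$IMAGE" FAKEFS-HEADER)"
echo "records found after quick format:   $(marker_count "$IMAGE" PF-ACCOUNT-12345)"
wipe "$IMAGE"
echo "records found after full overwrite: $(marker_count "$IMAGE" PF-ACCOUNT-12345)"
```

Run it as a normal user; nothing touches a real device. On a real failing drive, compare the source hash only while the drive still reads cleanly: once conv=noerror has padded unreadable sectors the image legitimately differs from the disk, and the hash you record is the image's own, taken before any recovery tool touches it.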
By doing this I extracted approximately 390 GB of data from the 500 GB hard drive, of which I could recover about 236 GB of uncorrupted data. This was a serious issue, because the information was extremely confidential. Looking at the data, I saw that this was the hard drive used by the human resources team to store salary, provident fund and other accounting information. I quickly took this back to the head of the IT department and informed him, but since this is India, no proper action was taken. I recommended that the company destroy its hard disks rather than sell them, because it could be a nightmare if the bank account details got into the wrong hands. Nevertheless, I was asked to stand down. However, I got a promotion out of it, which is altogether a different story.
Digital forensics and Data Recovery: Aftermath
The point here is that data recovery applies not only to organisations but to anyone who stores confidential data on an electronic device. I could go on and on about this, but the important thing to know is how to make sure data is gone when you want it gone. One approach, used by attackers and defenders alike, is LUKS full-disk encryption: what sits on the disk is ciphertext, so destroying the LUKS header and its key slots (cryptsetup luksErase) leaves every sector unreadable without having to overwrite the whole drive, and any tampering with the header has the same effect. That makes data recovery useless, just as a full overwrite of every byte with zeros (or random data) does. But LUKS is not child's play for everyone, and it has a big disadvantage: if you forget the passphrase, or the header is damaged and you have no backup of it, the data cannot be recovered no matter what. Still, it is better that no one has access to the data than that some thief uses it for malicious purposes.
Data recovery and digital forensics are also the reason why attackers normally securely delete everything on the victim machine once their work is done, so that nothing can be traced back to them. There is always more to it than it seems. Data recovery, like anything else on the planet, is both a boon and a curse. They are two sides of the same coin: you cannot keep one while destroying the other.
The post What is Digital forensics and Data Recovery? appeared first on eduCBA.