USB Forensics Analysis

I chose to put this in BT because it is set up for Forensics & comes with multiple tools for the job.. this was just



Today we will do a quick forensic analysis on a flash drive that looks blank but has had a bunch of data erased from it. One caution before starting: TestDisk's Analyse and Quick Search only read, but the tool can also write a new partition table, so in a real case you image the stick first and point TestDisk at the image rather than at the device.
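Imaging first is the step a practitioner would not skip, so here is an added example of it (not TestDisk's code and not from the original post): a small imager that behaves like dd with conv=noerror,sync, records any unreadable blocks instead of silently shortening the image, and verifies the copy by hash. /dev/sdc is the device from the TestDisk screens below and /home/developer/Forensics is the directory used at the end of the post; both are only defaults here, and the 1 MiB random file in demo() is a constructed stand-in for the stick.

```python
"""Image a USB stick before analysis and prove the image matches.

Added example: not TestDisk's code and not from the original post. Run as
root with the stick NOT mounted (or mounted read-only) so nothing writes
to it while it is being read.
"""
import hashlib
import os
import shutil
import sys
import tempfile

DEFAULT_SRC = "/dev/sdc"                               # device shown in the post
DEFAULT_DEST = "/home/developer/Forensics/usb.dd"      # case dir from the post; assumption


def image_device(src, dest, block=1 << 20):
    """Sector-exact copy of src into dest. A block that raises an I/O error is
    written as zeros and its offset recorded (dd's conv=noerror,sync), so the
    image keeps the device's size and geometry rather than silently shrinking.
    Returns {"bytes", "bad_blocks", "sha256"}; sha256 is the image's digest."""
    fd = os.open(src, os.O_RDONLY)
    digest, bad, total = hashlib.sha256(), [], 0
    try:
        size = os.lseek(fd, 0, os.SEEK_END)   # works for files and block devices
        with open(dest, "wb") as out:
            for off in range(0, size, block):
                want = min(block, size - off)
                try:
                    data = bytearray()
                    while len(data) < want:   # a short pread is not an error
                        piece = os.pread(fd, want - len(data), off + len(data))
                        if not piece:
                            break
                        data += piece
                    data = bytes(data)
                except OSError:
                    bad.append(off)           # log the hole, keep the geometry
                    data = bytes(want)
                out.write(data)
                digest.update(data)
                total += len(data)
    finally:
        os.close(fd)
    return {"bytes": total, "bad_blocks": bad, "sha256": digest.hexdigest()}


def sha256_of(path, block=1 << 20):
    """Streaming SHA-256 of a file or device."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(src, dest):
    """True when device and image hash the same. Hash the device again after
    TestDisk is done to show the evidence itself was never modified."""
    return sha256_of(src) == sha256_of(dest)


def demo():
    """Constructed stand-in for /dev/sdc: a 1 MiB file of random bytes, imaged
    and verified in a scratch directory. Returns the report plus the checks."""
    work = tempfile.mkdtemp()
    try:
        src, dest = os.path.join(work, "fake-sdc.bin"), os.path.join(work, "usb.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(1 << 20))
        rep = image_device(src, dest, block=64 * 1024)
        rep["match"] = verify_image(src, dest)
        rep["size_ok"] = os.path.getsize(dest) == os.path.getsize(src)
        return rep
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    if len(sys.argv) == 3:      # e.g. image.py /dev/sdc /home/developer/Forensics/usb.dd
        src, dest = sys.argv[1], sys.argv[2]
        rep = image_device(src, dest)
        print(rep["bytes"], "bytes,", len(rep["bad_blocks"]), "bad blocks, sha256", rep["sha256"])
        print("image matches device:", verify_image(src, dest))
    else:
        print(demo())
```

Afterwards run testdisk /log /home/developer/Forensics/usb.dd: TestDisk accepts an image file in place of a device, and the rest of the walkthrough is identical. If bad_blocks is not empty the hashes will differ by design; keep that list with the case notes, since those sectors are zeros in the image.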

So we will start out by launching testdisk (as root, so it can open the raw device) =>

TestDisk 6.13, Data Recovery Utility, November 2011
Christophe GRENIER 
http://www.cgsecurity.org


TestDisk is free data recovery software designed to help recover lost
partitions and/or make non-booting disks bootable again when these symptoms
are caused by faulty software, certain types of viruses or human error.
It can also be used to repair some filesystem errors.

Information gathered during TestDisk use can be recorded for later
review. If you choose to create the text file, testdisk.log , it
will contain TestDisk options, technical information and various
outputs; including any folder/file names TestDisk was used to find and
list onscreen.

Use arrow keys to select, then press Enter key:
>[ Create ] Create a new log file
[ Append ] Append information to log file
[ No Log ] Don't record anything

So choose Create to start a new log file; testdisk.log records every option chosen and every file name TestDisk lists, which is the record you want to keep with a case. Then let's start recovering data!

TestDisk 6.13, Data Recovery Utility, November 2011
Christophe GRENIER 
http://www.cgsecurity.org

TestDisk is free software, and
comes with ABSOLUTELY NO WARRANTY.

Select a media (use Arrow keys, then press Enter):
Disk /dev/sda - 320 GB / 298 GiB - TOSHIBA MK3275GSX
>Disk /dev/sdc - 8036 MB / 7663 MiB - Best Buy Geek Squad
Disk /dev/mapper/cryptswap1 - 10305 MB / 9828 MiB
Disk /dev/mapper/lubuntu-root - 309 GB / 288 GiB
Disk /dev/mapper/lubuntu-swap_1 - 10305 MB / 9828 MiB
Disk /dev/mapper/sda5_crypt - 319 GB / 297 GiB
Disk /dev/dm-0 - 319 GB / 297 GiB
Disk /dev/dm-1 - 309 GB / 288 GiB
Disk /dev/dm-2 - 10305 MB / 9828 MiB
Disk /dev/dm-3 - 10305 MB / 9828 MiB



>[Proceed ] [ Quit ]

Note: Disk capacity must be correctly detected for a successful recovery.
If a disk listed above has incorrect size, check HD jumper settings, BIOS
detection, and install the latest OS patches and disk drivers.

We select the flash drive, /dev/sdc, & Proceed. Check the size shown here against the stick's label first: as TestDisk's note above says, a wrongly detected capacity breaks recovery.

Disk /dev/sdc - 8036 MB / 7663 MiB - Best Buy Geek Squad

Please select the partition table type, press Enter when done.
[Intel ] Intel/PC partition
[EFI GPT] EFI GPT partition map (Mac i386, some x86_64...)
[Humax ] Humax partition table
[Mac ] Apple partition map
>[None ] Non partitioned media
[Sun ] Sun Solaris partition
[XBox ] XBox partition
[Return ] Return to disk selection

Select None (non-partitioned media). Many flash drives are formatted as a single filesystem with no partition table; if you pick None and the search turns up nothing, come back to this menu and try Intel.

Disk /dev/sdc - 8036 MB / 7663 MiB - CHS 977 255 63

>[ Analyse ] Analyse current partition structure and search for lost partitions
[ Advanced ] Filesystem Utils
[ Geometry ] Change disk geometry
[ Options ] Modify options
[ Quit ] Return to disk selection

And we Analyse.


Disk /dev/sdc - 8036 MB / 7663 MiB - CHS 977 255 63
Current partition structure:
Partition Start End Size in sectors

P Unknown 0 0 1 977 5 51 15695871



>[Quick Search]
Try to locate partition

Do a Quick Search.

Disk /dev/sdc - 8036 MB / 7663 MiB - CHS 977 255 63
Partition Start End Size in sectors
>P FAT32 0 1 1 976 254 63 15695442



Structure: Ok.


Keys T: change type, P: list files,
Enter: to continue
FAT32, 8036 MB / 7663 MiB

Even though we told TestDisk the media was not partitioned, Quick Search found a FAT32 filesystem (see the >P FAT32 line). It starts at CHS 0/1/1, i.e. sector 63, which is where the first MBR partition traditionally begins, so the stick most likely had a partition table after all; TestDisk finds the filesystem by scanning for its boot sector rather than trusting the table, which is exactly what you want on a stick someone has been reformatting.
Now press P to list the files, which were not visible when we opened the drive normally.

P FAT32 0 1 1 976 254 63 15695442
Directory /

>-rwxr-xr-x 0 0 0 22-Jan-2013 03:08 test
drwxr-xr-x 0 0 0 31-May-2012 00:28 _ISK~1
-rwxr-xr-x 0 0 11227 26-Oct-2012 13:23 559515_214408882024167_1492052605_n.jpg
drwxr-xr-x 0 0 0 2-Oct-2012 21:20 _ODC
-rwxr-xr-x 0 0 24374 12-Oct-2012 18:18 20530.jpg
-rwxr-xr-x 0 0 92508 12-Oct-2012 18:14 Cool_guy_antiACTA.jpeg
-rwxr-xr-x 0 0 26852 11-Oct-2012 15:50 Icon-FistNEHouse.png
-rwxr-xr-x 0 0 33717 12-Oct-2012 18:23 masks_guy_fawkes_anonymous_V_for_vendetta_black_and_white_logo_poster_www.Vvallpaper.net2.jpg
-rwxr-xr-x 0 0 100956 11-Oct-2012 15:48 Portland-FistRose-New.png
-rwxr-xr-x 0 0 4456 12-Oct-2012 18:25 th.jpeg
drwxr-xr-x 0 0 0 27-Oct-2012 04:24 _S17
drwxr-xr-x 0 0 0 31-May-2012 00:41 vistatables
drwxr-xr-x 0 0 0 12-Jun-2012 12:54 _USICAS
drwxr-xr-x 0 0 0 27-Oct-2012 00:05 .Trash-1000
drwxr-xr-x 0 0 0 13-Jun-2012 15:56 _DWRT
drwxr-xr-x 0 0 4096 26-Jun-2012 19:24 _848169_
drwxr-xr-x 0 0 4096 23-Aug-2012 14:09 _451196_

Except for .Trash-1000, all of these show in red, meaning they are deleted. Two things in this listing are TestDisk artefacts rather than facts about the files. First, the leading underscore in names like _ODC, _S17, _USICAS and _DWRT is not part of the name: when FAT deletes an entry it overwrites the first byte of the 8.3 directory entry with 0xE5, and TestDisk prints that lost character as _ (the trash listing further down shows the real names: #ODC, #S17, MUSICAS, ddwrt). Entries with long file names, like the .jpg files, keep their full name because the long-name entries hold the text in other bytes of the entry. Second, the rwxr-xr-x permissions and 0 0 owner/group are what TestDisk prints for every entry on FAT32; the filesystem stores no Unix owner or mode at all, so they tell you nothing about who created the files.
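To see where the red rows and the _ names come from, here is the on-disk structure TestDisk is reading. This is an added example, not TestDisk's code and not from the original post: it builds three constructed FAT32 directory entries modelled on rows of the listing above (MUSICAS live, #ODC deleted with only an 8.3 name, Cool_guy_antiACTA.jpeg deleted with a long file name; the cluster numbers are invented) and decodes them the way the file lister does.

```python
"""Decode raw FAT32 directory entries the way TestDisk's file lister shows
them. Added example: not TestDisk's code and not from the original post.
SAMPLE_DIR is constructed to mirror three kinds of rows in the listing
(a live directory, a deleted 8.3-only directory, a deleted file with a
long file name); cluster numbers are made up.
"""
import struct
from datetime import datetime

ATTR_DIR, ATTR_LFN = 0x10, 0x0F


def fat_encode(dt):
    """datetime -> (date word, time word); FAT keeps seconds in 2 s units."""
    return (((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
            (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))


def fat_decode(date, time):
    """Inverse of fat_encode; None for the zeroed fields some writers leave."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None


def sfn_checksum(name11):
    """Checksum of the 8.3 name that each long-name fragment carries."""
    s = 0
    for b in name11:
        s = ((((s & 1) << 7) | (s >> 1)) + b) & 0xFF
    return s


def short_entry(name11, attr, mtime, first_cluster=0, size=0, deleted=False):
    """32-byte 8.3 entry. Deleting only overwrites byte 0 with 0xE5; size,
    first cluster and timestamps stay, which is why recovery works."""
    if deleted:
        name11 = b"\xe5" + name11[1:]
    d, t = fat_encode(mtime)
    return struct.pack("<11sBBBHHHHHHHI", name11, attr, 0, 0, t, d, d,
                       first_cluster >> 16, t, d, first_cluster & 0xFFFF, size)


def lfn_entries(long_name, name11, deleted=False):
    """Long-name fragments (13 UTF-16 chars each), stored last-fragment-first
    in front of the 8.3 entry. Byte 0 holds the ordinal, so 0xE5 destroys
    the ordering, not the name text: deleted long names survive intact."""
    chars = long_name.encode("utf-16-le")
    if len(long_name) % 13:
        chars += b"\x00\x00"
    chars += b"\xff" * (-len(chars) % 26)
    chk, n, out = sfn_checksum(name11), len(chars) // 26, []
    for i in range(n):
        c = chars[i * 26:(i + 1) * 26]
        ordinal = 0xE5 if deleted else (i + 1) | (0x40 if i == n - 1 else 0)
        out.append(bytes([ordinal]) + c[:10] + bytes([ATTR_LFN, 0, chk])
                   + c[10:22] + b"\x00\x00" + c[22:26])
    return b"".join(reversed(out))


def parse_directory(raw):
    """Walk 32-byte entries and return TestDisk-style rows. A deleted 8.3
    name gets a leading '_' because its real first byte is gone for good."""
    rows, fragments = [], []
    for off in range(0, len(raw) - 31, 32):
        e = raw[off:off + 32]
        if e[0] == 0x00:                       # end of directory
            break
        if e[11] == ATTR_LFN:                  # name fragment; keep disk order
            fragments.append(e[1:11] + e[14:26] + e[28:32])
            continue
        deleted = e[0] == 0xE5
        base, ext = e[0:8], e[8:11]
        if e[0] == 0x05:                       # escaped real 0xE5 first byte
            base = b"\xe5" + base[1:]
        short = base.decode("latin-1").rstrip()
        if ext.strip():
            short += "." + ext.decode("latin-1").rstrip()
        if deleted:
            short = "_" + short[1:]
        long_name = None
        if fragments:
            text = b"".join(reversed(fragments)).decode("utf-16-le", "replace")
            long_name, fragments = text.split("\x00")[0].rstrip("\uffff"), []
        hi, wtime, wdate, lo, size = struct.unpack_from("<HHHHI", e, 20)
        rows.append({"name": long_name or short, "short": short,
                     "deleted": deleted, "is_dir": bool(e[11] & ATTR_DIR),
                     "size": size, "first_cluster": (hi << 16) | lo,
                     "mtime": fat_decode(wdate, wtime)})
    return rows


# Constructed directory: names and timestamps follow the listing above.
SAMPLE_DIR = (
    short_entry(b"MUSICAS    ", ATTR_DIR, datetime(2012, 6, 12, 12, 54), 9)
    + short_entry(b"#ODC       ", ATTR_DIR, datetime(2012, 10, 2, 21, 20), 41, deleted=True)
    + lfn_entries("Cool_guy_antiACTA.jpeg", b"COOL_G~1JPE", deleted=True)
    + short_entry(b"COOL_G~1JPE", 0x20, datetime(2012, 10, 12, 18, 14), 7723, 92508, True)
    + bytes(32)                                # first byte 0x00: end marker
)

if __name__ == "__main__":
    for r in parse_directory(SAMPLE_DIR):
        flag = ("d" if r["is_dir"] else "-") + (" DEL " if r["deleted"] else "     ")
        print(flag, f"{r['size']:>8}", r["mtime"], r["name"], f"(8.3: {r['short']})")
```

Run it and the second row prints as _ODC while the third keeps its long name, with size 92508, timestamp and starting cluster intact: the deletion touched one byte per entry, which is why TestDisk can still copy the file out as long as its clusters have not been reused.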
So let's move the cursor to .Trash-1000 (the trash folder a freedesktop.org-style Linux file manager creates on removable media for the user with uid 1000, which is why it sits beside the deleted files) =>

P FAT32 0 1 1 976 254 63 15695442
Directory /.Trash-1000

drwxr-xr-x 0 0 0 27-Oct-2012 00:05 .
drwxr-xr-x 0 0 0 27-Oct-2012 00:05 ..
>drwxr-xr-x 0 0 0 11-Nov-2012 23:32 info
drwxr-xr-x 0 0 0 11-Nov-2012 23:32 files
Inside we find the two sub-directories the trash layout always has: info holds one .trashinfo file per trashed item (its original path and deletion time), and files holds the items themselves.
Move down to info (3rd line) and press the Right Arrow key to enter it =>

P FAT32 0 1 1 976 254 63 15695442
Directory /.Trash-1000/info
Previous
-rwxr-xr-x 0 0 0 27-Oct-2012 00:05 md5sum.txt.trashinfo
-rwxr-xr-x 0 0 0 27-Oct-2012 00:05 menu.c32.trashinfo
-rwxr-xr-x 0 0 0 27-Oct-2012 00:05 README.diskdefines.trashinfo
-rwxr-xr-x 0 0 0 27-Oct-2012 00:05 syslinux.cfg.trashinfo
-rwxr-xr-x 0 0 0 27-Oct-2012 00:05 ubnfilel.txt.trashinfo
-rwxr-xr-x 0 0 0 27-Oct-2012 00:05 ubninit.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:05 .disk.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:05 .Trash-1000.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:05 #ODC.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:05 #S17.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:05 20530.jpg.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:05 559515_214408882024167_1492052605_n.jpg.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:05 Cool_guy_antiACTA.jpeg.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:05 Icon-FistNEHouse.png.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:05 images.jpeg.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:05 masks_guy_fawkes_anonymous_V_for_vendetta_black_and_white_logo_poster_www.Vvallpaper.net2.jpg.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:05 Portland-FistRose-New.png.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:05 th.jpeg.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:05 .2.Trash-1000.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:32 .2.disk.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:32 BT5R2-KDE-64.2.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:32 casper.2.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:32 ddwrt.2.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:32 isolinux.2.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:32 MUSICAS.2.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:32 #ODC.2.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:32 preseed.2.trashinfo
-rwxr-xr-x 0 0 0 11-Nov-2012 23:32 #S17.2.trashinfo
>-rwxr-xr-x 0 0 0 11-Nov-2012 23:32 vistatables.2.trashinfo

HOLY SHIT! We hit us a lick! lulz, all of these are recoverable: they are all in white, not red! I also see that Linux has been saved on here,
and some other media.

P FAT32 0 1 1 976 254 63 15695442
Directory /.Trash-1000/files
Previous
drwxr-xr-x 0 0 0 27-Oct-2012 00:05 casper.2
drwxr-xr-x 0 0 0 27-Oct-2012 00:05 ddwrt.2
drwxr-xr-x 0 0 0 27-Oct-2012 00:05 isolinux.2
drwxr-xr-x 0 0 0 27-Oct-2012 00:05 MUSICAS.2
drwxr-xr-x 0 0 0 2-Oct-2012 21:20 #ODC.2
drwxr-xr-x 0 0 0 27-Oct-2012 04:24 #S17.2
drwxr-xr-x 0 0 0 27-Oct-2012 00:05 vistatables.2
drwxr-xr-x 0 0 0 27-Oct-2012 00:05 vistatables
drwxr-xr-x 0 0 0 27-Oct-2012 00:05 xptables
-rwxr-xr-x 0 0 0 27-Oct-2012 00:05 ldlinux.sys
-rwxr-xr-x 0 0 0 27-Oct-2012 00:05 md5sum.txt
-rwxr-xr-x 0 0 0 27-Oct-2012 00:05 menu.c32
-rwxr-xr-x 0 0 0 27-Oct-2012 00:05 README.diskdefines
-rwxr-xr-x 0 0 0 27-Oct-2012 00:05 syslinux.cfg
-rwxr-xr-x 0 0 0 27-Oct-2012 00:05 ubnfilel.txt
-rwxr-xr-x 0 0 0 27-Oct-2012 00:05 ubninit
drwxr-xr-x 0 0 0 27-Oct-2012 00:05 preseed.2
drwxr-xr-x 0 0 0 2-Oct-2012 21:20 _ODC
drwxr-xr-x 0 0 0 27-Oct-2012 04:24 _S17
-rwxr-xr-x 0 0 24374 12-Oct-2012 18:18 20530.jpg
-rwxr-xr-x 0 0 11227 26-Oct-2012 13:23 559515_214408882024167_1492052605_n.jpg
-rwxr-xr-x 0 0 92508 12-Oct-2012 18:14 Cool_guy_antiACTA.jpeg
-rwxr-xr-x 0 0 26852 11-Oct-2012 15:50 Icon-FistNEHouse.png
-rwxr-xr-x 0 0 4409 11-Oct-2012 15:56 images.jpeg
-rwxr-xr-x 0 0 33717 12-Oct-2012 18:23 masks_guy_fawkes_anonymous_V_for_vendetta_black_and_white_logo_poster_www.Vvallpaper.net2.jpg
-rwxr-xr-x 0 0 100956 11-Oct-2012 15:48 Portland-FistRose-New.png
-rwxr-xr-x 0 0 4456 12-Oct-2012 18:25 th.jpeg
drwxr-xr-x 0 0 0 31-May-2012 00:28 .2.disk
>drwxr-xr-x 0 0 0 27-Oct-2012 00:05 BT5R2-KDE-64.2

Use Left arrow to go back, Right to change directory, h to hide deleted files
q to quit, : to select the current file, a to deselect all files
C to copy the selected files, c to copy the current file


As you can see we moved to files and found our Linux distro, BackTrack 5 R2, and other media (casper and isolinux come from the live ISO, while ubninit, ubnfilel.txt, syslinux.cfg and ldlinux.sys are what UNetbootin writes when it puts a live ISO on a stick).
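The info/ and files/ listings above are the two halves of the freedesktop.org trash layout, and the real deletion timeline is inside the .trashinfo files, not in the dates TestDisk prints. This is an added example, not TestDisk's code and not from the original post: it parses .trashinfo records, pairs each with its payload in files/, and flags what does not line up, which the listings above show does happen (vistatables, xptables and ldlinux.sys sit in files/ with no .trashinfo, and the .2 suffix on casper.2 or vistatables.2 is how the trash implementation avoids a name collision when a second item of the same name is trashed). SAMPLE_INFO and SAMPLE_FILES are constructed: only the names are taken from the listing, the Path and DeletionDate values are invented, and one unmatched record plus one junk file are added to exercise the error paths.

```python
"""Reconcile a freedesktop.org trash folder (.Trash-<uid>/info + files).

Added example: not TestDisk's code and not from the original post. The
sample data is constructed; Path and DeletionDate values are invented.
"""
import os
import sys
from configparser import ConfigParser
from datetime import datetime
from urllib.parse import unquote

# Constructed: .trashinfo name -> its content (lives in info/). Path is
# percent-encoded by the file manager and relative to the mount point.
SAMPLE_INFO = {
    "md5sum.txt.trashinfo":
        "[Trash Info]\nPath=md5sum.txt\nDeletionDate=2012-10-27T00:05:12\n",
    "#S17.trashinfo":
        "[Trash Info]\nPath=%23S17\nDeletionDate=2012-11-11T23:05:40\n",
    "vistatables.2.trashinfo":   # '.2': a second 'vistatables' was trashed
        "[Trash Info]\nPath=vistatables\nDeletionDate=2012-11-11T23:32:01\n",
    "images.jpeg.trashinfo":     # invented: metadata whose payload is gone
        "[Trash Info]\nPath=pics/images.jpeg\nDeletionDate=2012-11-11T23:05:41\n",
    "broken.trashinfo": "not a trashinfo file at all\n",   # invented junk
}
# Constructed: entry names under files/.
SAMPLE_FILES = {"md5sum.txt", "#S17", "vistatables.2", "vistatables", "ldlinux.sys"}


def parse_trashinfo(text):
    """Return (original_path, deletion datetime) or None if malformed."""
    cp = ConfigParser(interpolation=None)
    cp.optionxform = str              # keep 'Path' / 'DeletionDate' as written
    try:
        cp.read_string(text)
    except Exception:                 # no [Trash Info] header, junk lines, ...
        return None
    if not cp.has_section("Trash Info"):
        return None
    sect = cp["Trash Info"]
    if "Path" not in sect or "DeletionDate" not in sect:
        return None
    try:
        when = datetime.strptime(sect["DeletionDate"], "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return unquote(sect["Path"]), when


def reconcile(info, files):
    """Pair each info/<name>.trashinfo with files/<name>; report the rest.
    orphan_info = metadata without payload; orphan_files = payload without
    metadata (nothing says where it came from or when it was deleted)."""
    paired, orphan_info, bad_info, matched = [], [], [], set()
    for name, text in sorted(info.items()):
        if not name.endswith(".trashinfo"):
            continue
        stem = name[:-len(".trashinfo")]
        parsed = parse_trashinfo(text)
        if parsed is None:
            bad_info.append(name)
            continue
        row = {"trash_name": stem, "original": parsed[0], "deleted": parsed[1]}
        if stem in files:
            matched.add(stem)
            paired.append(row)
        else:
            orphan_info.append(row)
    paired.sort(key=lambda r: r["deleted"])
    orphan_info.sort(key=lambda r: r["deleted"])
    return {"paired": paired, "orphan_info": orphan_info,
            "orphan_files": sorted(files - matched), "bad_info": bad_info}


def load_trash_dir(root):
    """Read a real .Trash-<uid> directory (e.g. one copied out by TestDisk)."""
    info = {}
    for name in os.listdir(os.path.join(root, "info")):
        with open(os.path.join(root, "info", name), encoding="utf-8",
                  errors="replace") as fh:
            info[name] = fh.read()
    return info, set(os.listdir(os.path.join(root, "files")))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        info, files = load_trash_dir(sys.argv[1])
    else:
        info, files = SAMPLE_INFO, SAMPLE_FILES
    report = reconcile(info, files)
    for r in report["paired"]:
        print(f"{r['deleted']:%Y-%m-%d %H:%M:%S}  {r['original']:<24} -> files/{r['trash_name']}")
    for r in report["orphan_info"]:
        print(f"{r['deleted']:%Y-%m-%d %H:%M:%S}  {r['original']:<24} -> (payload missing)")
    for name in report["orphan_files"]:
        print(f"unknown origin                files/{name}")
    for name in report["bad_info"]:
        print(f"unparseable                   info/{name}")
```

Point it at the .Trash-1000 directory after TestDisk has copied it out and you get the deletion timeline sorted by DeletionDate, with the entries that have lost their metadata listed separately; those are the ones whose original location you can no longer prove from the trash alone.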

We hit a to select all (the entries highlight green), then C (capital; lowercase c copies only the file under the cursor, as the key help above says) to copy the selected files into a directory
of your choice. Hash the copies and keep testdisk.log with them so the recovery is reproducible.

Keys: Arrow keys to select another directory
Copying, please wait...
Q to quit
Directory /home/developer/Forensics
>drwxrwxr-x 1000 1000 4096 13-Feb-2013 05:37 .
drwx------ 1000 1000 12288 13-Feb-2013 05:37 ..

There we go: we have done an analysis and recovered deleted data from the stick.

I hope this sits well with you; there are more interesting things coming from me. Happy Hacking!!
