diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md index 38cdef28a..777a2c6af 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/partitions-file-systems-carving/file-data-carving-recovery-tools.md 
@@ -8,80 +8,133 @@ Zana zaidi zinapatikana katika [https://github.com/Claudio-C/awesome-datarecover ### Autopsy -Zana inayotumika sana katika uchunguzi wa forensics kutoa faili kutoka kwa picha ni [**Autopsy**](https://www.autopsy.com/download/). Pakua, sakinisha na fanya iweze kuchukua faili ili kupata faili "zilizofichwa". Kumbuka kwamba Autopsy imejengwa kusaidia picha za diski na aina nyingine za picha, lakini si faili rahisi. +Zana inayotumika sana katika uchunguzi wa kidijitali kutoa faili kutoka kwa picha ni [**Autopsy**](https://www.autopsy.com/download/). Pakua, sakinisha na fanya iweze kuchukua faili ili kupata faili "zilizofichwa". Kumbuka kwamba Autopsy imejengwa kusaidia picha za diski na aina nyingine za picha, lakini si faili rahisi. +> **2024-2025 sasisho** – Toleo **4.21** (lililotolewa Februari 2025) limeongeza moduli mpya ya **carving iliyojengwa upya kulingana na SleuthKit v4.13** ambayo ni ya haraka zaidi inaposhughulikia picha za multi-terabyte na inasaidia utoaji wa sambamba kwenye mifumo ya multi-core.¹ Wrapper ndogo ya CLI (`autopsycli ingest `) pia ilianzishwa, ikifanya iwezekane kuandika carving ndani ya mazingira ya CI/CD au maabara makubwa. +```bash +# Create a case and ingest an evidence image from the CLI (Autopsy ≥4.21) +autopsycli case --create MyCase --base /cases +# ingest with the default ingest profile (includes data-carve module) +autopsycli ingest MyCase /evidence/disk01.E01 --threads 8 +``` ### Binwalk -**Binwalk** ni zana ya kuchambua faili za binary ili kupata maudhui yaliyojumuishwa. Inaweza kusakinishwa kupitia `apt` na chanzo chake kiko kwenye [GitHub](https://github.com/ReFirmLabs/binwalk). +**Binwalk** ni chombo cha kuchambua faili za binary ili kupata maudhui yaliyojumuishwa. Inaweza kusakinishwa kupitia `apt` na chanzo chake kiko kwenye [GitHub](https://github.com/ReFirmLabs/binwalk). 
**Amri muhimu**: ```bash -sudo apt install binwalk #Insllation -binwalk file #Displays the embedded data in the given file -binwalk -e file #Displays and extracts some files from the given file -binwalk --dd ".*" file #Displays and extracts all files from the given file +sudo apt install binwalk # Installation +binwalk firmware.bin # Display embedded data +binwalk -e firmware.bin # Extract recognised objects (safe-default) +binwalk --dd " .* " firmware.bin # Extract *everything* (use with care) ``` +⚠️ **Kumbuka Usalama** – Matoleo **≤2.3.3** yanakabiliwa na udhaifu wa **Path Traversal** (CVE-2022-4510). Pandisha (au tengeneza mazingira na kontena/UID isiyo na mamlaka) kabla ya kuchonga sampuli zisizoaminika. + ### Foremost -Chombo kingine cha kawaida cha kutafuta faili zilizofichwa ni **foremost**. Unaweza kupata faili ya usanidi ya foremost katika `/etc/foremost.conf`. Ikiwa unataka tu kutafuta faili fulani, ondoa alama ya maoni. Ikiwa huondoi alama ya maoni, foremost itatafuta aina zake za faili zilizowekwa kama chaguo-msingi. +Chombo kingine cha kawaida cha kutafuta faili zilizofichwa ni **foremost**. Unaweza kupata faili ya usanidi ya foremost katika `/etc/foremost.conf`. Ikiwa unataka tu kutafuta faili fulani, ondoa alama ya maoni. Ikiwa hutaondoa alama ya maoni, foremost itatafuta aina zake za faili zilizopangwa kwa default. ```bash sudo apt-get install foremost foremost -v -i file.img -o output -#Discovered files will appear inside the folder "output" +# Discovered files will appear inside the folder "output" ``` ### **Scalpel** -**Scalpel** ni chombo kingine ambacho kinaweza kutumika kupata na kutoa **faili zilizojumuishwa katika faili**. Katika kesi hii, utahitaji kuondoa maoni kutoka kwa faili ya usanidi (_/etc/scalpel/scalpel.conf_) aina za faili unazotaka ikatoe. +**Scalpel** ni chombo kingine ambacho kinaweza kutumika kupata na kutoa **faili zilizojumuishwa ndani ya faili**. 
Katika kesi hii, utahitaji kuondoa maoni kutoka kwa faili ya usanidi (_/etc/scalpel/scalpel.conf_) aina za faili unazotaka ikatoe. ```bash sudo apt-get install scalpel scalpel file.img -o output ``` -### Bulk Extractor +### Bulk Extractor 2.x -Chombo hiki kinapatikana ndani ya kali lakini unaweza kukipata hapa: [https://github.com/simsong/bulk_extractor](https://github.com/simsong/bulk_extractor) +Zana hii inapatikana ndani ya kali lakini unaweza kuipata hapa: -Chombo hiki kinaweza kuskan picha na **kutoa pcaps** ndani yake, **taarifa za mtandao (URLs, domains, IPs, MACs, mails)** na zaidi **faili**. Unachohitaji kufanya ni: +Bulk Extractor inaweza kuskan picha ya ushahidi na kuchonga **pcap fragments**, **vitu vya mtandao (URLs, domains, IPs, MACs, e-mails)** na vitu vingine vingi **kwa pamoja kwa kutumia skana nyingi**. +```bash +# Build from source – v2.1.1 (April 2024) requires cmake ≥3.16 +git clone https://github.com/simsong/bulk_extractor.git && cd bulk_extractor +mkdir build && cd build && cmake .. && make -j$(nproc) && sudo make install + +# Run every scanner, carve JPEGs aggressively and generate a bodyfile +bulk_extractor -o out_folder -S jpeg_carve_mode=2 -S write_bodyfile=y /evidence/disk.img ``` -bulk_extractor memory.img -o out_folder -``` -Navigate through **habari zote** that the tool has gathered (passwords?), **chambua** the **paket** (read[ **Pcaps analysis**](../pcap-inspection/index.html)), search for **domeni za ajabu** (domains related to **malware** or **zisizokuwepo**). +Useful post-processing scripts (`bulk_diff`, `bulk_extractor_reader.py`) zinaweza kuondoa nakala za artefacts kati ya picha mbili au kubadilisha matokeo kuwa JSON kwa ajili ya upokeaji wa SIEM. ### PhotoRec -You can find it in [https://www.cgsecurity.org/wiki/TestDisk_Download](https://www.cgsecurity.org/wiki/TestDisk_Download) +Unaweza kuipata katika -It comes with GUI and CLI versions. You can select the **aina za faili** you want PhotoRec to search for. 
+Inakuja na toleo la GUI na CLI. Unaweza kuchagua **aina za faili** unazotaka PhotoRec itafute. ![](<../../../images/image (242).png>) +### ddrescue + ddrescueview (kuunda picha za diski zinazoshindwa) + +Wakati diski ya kimwili haiko imara, ni bora kufanya **picha yake kwanza** na kisha kutumia zana za carving dhidi ya picha hiyo. `ddrescue` (mradi wa GNU) inazingatia kunakili diski mbovu kwa uaminifu huku ikihifadhi kumbukumbu ya sehemu zisizoweza kusomwa. +```bash +sudo apt install gddrescue ddrescueview # On Debian-based systems +# First pass – try to get as much data as possible without retries +sudo ddrescue -f -n /dev/sdX suspect.img suspect.log +# Second pass – aggressive, 3 retries on the remaining bad areas +sudo ddrescue -d -r3 /dev/sdX suspect.img suspect.log + +# Visualise the status map (green=good, red=bad) +ddrescueview suspect.log +``` +Version **1.28** (Desemba 2024) ilianzisha **`--cluster-size`** ambayo inaweza kuongeza kasi ya picha za SSD zenye uwezo mkubwa ambapo saizi za sekta za jadi hazifanani tena na vizuizi vya flash. + +### Extundelete / Ext4magic (EXT 3/4 undelete) + +Ikiwa mfumo wa faili wa chanzo ni wa Linux EXT, unaweza kuwa na uwezo wa kurejesha faili zilizofutwa hivi karibuni **bila kuchonga kabisa**. Zana zote mbili zinafanya kazi moja kwa moja kwenye picha isiyoandikwa: +```bash +# Attempt journal-based undelete (metadata must still be present) +extundelete disk.img --restore-all + +# Fallback to full directory scan; supports extents and inline data +ext4magic disk.img -M -f '*.jpg' -d ./recovered +``` +> 🛈 Ikiwa mfumo wa faili ulitolewa baada ya kufutwa, vizuizi vya data vinaweza kuwa vimekwishatumika tena - katika kesi hiyo, kuchora vizuri (Foremost/Scalpel) bado kunahitajika. + ### binvis -Check the [code](https://code.google.com/archive/p/binvis/) and the [web page tool](https://binvis.io/#/). +Angalia [code](https://code.google.com/archive/p/binvis/) na [web page tool](https://binvis.io/#/). 
-#### Features of BinVis +#### Vipengele vya BinVis -- Visual and active **muonekano wa muundo** -- Multiple plots for different focus points -- Focusing on portions of a sample -- **Kuona stings na rasilimali**, in PE or ELF executables e. g. -- Getting **mifumo** for cryptanalysis on files -- **Kugundua** packer or encoder algorithms -- **Tambua** Steganography by patterns -- **Visual** binary-diffing +- Mtazamaji wa **muundo** wa kuona na wa kazi +- Njia nyingi za kuzingatia maeneo tofauti +- Kuangazia sehemu za sampuli +- **Kuona stings na rasilimali**, katika PE au ELF executable n.k. +- Kupata **mifumo** ya uchambuzi wa kificho kwenye faili +- **Kugundua** algorithms za pakka au encoder +- **Tambua** Steganography kwa mifumo +- **Kiona** tofauti za binary -BinVis is a great **nukta ya kuanzia kujifunza kuhusu lengo lisilojulikana** in a black-boxing scenario. +BinVis ni **nukta ya kuanzia nzuri ili kufahamiana na lengo lisilojulikana** katika hali ya black-boxing. -## Specific Data Carving Tools +## Zana Maalum za Kuchora Data ### FindAES -Searches for AES keys by searching for their key schedules. Able to find 128. 192, and 256 bit keys, such as those used by TrueCrypt and BitLocker. +Inatafuta funguo za AES kwa kutafuta ratiba zao za funguo. Inaweza kupata funguo za 128, 192, na 256 bit, kama zile zinazotumiwa na TrueCrypt na BitLocker. -Download [hapa](https://sourceforge.net/projects/findaes/). +Pakua [hapa](https://sourceforge.net/projects/findaes/). -## Complementary tools +### YARA-X (kuangalia artefacts zilizochorwa) -You can use [**viu** ](https://github.com/atanunq/viu)to see images from the terminal.\ -You can use the linux command line tool **pdftotext** to transform a pdf into text and read it. +[YARA-X](https://github.com/VirusTotal/yara-x) ni upya wa YARA ulioandikwa kwa Rust ulioachiliwa mwaka 2024. 
Ni **10-30× haraka** kuliko YARA ya jadi na inaweza kutumika kuainisha maelfu ya vitu vilivyopatikana haraka sana: +```bash +# Scan every carved object produced by bulk_extractor +yarax -r rules/index.yar out_folder/ --threads 8 --print-meta +``` +Kuongeza kasi kunafanya iwe halisi **auto-tag** faili zote zilizokatwa katika uchunguzi wa kiwango kikubwa. +## Zana za nyongeza + +Unaweza kutumia [**viu** ](https://github.com/atanunq/viu)kuona picha kutoka kwenye terminal. \ +Unaweza kutumia zana ya mistari ya amri ya linux **pdftotext** kubadilisha pdf kuwa maandiko na kuisoma. + +## Marejeleo + +1. Maelezo ya kutolewa kwa Autopsy 4.21 – {{#include ../../../banners/hacktricks-training.md}}
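Review bot: the Binwalk block changes `binwalk --dd ".*" file` to `binwalk --dd " .* " firmware.bin`, and the added spaces inside the quotes are a functional regression, not a cosmetic one: `--dd` takes a regular expression matched against the signature description, so `" .* "` only matches descriptions that begin and end with a space and will silently extract almost nothing. Restore `binwalk --dd ".*" firmware.bin` (the "use with care" comment can stay). Several other new lines lose the information the reviewer needs to verify them: `autopsycli ingest ` ends in a blank placeholder, footnote `1. Maelezo ya kutolewa kwa Autopsy 4.21 –` has no URL, and the rewritten Bulk Extractor and PhotoRec intros (`Zana hii inapatikana ndani ya kali lakini unaweza kuipata hapa:` and `Unaweza kuipata katika`) drop the link targets that the removed lines carried. Please keep the explicit GitHub and cgsecurity.org URLs and add the release-note link, since the `autopsycli` command and the "based on SleuthKit v4.13" claim are not in Autopsy's documented command-line interface as far as the visible text shows and need a source. In the YARA-X block, `yarax -r rules/index.yar out_folder/ --threads 8 --print-meta` does not match the YARA-X CLI, whose binary is `yr` with a `scan` subcommand (roughly `yr scan -r -p 8 --print-meta rules/index.yar out_folder/`; confirm the flag names against `yr scan --help`). The ddrescue paragraph attributes `--cluster-size` to version 1.28 (December 2024), but `-c`/`--cluster-size` predates that release by years, so either cite the changelog entry you mean or drop the version claim. Finally, the hunk deletes the one-line `bulk_extractor memory.img -o out_folder` usage in favour of a build-from-source sequence; since the page itself says the tool ships in Kali, keep the simple packaged invocation alongside the source build, and note that `-S write_bodyfile=y` should be checked against `bulk_extractor -h` before it is documented as a valid scanner parameter.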