Tools for reconstructing deleted data
The Sleuth Kit
One of the most powerful tool collections for forensic work is The Sleuth Kit (TSK) [12], which has been under continuous development for several years. The developer, Brian Carrier, also has a graphical front end called Autopsy [13]. However, the latest version 4.4.1 is only available as a Windows package. To use Autopsy with Linux, you must build it from the source code, which poses massive problems because of partly missing, partly incorrectly designated dependencies.
Because TSK is intended as a command-line tool for users who perform professional data analysis and forensic work, the tool collection is also suitable for many tasks beyond the actual reconstruction of data.
The tools can be found in the software repositories of all the major Linux distributions, as well as in many Live systems with a focus on IT security and data maintenance [14]. TSK includes many tools for data analysis and reconstruction; the individual modules collect a variety of information and take metadata, the filesystem, object names, journals, and data blocks into account.
As supported filesystems, the documentation refers to ISO-9660, standard FAT variants, NTFS, ext2/3/4, and the UFS1 and UFS2 filesystems used by several Unix derivatives. Because of the many parameters, TSK requires a longer training period and therefore is less suitable for occasional data recovery. The fls and tsk_recover commands are useful for simple data reconstruction; TSK expects to work on an image taken from the original medium, so that it does not destroy reconstructible content by means of accidental write processes on the original disk.
To reconstruct some data on a USB memory stick, first create an image of the damaged drive by using the dd Linux command; the content can then be displayed with the fls <imagefile> command. Files marked with an asterisk are deleted.
The inode number, which is also listed, then lets you reconstruct a file as follows:
istat <imagefile> <inode_number>
and
icat <imagefile> <inode_number> > <filename>
tsk_recover also relies on other TSK modules when localizing and recovering deleted data; for example, it recovers all deleted files of an image using the
tsk_recover -e <imagefile> <target_directory>
command sequence. These then end up in subdirectories. The -v option in the command sequence also outputs details to the screen (Figure 8).
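The fls/icat workflow above is manual: you read the listing, pick out the asterisk-marked entries, and type one icat command per inode. The following added example (not part of TSK or the article) automates the reading step: it parses fls output, keeps only deleted regular files whose metadata has not been reallocated, and emits the matching icat command lines. The fls listing embedded here is constructed, the image name usb.img and output directory recovered are assumptions, and the line format (type pair, optional "*", inode with optional NTFS attribute suffix, colon, name, optional "(realloc)") follows what fls prints.

```python
"""Turn an fls listing into icat recovery commands (added example, not TSK code)."""
import re
import shlex
from pathlib import PurePosixPath

# One fls line: optional "+" depth markers from fls -r, "type/type", an optional
# "*" marking a deleted entry, the inode (NTFS adds -attrtype-id), a colon,
# whitespace, the name, and optionally "(realloc)" when the inode was reused.
FLS_LINE = re.compile(
    r"^(?P<depth>\+*)\s*(?P<type>[-a-z]/[-a-z])\s+(?P<deleted>\*\s+)?"
    r"(?P<inode>\d+(?:-\d+-\d+)?):\s+(?P<name>.*?)(?P<realloc>\s+\(realloc\))?$"
)

# Constructed sample listing; the asterisk entries are the ones worth recovering.
SAMPLE_FLS = (
    "r/r 4-128-1:\treport.docx\n"
    "d/d 5:\tphotos\n"
    "+ r/r * 12-128-1:\tIMG_0042.jpg\n"
    "r/r * 13-128-1:\tnotes.txt (realloc)\n"
    "-/r * 14:\t../escape.bin\n"
)

def parse_fls(text):
    """Return a dict per parsable fls line; unparsable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = FLS_LINE.match(line)
        if m:
            entries.append({"type": m["type"], "deleted": bool(m["deleted"]),
                            "realloc": bool(m["realloc"]),
                            "inode": m["inode"], "name": m["name"]})
    return entries

def deleted_regular_files(entries):
    """Keep deleted regular files (r/r or -/r) whose inode was not reallocated,
    since a reallocated inode now describes a different, live file."""
    return [e for e in entries
            if e["deleted"] and e["type"].endswith("/r") and not e["realloc"]]

def safe_name(name, inode):
    """Names on a damaged filesystem are untrusted: drop any path components and
    fall back to the inode so every output stays inside the target directory."""
    base = PurePosixPath(name).name
    return base if base not in ("", ".", "..") else f"inode_{inode}"

def icat_commands(image, outdir, entries):
    """Build `icat <image> <inode> > <outdir>/<inode>_<name>` for each candidate."""
    cmds = []
    for e in deleted_regular_files(entries):
        dest = f"{outdir}/{e['inode']}_{safe_name(e['name'], e['inode'])}"
        cmds.append(f"icat {shlex.quote(image)} {e['inode']} > {shlex.quote(dest)}")
    return cmds

if __name__ == "__main__":
    print("\n".join(icat_commands("usb.img", "recovered", parse_fls(SAMPLE_FLS))))
```

Piping real output in (`fls -r usb.img | python3 this_script.py`) only needs the `SAMPLE_FLS` constant swapped for `sys.stdin.read()`.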
Conclusions
All tested programs are up to the task of reconstructing accidentally deleted data or content from corrupted disks (see also the "Not Included" box). However, the approaches to restoring the data differ significantly: Whereas TSK is suitable for professional forensic applications by providing a variety of parameters, at the other end of the spectrum, Foremost and Magic Rescue are easy to use and provide rapid results.
Not Included
This test did not include the Scalpel [15] file carver. Although it provides functionality similar to Foremost, it only supports a few filesystems, which is not optimal, especially in environments with many different operating systems.
I also did not cover ddrescue [16]. Although the software is very well documented, it was not convincing during a practical test on larger drives with a large amount of lost data and a corrupted partition table. Because ddrescue scans the disk several times, depending on the severity of the damage, an attempt to reconstruct the data can take several hours for USB memory sticks of just a few gigabytes. It was also impossible to repair disks that exhibited pronounced fragmentation of residual data as a result of overwriting in a reasonable amount of time.
Anyone who needs professional data reconstruction across an intranet might be interested in the commercial R-Studio. Although the software is not as good as TSK when it comes to court-proof documentation of forensic investigations, its ability to restore lost files outshines PhotoRec and TestDisk.
PhotoRec is well suited for occasional use in multiformat databases, because it provides the most extensive format support.
When it comes to finding a suitable solution, you should first determine your needs before choosing one of these programs for data recovery.
Infos
- Backup survey: https://www.backblaze.com/blog/data-backup-survey/
- dcfldd: http://dcfldd.sourceforge.net
- PhotoRec: http://www.cgsecurity.org/wiki/PhotoRec
- TestDisk: http://www.cgsecurity.org/wiki/TestDisk_Download
- PhotoRec supported file formats: http://www.cgsecurity.org/wiki/File_Formats_Recovered_By_PhotoRec
- List of Live systems with TestDisk: http://www.cgsecurity.org/wiki/TestDisk_Livecd
- Magic Rescue: http://freecode.com/projects/magicrescue
- R-Studio: http://www.r-studio.com
- R-Studio online store: http://www.r-tt.com/BuyOnLine.shtml
- Downloading the agent: http://www.r-studio.com/data_recovery_linux/Download.shtml
- Foremost: http://foremost.sourceforge.net
- TSK: https://www.sleuthkit.org
- Autopsy: https://www.sleuthkit.org/autopsy/
- List of distributions and tools with TSK or Autopsy: http://wiki.sleuthkit.org/index.php?title=Tools_Using_TSK_or_Autopsy
- Scalpel: https://sourceforge.net/projects/scalpel/
- ddrescue: https://www.gnu.org/software/ddrescue/