Recently, I was asked if I could recover all images from a hard disk drive that could be linked to a specific digital camera. In this case, the EXIF data contained the make, model and serial number of the camera in question. Using some simple command fu, I was able to quickly recover all of the images. I could have used GUI tools, but I believe in keeping my command line skills polished, so I try to use them as much as I can.
Here's how I did it. For the sake of demonstration, I'm using the ipcase_ntfs.img from SANS Security 508: Computer Forensics, Investigation and Response, but the concepts are the same for any hard drive image.
To begin with, extract the strings from the image as follows:
strings --radix=d image_file > image_strings.txt
Using the "--radix=d" causes the "strings" command to include the byte offset in decimal where the given string occurs in the "image_file".
Next I grepped out all the lines matching the camera's serial number. For this demonstration, I'll pull out each line of the strings file that contains a reference to "exif" as follows:
grep -i exif image_strings.txt > hits_exif.txt
Here is a screen shot of the resulting "hits_exif.txt" file:
From here we can craft a single compound command line statement that will recover each file containing EXIF data and verify that the files recovered are image files. Here it is:
for k in $(for i in $(awk '{print $1}' hits_exif.txt); do j=$((i / 4096)); ifind -d $j ipcase_ntfs.img; done | sort | uniq); do icat ipcase_ntfs.img $k > $k; file $k; done
The standard out for this command is:
Let's break this command down, working from the inside out. The inner "for" loop takes the decimal offset value for each hit in the "hits_exif.txt" file and divides it by 4096, which is the cluster size for our file system image. We found this out earlier in our investigation by running "fsstat" against the "ipcase_ntfs.img" file.
The quotient from this calculation corresponds to the cluster offset in the file system where the hit occurred. We feed this offset to the "ifind" command using the "-d" option, which gives us the MFT entry that points to that particular cluster. Next we pipe the MFT entries through the "sort" and "uniq" commands. The resulting unique MFT entries are passed as arguments to the "icat" command, which recovers the data at the given MFT entry by writing it to a file of the same name. Finally, the "file" command is run against each newly created file and the results are printed to standard out. According to "file", all but one of the newly created files are "jpeg" images.
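As an added example (not code from the original post), here is the same strings-to-clusters-to-MFT-entries pipeline as a small POSIX shell script. It generalizes the one-liner above: the search pattern (a camera serial number or, as in the demonstration, "exif") and the cluster size reported by fsstat are parameters, hits that land in unallocated clusters are dropped instead of being fed to icat, and recovered files go into their own directory. It assumes The Sleuth Kit's ifind and icat are on PATH and that the image holds a single NTFS file system, as ipcase_ntfs.img does; the function names are my own, and the sample strings output in the comments is constructed, not taken from any real image.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes The Sleuth Kit's
# ifind and icat are installed and the image is a bare NTFS file system.

# hits_to_clusters PATTERN CLUSTER_SIZE
# Reads `strings --radix=d` output on stdin, keeps lines matching PATTERN
# (case-insensitive) and maps each decimal byte offset to a cluster number.
# Duplicates are removed so each cluster is resolved with ifind only once.
# Constructed input "   4096 Exif" with cluster size 4096 yields cluster 1.
hits_to_clusters() {
    pattern=$1
    cluster_size=$2
    grep -i -- "$pattern" \
        | awk -v cs="$cluster_size" '{ print int($1 / cs) }' \
        | sort -n -u
}

# clusters_to_inodes IMAGE
# Reads cluster numbers on stdin and asks ifind which metadata entry owns
# each one. ifind prints a metadata address on success (for NTFS an
# inode-type-id triple such as 39-128-3) and a "not found" message for
# unallocated clusters; only addresses are passed on, each once.
clusters_to_inodes() {
    image=$1
    while read -r cluster; do
        ifind -d "$cluster" "$image" 2>/dev/null || true
    done | grep -E '^[0-9]+(-[0-9]+-[0-9]+)?$' | sort -u
}

# recover_inodes IMAGE OUTDIR
# Reads metadata addresses on stdin, writes each entry's content to
# OUTDIR/<address> with icat and reports what `file` makes of it, so a hit
# inside a non-image file is visible rather than silently kept.
recover_inodes() {
    image=$1
    outdir=$2
    mkdir -p "$outdir"
    while read -r inode; do
        if icat "$image" "$inode" > "$outdir/$inode"; then
            file "$outdir/$inode"
        else
            echo "icat failed for $inode" >&2
        fi
    done
}

# recover_by_marker IMAGE PATTERN CLUSTER_SIZE OUTDIR
# Whole pipeline: strings -> clusters -> metadata entries -> carved files.
recover_by_marker() {
    strings -a --radix=d "$1" \
        | hits_to_clusters "$2" "$3" \
        | clusters_to_inodes "$1" \
        | recover_inodes "$1" "$4"
}

# Usage: sh recover_by_marker.sh ipcase_ntfs.img exif 4096 recovered/
if [ "$#" -eq 4 ]; then
    recover_by_marker "$1" "$2" "$3" "$4"
fi
```

Running it with the serial number from the EXIF data instead of "exif" narrows the hits to the camera in question, and because clusters are deduplicated before ifind runs, a file with several matching strings is still resolved and carved only once.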
That's it. With very little practice you will be stringing together command line statements that will optimize the processing of forensic images. Give it a try, you'll be surprised at just how effective and efficient you can be with a little command line fu.
Dave Hull, GCFA Silver #3368, is an aspiring maker and technologist specializing in information security. He is the principal consultant and founder of Trusted Signal.