Recovering Photos With PhotoRec

November 12, 2008 by Eliot 17 Comments

photorec

A coworker approached us today with a corrupted SD card. It was out of her digital camera, and when plugged in, it wasn’t recognized. This looked like the perfect opportunity to try out [Christophe Grenier]’s PhotoRec. PhotoRec is designed to recover lost files from many different types of storage media. We used it from the command line on OSX, but it works on many different platforms.

It’s a fairly simple program to use. We plugged in the card and launched PhotoRec. We were prompted to select which volume we wanted to recover. We selected “Intel” as the partition table. PhotoRec didn’t find any partitions, so we opted to search the “Whole disk”. We kept the default filetypes. It then asked for filesystem type where we chose “Other” because flash is formatted FAT by default. We then chose a directory for the recovered files and started the process. PhotoRec scans the entire disk looking for known file headers. It uses these to find the lost image data. The 1GB card took approximately 15 minutes to scan and recovered all photos. This is really a great piece of free software, but hopefully you’ll never have to use it.

Helix V2.0 Released

October 2, 2008 by Caleb Kraft 20 Comments

Helix 2.0 has been released. Helix is a collection of various tools for electronic forensics. Just like on TV, you can use this to find all kinds of information on a computer. Some of the useful tools added were Winlockpwn a tool for breaking windows security, Volitility which processes data out of the raw memory, and several other tools that are beyond our comprehension.

You’ve undoubtedly noticed that the title says Helix V2.0, but the image and header of the Helix site say 3. We have no idea why. Look at the download info to see that it says V2.0.

[Via Midnight Research labs]

IPhone Screengrab Issues

September 13, 2008 by Eliot 8 Comments

This is unfortunately another story we missed out on while we were trying to keep things from burning down. We told you that [Jonathan Zdziarski] was going to demonstrate iPhone lock code bypassing in a webcast. The real surprise came when he pointed out that the iPhone takes a screenshot every time you use the home button. It does this so it can do the scaling animation. The image files are presumably deleted immediately, but as we’ve seen before it’s nearly impossible to guarantee deletion on a solid state device. There’s currently no way to disable this behavior. So, even privacy conscious people have no way to prevent their iPhone from filling up storage with screenshots of all their text message, email, and browsing activities. Hopefully Apple will address this problem just like they did with the previous secure erase issue. O’Reilly promises to publish the full webcast soon.

[via Gizmodo]

IPhone 2.0 Adds Secure Wipe

June 25, 2008 by Eliot 6 Comments

AppleInsider is reporting that iPhone Software v2.0 will add a secure wipe feature. The screenshot above shows the text “This will take about an hour.” added to the normal erase feature. This time is used to overwrite data to the disk multiple times. The need for secure phone erasure came to light after a researcher was able to recover personal information from a refurbished iPhone using forensic tools. Since then, a few people have published techniques for obliterating personal data using either the GUI or the more thorough command line method. Remote wipe has also been added to the new firmware in case the phone is stolen. We’re happy to see security being made easily accessible to nontechnical users and expect that remote wipe will become standard on laptops in the future.

Open Source Data Recovery Tools

June 24, 2008 by Eliot 6 Comments

InformationWeek has great article on open source data recovery tools. What type of tools you use will depend on the severity of the situation. You can use live Linux distros designed for recovery like SystemRescueCD or Partedmagic (the latter being more user friendly). Security tools distrubutions like BackTrack can also be helpful; Helix in particular was designed for forensics work. dd is a standard *nix tool for imaging drives, but something like TestDisk can help you repair partition tables for whole disk recovery. Most deletion operations don’t overwrite the data which means you can use file carving to capture the lost files. PhotoRec is able to find files in a number of common formats. Finally, if you’ve got some serious forensic work ahead of you there’s The Sleuth Kit and many other command line tools.

As an addendum, OStatic put together a list of 5 freeware tools for protecting your system.

Data Recovery Tools

June 11, 2008 by Juan Aguilar 9 Comments

In your zeal to delete your data, you may have accidentally deleted files that you wanted to keep. Lifehacker has posted this handy list of data recovery tools to help you get those files back.

As you may know, whenever you delete a file, the only thing that changes is the file system. The data of the deleted file is still on the hard drive, but the file system sees the space containing the file as “blank” writable space. Data recovery software typically looks into the directory where the file was stored and scans it, finding any files not listed in the file system.

The program you choose for this task will not only be determined by your OS, but also by the specifics of your recovery needs. Do you need to recover a single file? Many files? A whole hard drive? An unbootable drive? A really scratched optical disk? Specialized tools for all of these needs are available, and this article will help you find the right program for yours.

Erase An IPhone Properly

May 20, 2008 by Eliot 14 Comments

A fundamental problem with flash memory has just gone mainstream. A detective successfully recovered data from a refurbished iPhone purchased from Apple. Flash memory controllers write to blocks randomly so using standard secure erase techniques are no guarantee that all of the storage space will be written.

[Rich Mogull] has posted a method that should wipe out almost all remnants of your personal data. You start by restoring the iPhone in iTunes and turning off all the syncing options. Next you create 3 playlists large enough to consume all of the phone’s storage space. Sync each playlist in turn and your residual personal data should be obliterated. All that’s left to do is sit back and wonder when the first article about the MacBook Air SSD being impossible to securely erase will be published…