Posts Tagged ‘sata’


Carve and Sift: My Primer to Linux Computer Forensics

The Deft Linux Desktop

The Deft Linux Desktop

Actually, the title is a bit of a misnomer. I’d already learned a bit about computer forensics and the process of recovering files on Windows operating systems some years ago. I had pulled a lot of lost data from a machine that had unexpectedly quit working, saving a lot of customer data for a person who, for the sake of their employment, shall remain anonymous.

However, the method I went about it could hardly be called “forensics” as I had to install some software to a USB and I still had to boot into the OS. I did a lot of writing to the disk (a forensics no-no) and not much was really preserved intact, but I did manage to save what needed to be saved. It really didn’t feel like I had done anything that would be useful to, say, a crime lab.

Deft Linux


The cyClone menu system is pretty clear and can produce either raw or compressed image files with SHA1 or MD5 hashes.

A few weeks ago I was asked if I could perform such a task on a newer Windows 7 laptop, one with a terabyte hard drive, resurrecting some home videos and photos that had been deleted. I jumped at the chance for three reasons: First, these files were of special importance to this person, as one of the family members had died recently and had failed to back them up. Secondly, this gave me a chance to try out the new Deft Linux package on a computer that I could actively see if it was successful. Lastly, the data was relatively nonvolatile. If I accidently wiped it, then no one was getting fired.

I downloaded and burned Deft Linux 7 onto a DVD and got to work. Deft is a Live Disc, meaning that the OS loads from the DVD rather than a hard disk, and is largely based on Ubuntu. The Deft Distro itself is an amalgamation of both Linux and Windows software (through WinE) put together by some people in Italy. It has an English version, and is just about as all-inclusive as you can get with the Linux tools. It also is set up not to mount any drives until you tell it to, and even then you can specify to mount as read-only or full access.

After looking through the impressive and useful manual on their website, I concluded that the pieces of software that I was going to use for the job were cyClone, Foremost and Scalpel. Luckily, there is a GUI front-end for the latter and a menu-driven command-line interface for the former. This was just about as simple as it could get.


After you carve, you'll want to sift through the image file to see what you can find and/or "resurrect".

After the carve you’ll have a dd image file (raw) and a log telling you how long it took and if it passed the SHA1/MD5 verification check.

The first step in getting the data off of a drive is to Carve it. That is to say, you “carve” out the piece of the drive you want to look at and put it somewhere else, some place that ideally has more space or maybe more computing power. In my case, I didn’t have the time, nor interest, in installing the software on my Linux boxes, so I just carved and set it aside.

Also, I wasn’t particularly interested in the entire drive, as they only really used the first 200GB of the 750GB that had been allotted them on the main C: drive. It would have been too time consuming and not revealed much to look at the last ~550GB of it. So, I carved only the first 200GB and placed it on one of the SATA drives that I had made in a previous project. If you want to get really fancy, you can run the command-line dcfldd which is the US Department of Computer Defence Forensics Lab’s enhanced version of the dd command.


After you carve, you’ll want to sift through the image file to see what you can find and/or “resurrect”.

Remember before when I said that Deft didn’t mount the drive and you could select to mount as Read Only or Full Access? The reason for this is that data is written to the disk when they are mounted in Full Access mode which is default for almost every OS out there. If we’re police investigators trying to get clues about what’s on a computer, we certainly don’t want to taint the crime scene by scribbling all over it. Mounting a partition in read-only mode prevents the us or the OS from accidently doing just that.


Sifting is mostly hit-and-miss, with the emphasis on the miss. It also takes quite a long while, depending on the size of the image.

Sifting is mostly hit-and-miss, with the emphasis on the miss. It also takes quite a long while, depending on the size of the image.

This is the part that takes the longest. Now that we have our cloned drive, we need to go through it and pull out all of the files we need and organize them. There are many ways to do this, but the easiest in Deft is to use the Hunchback GUI. This is a GUI front-end for for the scalpel and foremost command-line pieces. Options in Hunchback aren’t as robust as they are from the command-line, which is usually the case, but they were good enough for us.

I selected all the picture and video types, ignoring things like PDFs or EXEs. Then I pointed to another external drive (from a previous project) and told it to drop all the files that it found in that folder and arrange them by type. The software creates folders for each one and copies what it can accordingly.

Once that was done, I re-mounted the internal 750GB drive with full access, dropped the files I had sifted onto it, and I was done. Now, they could look through the files at their leisure (tens of thousands) and get their deleted files back.

A Further Word

This above, while definitely not a how-to, is a very simple way of getting data off of a Windows or other OS’s drive without disturbing the contents. You could even stop at the image stage and take it with you to sift later. It is an EXACT copy of the drive, deleted files and all.

Deft also contains a gargantuan number of other useful tools for doing things besides straight computer forensics. It also has utilities for network forensics, encryption study and more. If you’ve ever been interested in Computer or Network forensics, then Deft is a must have. It’s definitely tool number one on my belt for this kind of work.

-CJ Julius


Bitcoins, Mobile Digital Vaults and Google Fiber (2013.04.26)


As this blog is an ongoing venture, occasionally I will want to update previous entries or projects. New information is gathered, projects evolve and, in general, things change. Also, I’ve found that updates don’t work so well on old posts because few people bookmark them and then come back later. To combat this, every once in a while I will be giving updates in rapid fire about previous entries. Those posts will be automatically updated via “pingback” in the comments section, so if you actually do bookmark them, then you’ll get notified that way.

Without further ado:



Even the experts don’t know if Bitcoin is economically viable.

On April 11, 2013, Bitcoin Exchange Halted Trades in order to bring down the price of the coins. They also released a statement denying the bubble and assuring everyone that it was a solid currency. Whether it is or not remains to be seen as it has had its share of detractors and the largest U.S. exchange shut down following the big hype. As stated in my previous post, no matter how it turns out, it’s a fascinating convergence of technology and economics, much in line with the computerized traders on the stock market today. While I’m still extremely skeptical, I’m secretly rooting for an all-digital currency.

Mobile Digital Vaults

DiskInternals Linux Reader

A little cumbersome, but you can read your EXT drives.

My last project involved taking an old 500GB SATA drive, using TrueCrypt and a snazzy drive enclosure to turn it into a mobile digital vault. This was largely successful, although I could not get Windows to format a large enough partition for some reason. This led to me formatting the virtual drive into EXT4, which meant that I could not read it on Windows. I don’t use Windows that much, so that was not a big deal, however I wanted to see if I could find a method that would let me do so.

The blue light on the front show drive access.

The blue light on the front indicates drive access.

I mentioned that I used a piece of software called EXT2READ which I found out later did not work. When I tested it prior to writing the article, I found that I was able to read the drive, though some days after when I tried to copy a .DOCX file from an EXT3 partition to my NTFS Windows drive, the file was corrupted and unreadable. So, I tried another piece of software by DiskInternals to read EXT2/3/4 drives and it worked flawlessly, seeing the newly mounted TrueCrypt drive and letting me access it.

Also, I got another drive enclosure, the Nexstar3 by Vantec to house another 250GB SATA drive. The only major difference between the two is that the NexStar3 does not have a fan built in thus making it significantly smaller. It also requires two different sized screwdrivers to get your drive in, which I thought was odd, but otherwise it seems to be a solid piece of equipment. This drive is a little more “mobile” than the other so I’ve moved all of my encrypted drives that I want to take with me over to this one making the Rosewill enclosure largely stationary on my desktop.

Google Fiber

Google Fiber is stirring up some dust in Austin

Google Fiber is stirring up some dust in Austin

AT&T is feeling threatened by Google Fiber and has launched a counter-offensive aimed at bringing fiber to mainstream consumers in Austin. Some have argued that this is just posturing, but that they even bothered to acknowledge Google’s plans means that they’re taking the move towards a fiber infrastructure seriously to some degree. On the heals of this announcement came Time Warner Cable’s decision to wire Austin for WiFi. Austin Texas is going to be one of the most internet-connected cities in the U.S. at this rate.

Again, as I said in the last post, there is no bad news.

Future Projects

I have several new projects lined up for the next month, a few which are already underway. First of all, I need to take a 1TB (terabyte) hard drive and resurrect some files that got deleted from it. I will probably be using Deft Linux for this, which should be interesting. I’ve only “carved and sifted” once before.

Also, I got my Raspberry Pi up and going, which was interesting in and of itself, but I’m thinking that I’ll drop Wheezy and move toward XBMC. I had hoped to stream video from my Windows shared drive and onto my TV. We’ll see how that goes.

Lastly, I want to do a longer Wednesday post about Security on the Internet. The utilities I use to keep myself secure might be interesting to others out there. The use of VPNs, two step authentication and software to obscure passwords will be some of the pieces I’ll touch upon.

-CJ Julius