
OSFMount is the perfect tool for mounting a dd file in Windows and mapping that to a drive letter.  This allows you to run your preferred data recovery tool against a dd file that you have created, using a tool like dd or GNU ddrescue.

[Screenshot: OSFMount main screen]

Below is an overview of your options with different types of drive images. The original table rates each format for Read, Write, Mount as RAM drive, Convert to Image file, Extend and Format support; the formats covered are:

Raw Image (.IMG, .DD)
Raw CD Image (.ISO, .BIN)
Split Raw Image (.00n)
Nero Burning ROM Image (.NRG)
System Deployment Image (.SDI)
Advanced Forensics Format Images* (AFF)
Advanced Forensics Format Images w/ meta data* (AFM)
Advanced Forensics Format Directories* (AFD)
VMWare Image (.VMDK)
EnCase EWF (.E01)
SMART EWF (.S01)

While it has no direct application to data recovery, I like the broader movement now under way toward finding hidden connections between ordinary devices.

Two key finds today in this area:

I heard about SumAll recently on Leo’s TWiT.  It’s loosely described as “connecting all your services” and has a very intuitive (AND FREE!) tool set for correlating different types of data.

Too early to see what tools like this offer for data recovery, but it’s not hard to imagine the possibilities.

A friend in forensics today told me that the jobs she’s looking at require a lot of Python, so I found this great article while googling afterwards:  25 Resources for Learning Python and Forensics.

This is just a small collection of the resources that are available if you are interested in learning python. It is not intended to be a comprehensive list of everything available, just enough to get you started. They are not listed in any particular order although I may have saved the best till last 😉

•    The official Python tutorial http://docs.python.org/2/tutorial/index.html
•    http://www.tutorialspoint.com/python/python_quick_guide.htm
•    http://www.codeskulptor.org/#examples-tips6.py

Free Online Classes

•    https://class.coursera.org/interactivepython-2012-001/lecture/index 
•    https://developers.google.com/edu/python/utilities
•    Google Python classes http://www.youtube.com/watch?v=tKTZoB2Vjuk
•    http://www.comp.leeds.ac.uk/nde/papers/teachpy3.html
•    http://www.codecademy.com/tracks/python

Books (free online)

How to think like a computer scientist: http://www.greenteapress.com/thinkpython/thinkCSpy/html/index.html 
Learn Python the Hard Way: http://learnpythonthehardway.org/
Invent with Python: http://inventwithpython.com/
Hacking secret ciphers with Python (from Invent with Python) http://inventwithpython.com/blog/2013/04/15/hacking-secret-ciphers-with-python-released/ 

Books (not free but worthwhile getting)

T.J. O’Connor, Violent Python: http://www.amazon.com/Violent-Python-Cookbook-Penetration-Engineers/dp/1597499579/
Justin Seitz Gray Hat Python: Python Programming for Hackers and Reverse Engineers http://www.amazon.com/Gray-Hat-Python-Programming-Engineers/dp/1593271921/ 
John Zelle Python Programming: An introduction to computer science 2nd ed http://www.amazon.com/Python-Programming-Introduction-Computer-Science/dp/1590282418/ 

Forums

http://stackoverflow.com/questions/tagged/python 

Official Documentation

http://docs.python.org/3/library/
http://docs.python.org/3/reference/
http://docs.python.org/3.3/howto/regex.html

Forensics & Python

Willi’s modules: http://williballenthin.com/
The volatility project: http://code.google.com/p/volatility/
Joachim Metz’s libraries: http://code.google.com/p/libyal/ (not all of these are python, but many have python bindings and some are python!)
Dave Nides’ blog (author of 4n6time): http://davnads.blogspot.com/
Plaso (backend engine for log2timeline): http://code.google.com/p/plaso/
T.J. O’Connor’s SANS paper Grow Your Own Forensic Tools: A Taxonomy of Python Libraries Helpful for Forensic Analysis http://www.sans.org/reading_room/whitepapers/incident/grow-forensic-tools-taxonomy-python-libraries-helpful-forensic-analysis_33453

<shameless plug> the course I teach at Champlain College Scripting for Digital Forensics http://www.champlain.edu/computer-forensics/masters-digital-forensics-science/curriculum
and of course the list would not be complete without a cheat sheet

[Image: Python cheat sheet]

Here is a great blog post about other tools that can give you a different view of what might be missing on a hard drive.

In reality, these tools might be a little much for most quick and dirty recovery jobs.

But fls can be invaluable for simply showing which files were recently deleted.

[Screenshot: fls output for sda2]

Ever have a .dd or .img image and need to inspect the contents for what exactly is inside?  While you could mount the image and then look at the raw files, doing so doesn’t tell you the starting sector or gaps in the layout.

mmls, part of The Sleuth Kit, does just that.

On the project page, there are three great partition examples — DOS, BSD, and Mac.

This is GREAT for looking for hidden data. 🙂
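To make concrete what mmls reports that a plain mount does not, here is an added Python example (not part of The Sleuth Kit and not code from this post) that reads a DOS/MBR partition table from a raw image and prints an mmls-style layout: the table sector, each primary partition with its start sector, end sector and length, and every unallocated range between them. The 512-byte MBR it parses is constructed inline with a deliberate gap between two partitions, and the 320000-sector disk size is an assumption; the parser handles primary entries only, so extended partitions and GPT disks are out of scope for it.

```python
import struct

SECTOR = 512  # sector size assumed for the constructed image


def build_sample_mbr():
    """Constructed sample: a 512-byte MBR whose partition table holds two
    primary partitions with an unallocated gap between them. This is not a
    real disk image; it exists only so the parser below has input."""
    mbr = bytearray(SECTOR)
    mbr[0x1FE:0x200] = b"\x55\xAA"  # boot signature
    entries = [
        # (boot flag, type, start LBA, length in sectors)
        (0x80, 0x07, 2048, 204800),    # NTFS, starts on the usual 1 MiB boundary
        (0x00, 0x83, 210000, 100000),  # Linux, deliberately leaves a gap before it
    ]
    for slot, (boot, ptype, start, length) in enumerate(entries):
        off = 0x1BE + 16 * slot
        mbr[off] = boot
        mbr[off + 4] = ptype
        struct.pack_into("<II", mbr, off + 8, start, length)
    return bytes(mbr)


def parse_mbr(image):
    """Return the non-empty primary partition entries of a DOS/MBR image."""
    if image[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("no 0x55AA boot signature: not a DOS partition table")
    parts = []
    for slot in range(4):
        off = 0x1BE + 16 * slot
        ptype = image[off + 4]
        start, length = struct.unpack_from("<II", image, off + 8)
        if ptype == 0 or length == 0:
            continue  # empty slot
        parts.append({"slot": slot, "type": ptype, "start": start, "length": length})
    return parts


def layout(parts, total_sectors):
    """Build an mmls-style layout: the table, the partitions and the
    unallocated ranges between them, in sector order. Each row is
    (description, start, end, length)."""
    rows = [("Table (#0)", 0, 0, 1)]
    cursor = 1
    for p in sorted(parts, key=lambda p: p["start"]):
        end = p["start"] + p["length"] - 1
        if p["start"] > cursor:
            rows.append(("Unallocated", cursor, p["start"] - 1, p["start"] - cursor))
        rows.append((f"Partition (type 0x{p['type']:02X})", p["start"], end, p["length"]))
        cursor = max(cursor, end + 1)
    if cursor < total_sectors:
        rows.append(("Unallocated", cursor, total_sectors - 1, total_sectors - cursor))
    return rows


def print_layout(rows):
    print(f"{'Start':>10} {'End':>10} {'Length':>10}  Description")
    for desc, start, end, length in rows:
        print(f"{start:>10} {end:>10} {length:>10}  {desc}")


if __name__ == "__main__":
    # A 320000-sector disk is assumed for the constructed image.
    print_layout(layout(parse_mbr(build_sample_mbr()), 320000))
```

The unallocated rows are the interesting ones for a hidden-data check: with the sample table, the 3152 sectors between the two partitions and the 10000 sectors after the last one are exactly the regions a mounted filesystem never shows you. To run it on a real image, replace build_sample_mbr() with the first 512 bytes of the file and pass the image size divided by 512 as total_sectors.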

Need to recover multiple hard drives at once on one system?  VMware’s ESXi is not only free, but allows you to map more than one hard drive to dedicated virtual machines.

Here is an overview of what’s supported on ESXi.

Taking forever for ddrescue (or dd_rescue) to run?  Well, why not focus on the good parts of the hard drive first and then worry about the bad sectors afterwards?

dd_rhelp does just this.

More information can be found here:

dd_rhelp is a bash script that handles a very useful program written in C by Kurt Garloff which is called dd_rescue; it roughly acts as the dd Linux command with the characteristic to NOT stop when it falls on read/write errors.

This makes dd_rescue the best tool for recovering hard drives having bad sectors.

Here is a working example of the program
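The good-parts-first strategy that dd_rhelp drives dd_rescue with, shown as an added Python simulation; this is not the dd_rhelp script or dd_rescue itself, and FlakyDisk, rescue and the sector numbers are constructed for the example. A constructed in-memory disk with two unreadable sectors stands in for a real device; the first pass sweeps it in large blocks and logs every block that errors, and only the second pass goes back to the logged blocks one sector at a time, so the drive spends most of its effort on the readable majority before being hammered on the bad spots.

```python
SECTOR = 512  # sector size assumed for the constructed disk


class FlakyDisk:
    """Constructed stand-in for a block device with unreadable sectors.
    Any read that touches a bad sector fails as a whole, as a real I/O
    error would, and every read is counted so the cost of the strategy
    can be compared against a sector-by-sector copy."""

    def __init__(self, data, bad_sectors):
        self.data = data
        self.bad = set(bad_sectors)
        self.reads = 0

    def read(self, start, count):
        self.reads += 1
        for s in range(start, start + count):
            if s in self.bad:
                raise OSError(f"I/O error at sector {s}")
        return self.data[start * SECTOR:(start + count) * SECTOR]


def rescue(disk, total_sectors, block=8):
    """Two-pass copy in the spirit of dd_rhelp: sweep the readable parts
    quickly in large blocks, log the blocks that fail, and only then go
    back to retry the logged blocks one sector at a time."""
    out = bytearray(total_sectors * SECTOR)  # unread sectors stay zero-filled
    recovered = set()
    failed_blocks = []

    # Pass 1: large blocks, skipping (and logging) anything that errors.
    pos = 0
    while pos < total_sectors:
        n = min(block, total_sectors - pos)
        try:
            out[pos * SECTOR:(pos + n) * SECTOR] = disk.read(pos, n)
            recovered.update(range(pos, pos + n))
        except OSError:
            failed_blocks.append((pos, n))
        pos += n

    # Pass 2: the logged blocks only, one sector at a time, so a bad sector
    # costs retries on its own block rather than on the whole disk.
    unreadable = []
    for start, n in failed_blocks:
        for s in range(start, start + n):
            try:
                out[s * SECTOR:(s + 1) * SECTOR] = disk.read(s, 1)
                recovered.add(s)
            except OSError:
                unreadable.append(s)
    return bytes(out), sorted(recovered), unreadable


def demo():
    """Constructed 64-sector disk: sector i is filled with byte value i,
    and sectors 5 and 37 are unreadable."""
    total = 64
    data = b"".join(bytes([i]) * SECTOR for i in range(total))
    disk = FlakyDisk(data, bad_sectors={5, 37})
    image, recovered, unreadable = rescue(disk, total)
    return {
        "recovered": len(recovered),
        "unreadable": unreadable,
        "reads": disk.reads,
        "intact": image[8 * SECTOR:9 * SECTOR] == data[8 * SECTOR:9 * SECTOR],
        "zeroed": image[5 * SECTOR:6 * SECTOR] == bytes(SECTOR),
    }


if __name__ == "__main__":
    print(demo())
```

With the 64-sector sample the two passes issue 24 reads in total (8 large-block reads plus 16 single-sector retries) and recover 62 sectors, where a naive sector-by-sector copy would issue 64 reads before finding the same two bad sectors; on a real drive the saving is what keeps a failing disk from being worked to death before its readable data is off it. The zero-filled holes in the output image are where a second tool, or a later pass with smaller blocks, still has work to do.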

Some great web pages on the differences between ddrescue and dd_rescue

A great overview on how SpinRite works.

(Download the PDF)