How do I extract a jpg from an unallocated directory

(@lukasrijn)
Posts: 2
New Member
Topic starter
 

I have a project for school, a phishing case we need to solve. We got a laptop from which we extracted an E01 image. After analysing the image in Autopsy, I came across an unallocated directory. Because of its interesting name, I ran "string -td" on the image and wrote the output to a txt file. After that I grepped for the name of the unallocated directory and found 3 jpgs within it. My question now is: how do I extract or view these jpgs?

 
Posted : 07/06/2018 12:40 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Which filesystem?

If it is a school exercise, most probably the single JPEG images are contiguous, so you need to find the start and end of each and then dd it to a new file.

http://www.file-recovery.com/jpg-signature-format.htm

Autopsy/Sleuthkit have carving capabilities
https://wiki.sleuthkit.org/index.php?title=Carving

But of course there are tens of programs capable of doing this kind of automated carving for a given filetype (in this case it is more "data recovery" than "digital forensics").

jaclaz

 
Posted : 07/06/2018 1:01 pm
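
The start/end search described in the post above, as an added example that is not code from this thread. It goes one step beyond "first footer after the header" by walking the JPEG segment structure, so the FF D9 of an EXIF thumbnail embedded in the image is not mistaken for the end of the file. Assumptions: the data is a raw byte buffer, each JPEG is contiguous, the names `jpeg_end` and `carve_jpegs` are hypothetical, and the sample bytes are constructed.

```python
SOI = b"\xff\xd8\xff"  # start-of-image plus the first byte of the next marker
def jpeg_end(buf, start):
    """Return the offset one past EOI for the JPEG at `start`, or None if incomplete."""
    pos, n = start + 2, len(buf)
    while pos + 2 <= n:
        if buf[pos] != 0xFF:
            return None                      # not a marker: corrupt or fragmented
        marker = buf[pos + 1]
        if marker == 0xD9:                   # EOI of the outer image
            return pos + 2
        if marker == 0xFF:                   # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                         # standalone markers carry no length
            continue
        seglen = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if seglen < 2:
            return None                      # invalid or truncated length field
        pos += 2 + seglen                    # skips APPn payloads, incl. EXIF thumbnails
        if marker == 0xDA:                   # SOS: entropy-coded data follows
            while True:
                pos = buf.find(b"\xff", pos)
                if pos < 0 or pos + 1 >= n:
                    return None              # ran out of data before any marker
                nxt = buf[pos + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos += 2                 # stuffed 0xFF byte or restart marker
                elif nxt == 0xFF:
                    pos += 1                 # fill byte
                else:
                    break                    # real marker; outer loop handles it
    return None

def carve_jpegs(buf):
    """Return (start, end) ranges of structurally complete, contiguous JPEGs."""
    found, pos = [], buf.find(SOI)
    while pos != -1:
        end = jpeg_end(buf, pos)
        if end is not None:
            found.append((pos, end))
        pos = buf.find(SOI, end if end is not None else pos + 1)
    return found

# Constructed sample (not a decodable picture): outer JPEG with a thumbnail in APP1.
THUMB = b"\xff\xd8\xff\xdb\x00\x04\x00\x00\xff\xda\x00\x02\x11\x22\xff\xd9"
OUTER = (b"\xff\xd8\xff\xe1" + (2 + len(THUMB)).to_bytes(2, "big") + THUMB
         + b"\xff\xda\x00\x02\x12\xff\x00\x34\xff\xd0\x56\xff\xd9")
SAMPLE = b"\x00" * 512 + OUTER + b"\x00" * 100
```

Each returned range can be written out as `buf[start:end]`, which is the same cut a dd with the matching skip and count would make. A `None` from `jpeg_end` means the file is truncated or fragmented at that offset.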
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

Another free tool that works pretty well is called "photorec" (photo recovery). It also works well on non-image file types. https://www.cgsecurity.org/wiki/PhotoRec

 
Posted : 07/06/2018 1:59 pm
(@lukasrijn)
Posts: 2
New Member
Topic starter
 

Thanks for the help, I will definitely try it. I tried "icat", after I found the inode, into a jpg file, but it turned out it wasn't a jpg but something else.

 
Posted : 07/06/2018 5:00 pm
(@etiennem)
Posts: 4
New Member
 

Search for the header and footer of a jpg file. Extract anything between.

Send me a PM. I am from Belgium.
Regards,
Etienne

 
Posted : 13/06/2018 4:42 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

"Search for the header and footer of a jpg file. Extract anything between."

Really?

Guess what exactly is on the given reference?
http://www.file-recovery.com/jpg-signature-format.htm

jaclaz

 
Posted : 13/06/2018 4:48 pm
(@etiennem)
Posts: 4
New Member
 

Oops - I didn't check the URL.
I use Gary Kessler's website to extract all kinds of files in the dd image. The search can also be done in a hex viewer.
Searching for the footer or trailer is not even necessary; just select a large part and add the appropriate footer at the end of the file.
https://www.garykessler.net/library/file_sigs.html

 
Posted : 13/06/2018 5:40 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

"Oops - I didn't check the URL.
I use Gary Kessler's website to extract all kinds of files in the dd image. The search can also be done in a hex viewer.
Searching for the footer or trailer is not even necessary; just select a large part and add the appropriate footer at the end of the file.
https://www.garykessler.net/library/file_sigs.html"

Yep, that is a very good source for this info.

Hex viewers/editors are usually slowish when searching; a tool that is suitable and works just fine/fast is gsar (in Windows)
http://tjaberg.com/
though unfortunately it has some limitations with the offsets, so it is a problem going through largish disk images because addresses "wrap" around.

jaclaz

 
Posted : 14/06/2018 8:39 am