±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 0 Overall: 35520
New Yesterday: 1 Visitors: 102

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Webinars

Free software that copies a block into a new file?

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

loonaluna
Member
 

Free software that copies a block into a new file?

Post Posted: Feb 27, 18 18:46

Hi sorry for the noob question, I may not be understanding how this works at all. But I found a continuous amount of free space in winhex that I suspect is the truecrypt container I'm looking for. I'm probably wrong, but I'll give it a try. Anyway, so Winhex says ''cannot allocate 74gb of continuous RAM, and the edit/copy block/into new file says with the evaluation version I can't save files larger than 200kb. I tried a free hexeditor out there called HxD and it doesn't have this option at all. Is there a free software out there that does this? Of course I hope to just copy the file into another hard drive, use the password I remember and it'll open...  
 
  

jaclaz
Senior Member
 

Re: Free software that copies a block into a new file?

Post Posted: Feb 27, 18 19:52

You want to use dd (Linux) or one of its ports to extract the data to a new file.

UNder Windows use (I personally prefer it over various dd ports) dsfo, part of the dsfok toolkit:
members.ozemail.com.au...index.html

If you want a GUI tool under Windows, meet Datarescuedd:
www.datarescue.com/pho...3/drdd.htm

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

loonaluna
Member
 

Re: Free software that copies a block into a new file?

Post Posted: Mar 01, 18 09:27

- jaclaz
You want to use dd (Linux) or one of its ports to extract the data to a new file.

UNder Windows use (I personally prefer it over various dd ports) dsfo, part of the dsfok toolkit:
members.ozemail.com.au...index.html


I'm not sure I understand. I copied the first 512 bytes of data from the free space I saw in winhex, pasted it into a file, saved it. Then applied this dsfo tool to it, and it made a new file with chinese characters in it. What's dsfo doing, am I doing something wrong, and where can I test my password on these 512 bytes of data?

- jaclaz


If you want a GUI tool under Windows, meet Datarescuedd:
www.datarescue.com/pho...3/drdd.htm

jaclaz


I believe by this you mean make a backup of the volume the deleted truecrypt container is sitting in. I already did that with other software, I'm working on a mirrored backup. Unless you mean it can select the free space that winhex is capable of seeing, and backup that. In that case this tool would be of use to me right now, but I don't see it?  
 
  

jaclaz
Senior Member
 

Re: Free software that copies a block into a new file?

Post Posted: Mar 01, 18 12:41

- loonaluna

I'm not sure I understand. I copied the first 512 bytes of data from the free space I saw in winhex, pasted it into a file, saved it. Then applied this dsfo tool to it, and it made a new file with chinese characters in it. What's dsfo doing, am I doing something wrong, and where can I test my password on these 512 bytes of data?


Well, it seems like you are missing some basics Question .

Without knowing HOW EXACTLY you used dsfo, it is hard to say, however it won't produce "Chinese characters", you asked about how to extract a block, and that is what dsfo can do, but you seemingly used Winhex for the extraction and then used dsfo (for doing what) on the already extracted/created new file.

Anything that is saved on a hard disk (or similar storage media) or on an image can be defined as an "extent" (or "block" as you called it).

An "extent" is defined by a start address and a length (usually measured either in bytes or in sectors).

If you open the *whatever* you are working on, the first sector you find of interest in Winhex will have an address, as an offset (as said either in bytes or in sectors, usually 512 bytes each).

So, if you are working on a file, let's say for the sake of the example you are working on file C:\mynicefile.img you open it in Winhex, you will start at offset 0.
If you want to extract from it first 512 bytes, you select in Winhex first 512 bytes, copy and paste to a new file, let's say C:\1st_sector_WH.bin.
Or you use dsfo as follows:
dsfo C:\mynicefile.img 0 512 C:\1st_sector_dsfo.bin

If you open (in Winhex) both files C:\1st_sector_WH.bin and C:\1st_sector_dsfo.bin, and compare them you will find that they are identical.

If you want to get an extent starting from second sector of length one sector, you can do the same with Winhex, with dsfo that would be:
dsfo C:\mynicefile.img 512 512 C:\2nd_sector_dsfo.bin

If you want to get the "extent" starting from third sector of length 10,000 sectors, with dsfo
dsfo C:\mynicefile.img 1024 5120000 C:\3_10000_dsfo.bin

DatarescueDD can do the same, only, since it is born to recove extents from disk, it acceppts only a disk or drive as source (that can be your image mounted) and not a file (while dsfo/dsfi accept files, physicaldrives and logical volumes).

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 
 
  

loonaluna
Member
 

Re: Free software that copies a block into a new file?

Post Posted: Mar 02, 18 19:56

Thanks for pointing all that out so patiently jaclaz. Indeed I am new to this and didn't know what I was doing yesterday. Smile  
 

Page 1 of 1