
fetch data of an unallocated space? (SleuthKit)

(@amigo)
Posts: 1
New Member
Topic starter
 

Hey guys,

for a university exercise I need to find a "hidden" picture inside an unallocated space from a USB image.
However, whatever I tried, it doesn't work. I tried to extract the unallocated space first with dd and then wanted to list it with "fls". It doesn't work; with almost every command I get "Cannot determine file system type". So how can I get files inside an unallocated space with the SleuthKit? Thank you very much!

 
Posted : 05/01/2017 2:14 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

You are missing a logical step.

If there is anything in unallocated space, you cannot see it with anything that - like fls - uses the filesystem structures
http://www.sleuthkit.org/sleuthkit/man/fls.html

By definition unallocated is not allocated (or if you prefer not listed) by whatever filesystem indexing structure.

Also you seem to have been mistaken by the screenshot you posted.

When you are told to look into unallocated areas the "unallocated" may mean TWO different kinds of unallocated areas:
1) the ones marked in your screenshot as "unallocated" (that actually are not "unallocated", but rather "unused" as they are outside the volumes extents)
2) the ones within the volume(s) extents
You want to check besides the #1 (listed in your screenshot) also the #2.

So what you were tasked with is "data carving", which - in The Sleuthkit - is done first thing with blkls
https://wiki.sleuthkit.org/index.php?title=FS_Analysis

BUT the target of blkls (just like that of fls) is a filesystem (or volume) not a "whole device" image.

I hope I have given you enough hints to make some progress.

jaclaz

 
Posted : 05/01/2017 3:02 pm
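To illustrate the distinction drawn in the reply above, here is an added example (not part of either post and not Sleuth Kit code): it reads an MBR partition table, lists the sector ranges outside every volume (kind #1), and signature-carves JPEGs from them. The function names and the 64-sector sample image are constructed for illustration; for kind #2, the output of `blkls -o <start sector> image.dd` could be fed to the same carving function.

```python
import struct

SECTOR = 512
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"

def partitions(image):
    """Return sorted (start_sector, sector_count) for each used primary MBR entry."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no MBR boot signature")
    # Each 16-byte entry: type at +4, LBA start at +8, sector count at +12.
    entries = (struct.unpack_from("<4xB3xII", image, 446 + 16 * i) for i in range(4))
    return sorted((start, count) for ptype, start, count in entries if ptype and count)

def unused_gaps(image):
    """Sector ranges (start, end) outside every partition (kind #1 in the reply)."""
    total = len(image) // SECTOR
    gaps, cursor = [], 1  # sector 0 holds the MBR itself
    for start, count in partitions(image):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = max(cursor, start + count)
    if cursor < total:
        gaps.append((cursor, total))
    return gaps

def carve_jpegs(image, ranges):
    """Naive header/footer carving; assumes each JPEG is stored contiguously."""
    found = []
    for start, end in ranges:
        region = image[start * SECTOR:end * SECTOR]
        pos = region.find(JPEG_SOI)
        while pos != -1:
            stop = region.find(JPEG_EOI, pos + 3)
            if stop == -1:
                break  # header without footer: truncated or fragmented
            found.append((start * SECTOR + pos, region[pos:stop + 2]))
            pos = region.find(JPEG_SOI, stop + 2)
    return found

def build_sample():
    """Constructed image: one partition at sectors 8-39, fake JPEG at sector 48."""
    img = bytearray(64 * SECTOR)
    img[446 + 4] = 0x0B  # partition type byte (FAT32)
    struct.pack_into("<II", img, 446 + 8, 8, 32)
    img[510:512] = b"\x55\xaa"
    fake = JPEG_SOI + b"\xe0constructed-payload" + JPEG_EOI
    img[48 * SECTOR:48 * SECTOR + len(fake)] = fake
    return bytes(img), fake
```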