Forums
Main Category
General (Technical,...
How do i Extract a ...
 
Notifications
Clear all

How do i Extract a jpg from an unallocated directory

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by jaclaz 7 years ago
8 Posts
4 Users
0 Reactions
1,129 Views
RSS
 LukasRijn
(@lukasrijn)
New Member
Joined: 7 years ago
Posts: 2
Topic starter 07/06/2018 1:40 pm  

I have a project for school, a phishing case we need to solve. We got a laptop from which we extracted an E01 image. After analysing the image in autopsy, i came across an unallocated directory. But because of the interesting name i performed "string -td" on the image into a txt file. After that i grepped the name of the unallocated directory and found 3 jpg's within it. My question now is how do i extract or view these jpg's?


   
Quote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
07/06/2018 2:01 pm  

Which filesystem?

If it is a school exercise, most probably the single JPEG images are contiguous, so you need to find the start and end of each and then dd it to a new file

http//www.file-recovery.com/jpg-signature-format.htm

Autopsy/Sleuthkit have carving capabilities
https://wiki.sleuthkit.org/index.php?title=Carving

But of course there are tens of softwares capable of doing this kind of automated carving for a given filetype (in this case it is more "data recovery" than "digital forensics").

jaclaz


   
ReplyQuote
jpickens
 jpickens
(@jpickens)
Estimable Member
Joined: 18 years ago
Posts: 130
07/06/2018 2:59 pm  

Another free tool that works pretty well is called "photorec" (photo recovery). It also works well on non-image file types. https://www.cgsecurity.org/wiki/PhotoRec


   
ReplyQuote
 LukasRijn
(@lukasrijn)
New Member
Joined: 7 years ago
Posts: 2
Topic starter 07/06/2018 6:00 pm  

Thanks for the help i will defenitly try it. i tried "icat" ,after i found the inode, into a jpg file but it turned out it wasn't a jpg but something else.


   
ReplyQuote
 etiennem
(@etiennem)
New Member
Joined: 16 years ago
Posts: 4
13/06/2018 5:42 pm  

Search for the header and footer of an jpg file. Extract anything between.

Send me a PM. i am from Belgium
Regards,
Etienne


   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
13/06/2018 5:48 pm  

Search for the header and footer of an jpg file. Extract anything between.

Really? ?

Guess what exactly is on the given reference?
http//www.file-recovery.com/jpg-signature-format.htm

jaclaz


   
ReplyQuote
 etiennem
(@etiennem)
New Member
Joined: 16 years ago
Posts: 4
13/06/2018 6:40 pm  

Oeps - I didn't check the URL.
I use Garry Kessler website to extract all kinds of files in the dd image. The search can also be done in a hexviewer.
Searching for the footer or trailer is even not necessary; just select a large part and add the appropriate footer at the end of the file.
https://www.garykessler.net/library/file_sigs.html


   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
14/06/2018 9:39 am  

Oeps - I didn't check the URL.
I use Garry Kessler website to extract all kinds of files in the dd image. The search can also be done in a hexviewer.
Searching for the footer or trailer is even not necessary; just select a large part and add the appropriate footer at the end of the file.
https://www.garykessler.net/library/file_sigs.html

Yep, that is a very good source for this info ) .

Usually hex viewers/editors are usually slowish when searching, a tool that is suitable and works just fine/fast is gsar (in Windows)
http//tjaberg.com/
though unfortunately it has some limitations with the offsets, so it is a problem going through largish disk images becuase addresses "wrap" around.

jaclaz


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: