How do I extract a jpg from an unallocated directory

LukasRijn
(@lukasrijn)
New Member

I have a project for school, a phishing case we need to solve. We got a laptop from which we extracted an E01 image. After analysing the image in Autopsy, I came across an unallocated directory. But because of the interesting name I performed "string -td" on the image into a txt file. After that I grepped the name of the unallocated directory and found 3 jpgs within it. My question now is: how do I extract or view these jpgs?

Posted : 07/06/2018 1:40 pm
jaclaz
(@jaclaz)
Community Legend

Which filesystem?

If it is a school exercise, most probably the single JPEG images are contiguous, so you need to find the start and end of each and then dd it to a new file.

http://www.file-recovery.com/jpg-signature-format.htm

Autopsy/Sleuthkit have carving capabilities
https://wiki.sleuthkit.org/index.php?title=Carving

But of course there are tens of software programs capable of doing this kind of automated carving for a given filetype (in this case it is more "data recovery" than "digital forensics").

jaclaz

Posted : 07/06/2018 2:01 pm
jpickens
(@jpickens)
Active Member

Another free tool that works pretty well is called "photorec" (photo recovery). It also works well on non-image file types. https://www.cgsecurity.org/wiki/PhotoRec

Posted : 07/06/2018 2:59 pm
LukasRijn
(@lukasrijn)
New Member

Thanks for the help, I will definitely try it. I tried "icat", after I found the inode, into a jpg file, but it turned out it wasn't a jpg but something else.

Posted : 07/06/2018 6:00 pm
etiennem
(@etiennem)
New Member

Search for the header and footer of a jpg file. Extract anything between.

Send me a PM. I am from Belgium.
Regards,
Etienne

Posted : 13/06/2018 5:42 pm
jaclaz
(@jaclaz)
Community Legend

> Search for the header and footer of a jpg file. Extract anything between.

Really?

Guess what exactly is on the given reference?
http://www.file-recovery.com/jpg-signature-format.htm

jaclaz

Posted : 13/06/2018 5:48 pm
etiennem
(@etiennem)
New Member

Oops - I didn't check the URL.
I use Gary Kessler's website to extract all kinds of files in the dd image. The search can also be done in a hex viewer.
Searching for the footer or trailer is not even necessary; just select a large part and add the appropriate footer at the end of the file.
https://www.garykessler.net/library/file_sigs.html

Posted : 13/06/2018 6:40 pm
jaclaz
(@jaclaz)
Community Legend

> Oops - I didn't check the URL.
> I use Gary Kessler's website to extract all kinds of files in the dd image. The search can also be done in a hex viewer.
> Searching for the footer or trailer is not even necessary; just select a large part and add the appropriate footer at the end of the file.
> https://www.garykessler.net/library/file_sigs.html

Yep, that is a very good source for this info.

Hex viewers/editors are usually slowish when searching; a tool that is suitable and works just fine/fast is gsar (in Windows)
http://tjaberg.com/
though unfortunately it has some limitations with the offsets, so it is a problem going through largish disk images because addresses "wrap" around.

jaclaz

Posted : 14/06/2018 9:39 am
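
Added example, not part of any post in this thread: a Python carver for the header/footer approach discussed above. It walks the JPEG marker segments instead of stopping at the first FF D9, because an embedded EXIF thumbnail carries its own header and footer. It assumes a raw (dd) image with contiguous files (an E01 has to be exported to raw first); the function names and the SAMPLE bytes are constructed for illustration.

```python
import mmap, sys

SOI = b"\xff\xd8\xff"   # start-of-image plus the 0xFF of the next marker

def skip_scan(buf, pos):
    """Skip entropy-coded data: FF 00 is a stuffed byte, FF D0-D7 are restart markers."""
    while 0 <= (pos := buf.find(b"\xff", pos)) < len(buf) - 1:
        nxt = buf[pos + 1]
        if nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
            return pos                      # a real marker ends the scan
        pos += 1 if nxt == 0xFF else 2
    return None

def jpeg_end(buf, start):
    """Walk segments from SOI; return the offset just past the real EOI, else None."""
    pos = start + 2
    while pos + 2 <= len(buf) and buf[pos] == 0xFF:
        m = buf[pos + 1]
        if m == 0xD9:
            return pos + 2
        if m in (0xFF, 0x01) or 0xD0 <= m <= 0xD7:
            pos += 1 if m == 0xFF else 2    # fill byte or marker without a length
            continue
        seg_len = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if seg_len < 2:
            return None                     # length field counts itself, so < 2 is corrupt
        pos += 2 + seg_len                  # jumps over APPn payloads, thumbnails included
        if m == 0xDA and (pos := skip_scan(buf, pos)) is None:
            return None
    return None                             # broken structure: fragmented, truncated, not a JPEG

def carve_jpegs(buf):
    """Return (start, end) byte offsets of every structurally complete JPEG in buf."""
    found, pos = [], 0
    while (pos := buf.find(SOI, pos)) >= 0:
        if (end := jpeg_end(buf, pos)):
            found.append((pos, end))
        pos = end or pos + 2
    return found

THUMB = b"\xff\xd8\xff\xda\x00\x02\x11\x22\xff\xd9"   # constructed bytes, not a viewable image
SAMPLE = (bytes(512) + b"\xff\xd8\xff\xe1\x00\x0c" + THUMB
          + b"\xff\xda\x00\x02\xab\xff\x00\xcd\xff\xd0\xef\xff\xd9" + bytes(100))

if __name__ == "__main__":                  # python carve.py raw.dd (no argument: SAMPLE)
    f = open(sys.argv[1], "rb") if len(sys.argv) > 1 else None
    img = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) if f else SAMPLE
    for start, end in carve_jpegs(img):
        print(f"skip={start} count={end - start}")
```

The printed skip and count values are byte offsets, so they can be fed to dd with a block size of 1. On the sample, a plain search for the first FF D9 would stop at offset 528 inside the thumbnail, while the segment walk returns the full file ending at 541.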