I recently lost some email in Thunderbird Inbox and would like to scan unused clusters in NTFS (WinXP) looking for email Message Headers to see if I can find any of the lost messages. Some kind of forensic scanning tool, or perhaps write my own simple tool if I can figure out how to access the NTFS at a low enough level, find what clusters are unused and scan each one. Any suggestions?
What happened is that the laptop crashed, and next start up it did a scan disk. I didn't notice the problem right away, but next time I opened Thunderbird it created a new blank Inbox. It wasn't just a problem with the inbox index, I checked the inbox file size and it was a few hundred K instead of over a GIG. I think the scan disk must have deleted the original inbox, or somehow truncated it. Standard undelete programs don't find a deleted Inbox file, so I'm guessing that the File's directory entry must have been reused.
I'm sure the email data is still on the disk in the unused clusters. I stopped using the disk, cloned the system to a new disk and set the original aside. I have managed to recover most of the Inbox from a somewhat dated backup (my bad) and import a few chunks from another client that I had checked email with a few times, so it's not the end of the world.
I have been using FTK 1.81 in my Digital Forensics class to do exactly what you are attempting. The FTK download is available free for up to 5000 files. FTK Imager is a free imaging tool to create the image file that you can process in FTK 1.81.
I am very new to this field, but this has worked flawlessly in my classroom labs.
jgalvan
I would say for starters to download FTK Imager (free) and create a forensic image (you won't need a write blocker if it's just your personal stuff). I believe Thunderbird file extensions are .msf. Look for any .msf files, right-click them and save them to a location.
Next step is to download the FTK demo version. This will provide full functionality up to 5000 files. Open the saved files using the FTK demo and look through them. You should be able to read them using this.
Another method that might work is to take your saved files and import them into your current Thunderbird client. That might let you read them as though they have been there the whole time.
Try that out.
You won't need a write blocker since it's your personal stuff?
So he wants to potentially write over things he's trying to recover?
Thanks for the quick replies, I'll check FTK out, but I'm a bit confused by your reference to files, as in it will process 5000 files, or looking for and saving .msf files. (Actually Thunderbird saves the messages in a file without an extension, and an index to the messages in the .msf file.)
The Inbox file was overwritten with a shorter file, so the Inbox file exists, it's just missing over a gig of data. I've used OnTrack's Easy Recovery Professional to look for deleted files, but there are no deleted Inbox files, so there doesn't seem to be an existing "deleted" entry in the MFT for the old Inbox file. I don't think I'll be able to look for it as a file per se.
Will FTK allow me to search unallocated space (or clusters or sectors) for email message headers?
Thanks for your help.
Yes, FTK will let you process the entire drive and then search the unallocated clusters for bits of data that you remember from some of those emails.
Problem is, it sounded like this was on a complete system drive; the demo/free version of FTK (use the 1.8x version, not v2 or v3) will only process up to the first 5000 files (unallocated data is broken into 26 MB chunks and each chunk counts as a file). So likely the free version would not index your entire drive.
Do you understand Linux? Can you run VMWare Player? If so, download the SANS SIFT VM workstation at
https://
This is a Linux workstation VM purpose-built for forensics. Run the VM and connect your original drive as a secondary drive to the VMWare host computer (if your host is Linux, don't mount the drive; if your host is Windows, make sure you do not assign a drive letter).
Then edit the SANS SIFT VM config to add the additional hard drive as a second drive to the VM. Make sure you add it as a physical disk.
Now boot the SIFT VM.
Now you can use the various forensic tools on the SIFT VM to carve out data from the drive.
SIFT has Autopsy/Sleuthkit installed. It has a web browser front end, or you can run the tools from the command line.
Tools to use are:
dcfldd (or dd) to create an image file. This would be best, but the tools should work on the devices also, such as /dev/sdb.
blkls: you can extract all the unallocated space to an image file with this command: blkls /dev/sdb1 > myunallocatedspace.img
or: blkls /mnt/myoldemail.img > myunallocatedspace.img
From there you could:
Carve out files with foremost:
foremost -c configfilename -o output_dir myoldemail.img
The foremost.conf file is at /usr/local/etc/foremost.conf.
Make a copy and delete the types of files that you don't want to carve.
Search through unallocated space for your known strings of data with:
srch_strings -a -t d myoldemail.img > stringsfile.txt
cat stringsfile.txt | grep "your string"
or gedit stringsfile.txt and use the graphical find from the editor.
That should give you a start.
Also give the Autopsy browser interface a try. It's the icon of the paper with a magnifying glass on it, 3rd from the right top of the screen in SIFT.
Good luck.
Mark
It would appear that your original Thunderbird file has been truncated by being overwritten with a shorter one. If the same MFT entry has been used, then all allocation data has been lost. It is very likely that a 3GB file will be fragmented, particularly as e-mail files grow over a period of time.
I do not know much about Thunderbird files, but many e-mail systems compress the data. This will make the suggestion to search for known strings very difficult.
If the data is not compressed, then I would suggest that the only way to find fragments will be with search strings. The text of e-mails may be recovered, but it will not be possible to recover a working inbox.
If I was trying to recover this data I would work on the premise that the start of the file has been overwritten, and that the file has been fragmented. Try and discover from other Thunderbird files if the data is compressed.
Again, Thanks for the quick replies!
Yes, you are correct in that it was the system drive, a 500 GB physical disk with 300 for WinXP and the rest for Ubuntu 9.10. (I was just playing with Ubuntu and frankly never really got it all working correctly on my laptop due to multiple screens and WiFi issues …) There's about 170 GB free on the Windows partition, so that would be a bit more than 5000 files of 26 MB chunks of free space, not to mention all the actual files, which I'm assuming it would image first.
I have a passing familiarity with Linux, and have a couple Linux and FreeBSD servers that I play with, not a linux guru, but I've gotten them to the point that they do what they're supposed to do and I generally don't have to mess with them much. I've even played a bit with VMWare, not enough so that I know how to edit a virtual machine's config to see another physical disk, but that will probably force me to learn more about it since I now have a project that requires it.
I'll review those tools, and if the VM stuff adds too much complexity, I'm guessing that I could probably use apt-get and install them directly into the Ubuntu that I'm "playing" with and connect the other drive externally with a USB adaptor. That would slow down access, but hopefully the USB adaptor would still allow access at a low enough level to examine the unallocated space on the drive.
I'm not that worried about creating an image file, since it would be quite large, and I might need yet another drive just to hold it, and I don't expect to be writing any new files to that drive until I'm done recovering the messages (then I'll probably wipe and repurpose the drive anyway).
Regarding the files themselves, Thunderbird keeps the messages in plain text in something like "mbox" format, which means that you can read them with a simple text editor. Each message starts with a fairly standard set of headers with easily searched strings beginning with a "From - <nonsense date string>" line followed a few lines later by a valid "Date <valid date string>" line. If I get to the point that I can find clusters with email message headers it shouldn't be too difficult to determine if they are in the date range of missing messages and simply copy blocks of text to a new file. That file when copied to the right directory will then auto-magically show up as a mailbox when Thunderbird is opened and the messages can be copied out back into the mailbox where they belong!
Thanks again for the guidance. Cla.
OK, your idea with the Ubuntu may work. The VM stuff is not really that complicated.
Installing Autopsy in Ubuntu sounds like it might work, give it a go. Use the commands I listed above.
The only really difficult issue you are going to have is attachments to the emails; they will likely be encoded using uuencode. You would have to find the start and end and copy the data into a new file. Then either get a decoder, or a trick that works sometimes is to change the extension on the new file to .UUE and then open it with WinZIP.
Good luck and let us know here how it went.
Actually the attachments aren't as bad as they might seem. They are embedded right in the messages, which are encoded in MIME, allowing all of the message to be sent as 7-bit ASCII, so all I have to do is copy blocks of text starting at the beginning "From - <nonsense date string>" line up to the next "From - <nonsense date string>". If there is an attachment in the message it just shows up as a block of nonsense ASCII characters embedded in that block between the "From" lines. So once that block of text is copied to a file in the Thunderbird mail directory, when it is opened by Thunderbird the message and attachment will auto-magically show up as expected.
Again thanks for the help. I'll let you all know what success I have… (or ask for more help if I hit a wall <grin>).
Cla.
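The block-copying approach Cla describes in the last two posts (everything from one "From - <date>" line up to the next, with the real Date header a few lines in and MIME-encoded attachments riding along as 7-bit text) can be automated over the whole unallocated image. The following is an added example, not Thunderbird's code or any tool named in the thread; the separator and Date-header handling follow the format described above, the sample image is constructed for the example, and the function names and the 64 MB cut-off for a message whose terminating separator is gone are my own choices.

```python
"""Carve Thunderbird mbox messages out of a raw or unallocated-space image.

Each message is plain text: a "From - <ctime-style date>" separator line, the
message headers (with a real "Date:" header), a blank line, then the body with
attachments MIME-encoded inline.  This scans for separators, takes everything
up to the next one as a message, reads its Date header, keeps the messages in
a date range and writes them to a new mbox for the Thunderbird mail directory.
Example code added to this thread; not Thunderbird's code or any tool named above.
"""
import email.utils
import re
from datetime import datetime, timezone

# Thunderbird separator.  A "From - " in the middle of a text line is body text,
# not a separator, so it must be preceded by a line break, slack (NUL) bytes,
# foreign binary data, or the start of the image.  The date on this line is
# whatever the client wrote at store time; it is matched but not trusted.
SEPARATOR = re.compile(
    rb"(?<![\x20-\x7e])From - [A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}\r?\n")
DATE_HEADER = re.compile(rb"(?mi)^Date:[ \t]*(.+)$")
MAX_MESSAGE = 64 * 1024 * 1024  # assumed cut-off when the terminating separator is gone


def find_messages(image):
    """Yield (offset, raw_bytes) for each separator-delimited block in a bytes-like image.

    NUL slack after a message is stripped; the last block is cut at MAX_MESSAGE.
    """
    starts = [m.start() for m in SEPARATOR.finditer(image)]
    for i, start in enumerate(starts):
        end = starts[i + 1] if i + 1 < len(starts) else min(len(image), start + MAX_MESSAGE)
        yield start, bytes(image[start:end]).rstrip(b"\x00")


def message_date(raw):
    """Return the Date header as an aware datetime, or None if missing or unparsable."""
    # Look only at the header block so a forwarded "Date:" line in the body
    # is never mistaken for the real header.
    blank = re.search(rb"\r?\n\r?\n", raw)
    headers = raw[: blank.start()] if blank else raw
    m = DATE_HEADER.search(headers)
    if not m:
        return None
    try:
        dt = email.utils.parsedate_to_datetime(m.group(1).decode("ascii", "replace").strip())
    except (TypeError, ValueError):
        return None
    if dt.tzinfo is None:  # "-0000" dates come back naive; treat them as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def carve_mbox(image, start, stop):
    """Return (kept_messages, report): messages dated within [start, stop], plus one
    (offset, status) per block found: ISO date if kept, "out-of-range", or
    "no-date" for a torn fragment that deserves a manual look."""
    kept, report = [], []
    for offset, raw in find_messages(image):
        dt = message_date(raw)
        if dt is None:
            report.append((offset, "no-date"))
        elif start <= dt <= stop:
            kept.append(raw.rstrip(b"\r\n") + b"\n\n")  # blank line keeps the next separator on its own line
            report.append((offset, dt.isoformat()))
        else:
            report.append((offset, "out-of-range"))
    return kept, report


def write_mbox(path, messages):
    """Write the kept messages as one mbox file, e.g. "Recovered" in the Thunderbird profile."""
    with open(path, "wb") as f:
        for msg in messages:
            f.write(msg)
    return len(messages)


def sample_image():
    """Constructed stand-in for a slice of unallocated space: junk, three messages, one torn fragment."""
    junk = b"\x00" * 64 + b"FILE0\x03\x00" + bytes(range(256))  # 327 bytes of non-mail data
    msg1 = (b"From - Mon Mar 15 10:02:33 2010\nX-Mozilla-Status: 0001\n"
            b"Date: Mon, 15 Mar 2010 10:01:12 -0500\nFrom: alice@example.com\n"
            b"To: cla@example.com\nSubject: lost message\n\nBody of the first message.\n"
            b"----- Original Message -----\nDate: Fri, 1 Jan 1999 00:00:00 +0000\n\n")
    msg2 = (b"From - Tue Mar 16 08:00:00 2010\nDate: Tue, 16 Mar 2010 07:59:01 +0000\n"
            b"From: bob@example.com\nSubject: with attachment\nMIME-Version: 1.0\n"
            b"Content-Type: multipart/mixed; boundary=\"sep\"\n\n--sep\n"
            b"Content-Type: text/plain\n\nSee attached.\n--sep\n"
            b"Content-Type: application/octet-stream; name=\"a.bin\"\n"
            b"Content-Transfer-Encoding: base64\n\nAAECAwQFBgc=\n--sep--\n\n")
    msg3 = (b"From - Sat Jan  2 12:00:00 2010\nDate: Sat, 2 Jan 2010 11:59:59 +0000\n"
            b"Subject: already in the old backup\n\nOld.\n\n")
    frag = b"From - Wed Mar 17 09:30:00 2010\nSubject: torn off at a cluster bou"
    return junk + msg1 + b"\x00" * 512 + msg2 + msg3 + frag


def carve_sample():
    """Run the carver over the constructed image for March 2010, the range the thread is about."""
    start = datetime(2010, 3, 1, tzinfo=timezone.utc)
    stop = datetime(2010, 4, 1, tzinfo=timezone.utc)
    return carve_mbox(sample_image(), start, stop)
```

For the real thing, open the blkls output and hand carve_mbox an mmap (mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) works with re.finditer) so the whole image is never read into memory, then write_mbox the result to a new file in the mail directory. Two caveats follow from the fragmentation point made earlier in the thread: a message split across non-adjacent clusters will be carved with foreign data in its middle or will end at the cluster boundary, and those show up as "no-date" entries or as bodies that stop abruptly, so the report is worth reading before trusting the mbox; and a message whose Date header is in the range but whose body belongs to an older copy of the same file will be kept too, so expect some duplicates of mail you already restored from the backup.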