Kamis, 14 Februari 2013

Carving with DD


Next example, we will use dd to carve a JPEG image from a chunk of RAW data. By itself, this is not a real useful exercise. There are lots of tools out there that will “carve” files from forensic images, including a simple cut and paste from a hex editor. However, the purpose of this exercise is to help
you become more familiar with dd. In addition, you will get a chance to use a number of other tools in preparation for the “carving”. This will help amiliarize you further with the Linux toolbox.

Have a brief look at the file image_carve.raw with your wonderful command line hexdump tool, xxd:
# xxd image_carve.raw | less

it’s really just a file full of random characters. Somewhere inside there is a standard JPEG image. Let’s go through the steps we need to take to “recover” the picture file using dd and other Linux tools. We are going to stick with command line tools available in most default installations.
First we need a plan. How would we go about recovering the file? What are the things we need to know to get the image (picture) out, and only the image? Imagine dd as a pair of scissors. We need to know where to put the scissors to start cutting, and we need to know where to stop cutting. Finding
the start of the JPEG and the end of the JPEG can tell us this. Once we know where we will start and stop, we can calculate the size of the JPEG. We can then tell dd where to start cutting, and how much to cut. The output file will be our JPEG image. Easy, right? So here’s our plan, and the tools we’ll use:
1) Find the start of the JPEG (xxd and grep)
2) Find the end of the JPEG (xxd and grep)
3) Calculate the size of the JPEG (in bytes using bc)
4) Cut from the start to the end and output to a file (using dd)

This exercise starts with the assumption that we are familiar with standard file headers. Since we will be searching for a standard JPEG image within the data chunk, we will start with the stipulation that the JPEG header begins with hex ffd8 with a six-byte offset to the string “JFIF”. The end of the
standard JPEG is marked by hex ffd9.
Let’s go ahead with step 1: Using xxd, we pipe the output of our image_carve.raw file to grep and look for the start of the JPEG9:
# xxd image_carve.raw | grep ffd8

As the output shows, using grep we’ve found the pattern “ffd8” near thestring “JFIF”. The start of a standard JPEG file header has been found. The offset (in hex) for the beginning of this line of xxd output is 00052a0. Now we can calculate the byte offset in decimal. For this we will use the bc command. Bc is a command line “calculator”, useful for conversions and calculations. It can be used either interactively or take piped input. In this case we will echo the hex offset to bc, first telling it that the value is in base 16. bc will return the decimal value. Let's type a command
# echo "ibase=16;00052A0" | bc
21152

It’s important that you use uppercase letters in the hex value. Note that this is NOT the start of the JPEG, just the start of the line in xxd’s output. The “ffd8” string is actually located another 4 bytes farther into that line of output. So we add 4 to the start of the line. Our offset is now 21156. We have found and calculated the start of the JPEG image in our data chunk. Now it’s time to find the end of the file. Since we already know where the JPEG starts, we will start our search for the end of the file from that point. Again using xxd and grep we search for the string. Type a command
# xxd -s 21556 image_carve.raw | grep ffd9

The –s 21156 specifies where to start searching (since we know this is the front of the JPEG, there’s no reason to search before it and we eliminate false hits from that region). The output shows the first “ffd9” at hex offset 0006c74. Let’s convert that to decimal:
# echo "ibase=16;0006C74" | bc
27764

Because that is the offset for the start of the line, we need to add 2 to the value to include the ffd9 (giving us 27766). Now that we know the start and the end of the file, we can calculate the size:
# echo "27766 - 21156" | bc
6610

We now know the file is 6610 bytes in size, and it starts at byte offset 21156. The carving is the easy part! We will use dd with three options:
skip: how far into the data chuck we begin “cutting”.
bs: (block size) the number of bytes we include as a “block”.
count: the number of blocks we will be “cutting”.

The input file for the dd command is image_carve.raw. Obviously, the value of skip will be the offset to the start of the JPEG. The easiest way to handle the block size is to specify it as bs=1 (meaning one byte) and then setting count to the size of the file. The name of the output file is arbitrary.
Let's type a command
# dd if=image_carve.raw of=result.jpg skip=21156 bs=1 count=6610

You should now have a file in your current directory called result.jpg. Now, Look "result.jpg" on our Directory
#ls

Successfully ..
Good Luck for your try Harder !!!









2 komentar: