Thursday, 14 February 2013

Sleuthkit, File Recovery


In this case, I will try to analyze the file able2.dd.
The first step is to check how many partitions there are in able2.dd.
Do it with the following command:
root@bt:/media/Document/DOJO/Day11# mmls able2.dd

In the image above, we already know the offset of each partition. In this case, I will use partition 2 (offset 10260 sectors). Next, do the following:

root@bt:/media/Document/DOJO/Day11# blkls -o 10260 able2.dd > able2.blkls
root@bt:/media/Document/DOJO/Day11# ls -lh

In the command above, we run blkls on the second partition (-o 10260) of the image able2.dd and redirect the output (the unallocated blocks) to the file able2.blkls.
Next we search the able2.blkls file for the word "Cybernetik" with the following command:
root@bt:/media/Document/DOJO/Day11# grep -abi Cybernetik able2.blkls

The grep command (-a treats the binary file as text, -b prints the byte offset of each match, -i ignores case) tells us at which byte offsets the string "Cybernetik" occurs. From the information above, the string "Cybernetik" is found at four different offsets in the extracted unallocated space. In this case, we will focus on the first offset.

The next stage is to find the corresponding data block in the original file system (able2.dd).
Run the following command:
root@bt:/media/Document/DOJO/Day11# fsstat -o 10260 able2.dd

In the image above, we see that the block size of partition 2 is 1024 bytes.
Next we divide the byte offset of "Cybernetik" by the block size of the original file system (able2.dd) to find out which block of able2.blkls contains the string. Use the following command:
root@bt:/media/Document/DOJO/Day11# echo "1631299/1024" | bc



In the picture above, the string "Cybernetik" is in block 1593 of able2.blkls.

Then run blkcalc against the file system at offset
10260 (-o 10260) in able2.dd, passing the block number we calculated
from able2.blkls (-u 1593). The result is the original block, 5184.
Type the following command:
root@bt:/media/Document/DOJO/Day11# blkcalc -o 10260 -u 1593 able2.dd

In other words, blkcalc maps a block of the blkls output back to a block of the native file system (for example, data in block #3 of a blkls file might map to block #49 in the native file system).

Next, run the following command:
root@bt:/media/Document/DOJO/Day11# blkstat -o 10260 able2.dd 5184

Looking at the blkstat (data block statistics) output for block 5184 in the original image, we see that it is, in fact, unallocated, which makes sense, since we found it within our extracted unallocated space (we're back to the same results as in Exercise #2). Note that we are now running the commands on the original dd image. We'll continue on for the sake of completeness.

To view the raw content of the data block, type the command:
root@bt:/media/Document/DOJO/Day11# blkcat -o 10260 able2.dd 5184 | xxd | less

Then we extract the block to a file named ekstrak5184.blkcat. Type the commands:
root@bt:/media/Document/DOJO/Day11# blkcat -o 10260 able2.dd 5184 > ekstrak5184.blkcat
root@bt:/media/Document/DOJO/Day11# ls -lh

Note that the size of the output file generated by blkcat (ekstrak5184.blkcat) is
1.0K (1024 bytes, the file system block size), as expected.

Now we try to recover the original file by finding the inode that owns the data block. Type the ifind command:
root@bt:/media/Document/DOJO/Day11# ifind -o 10260 -d 5184 able2.dd
Then use istat to see the metadata for inode 10090.

In the image above, the metadata for inode 10090 shows that the inode is not allocated and that its first direct block is 5184, just as we expected.
We then use icat to recover the file. In this case, we only pipe the first lines of output through head to see our string of interest, "Cybernetik":
root@bt:/media/Document/DOJO/Day11# icat -o 10260 able2.dd 10090 | head -n 10
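The whole walk above (blkls, grep, block size, blkcalc, ifind, istat, icat) as one POSIX shell script. This is an added example, not part of the original post; it assumes The Sleuth Kit tools are on PATH, and the function names, the work directory and the output file names are my own.

```shell
#!/bin/sh
# Added example: automate the keyword -> unallocated block -> original block
# -> inode -> file walk from the post. Assumes blkls, fsstat, blkcalc, ifind,
# istat and icat (The Sleuth Kit) are installed.

# Byte offset reported by `grep -ab` -> block number inside the blkls output.
# Same arithmetic as `echo "1631299/1024" | bc` in the post (integer division).
blkls_block_for_offset() {
    # $1 = byte offset in the blkls file, $2 = file system block size
    echo $(( $1 / $2 ))
}

# Read the block size from fsstat output (the line "Block Size: 1024").
fs_block_size() {
    # $1 = image, $2 = partition offset in sectors (the -o value)
    fsstat -o "$2" "$1" | awk -F': *' '/^Block Size:/ {print $2; exit}'
}

# Full walk for the first hit of a keyword in unallocated space.
recover_by_keyword() {
    img=$1; off=$2; kw=$3; work=${4:-.}
    blkls -o "$off" "$img" > "$work/unalloc.blkls" || return 1
    bsize=$(fs_block_size "$img" "$off") || return 1
    # -a: binary as text, -b: byte offset, -i: ignore case, -o: offset of the
    # match itself rather than of the line start; first hit only, as in the post.
    hit=$(grep -abio -m1 "$kw" "$work/unalloc.blkls" | head -n 1) || return 1
    [ -n "$hit" ] || { echo "keyword not found in unallocated space"; return 1; }
    byteoff=${hit%%:*}
    ublk=$(blkls_block_for_offset "$byteoff" "$bsize")
    # blkcalc maps a blkls block back to a block in the original file system
    oblk=$(blkcalc -o "$off" -u "$ublk" "$img") || return 1
    echo "keyword at byte $byteoff -> blkls block $ublk -> fs block $oblk"
    # ifind -d reports the inode whose data includes that block, if any
    ino=$(ifind -o "$off" -d "$oblk" "$img") || return 1
    echo "block $oblk belongs to inode $ino"
    istat -o "$off" "$img" "$ino"
    icat -o "$off" "$img" "$ino" > "$work/inode_$ino.recovered"
    echo "content written to $work/inode_$ino.recovered"
}

# Example invocation with the post's values (needs the able2.dd image):
# recover_by_keyword able2.dd 10260 Cybernetik /tmp/work
```

Only blkls_block_for_offset is pure arithmetic; the other functions need the image and the Sleuth Kit binaries. If ifind prints "Inode not found", the block is orphaned and blkcat of the block is all that can be recovered.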