Wednesday, July 25, 2012

Device Forensics (Recover lost data and pics): recoverjpeg in BackTrack 5 R2




In this easy-to-do tut I will explain how to recover deleted JPEG files off of an SD card from my phone. It is a very simple task that you can complete by following the easy steps below.




Recover JPEGs from devices that have been erased


To start, you will need to open backtrack>Forensics>carvingtools>recoverjpeg

Next you will need to make a directory where the files will be saved. In the konsole that you just opened, type mkdir /root/Desktop/nameyourfile and hit enter.
You will now see the folder that you just made on the desktop.

Now in your konsole type cd Desktop (this will put you on the desktop).

Now type cd nameyourfile and hit enter. When recoverjpeg is run, the files will be saved to the folder we just made.

now type recoverjpeg (but DO NOT hit enter yet)

keep that konsole open and open a new one and type in fdisk -l and hit enter

that will show you the devices/drives on the computer

you will see something like this

Device Boot Start End Blocks Id System
/dev/sda1 * 13 19177 153928800 7 HPFS/NTFS
/dev/sda2 19177 30402 90165249 5 Extended
/dev/sda5 19177 29939 86451200 83 Linux
/dev/sda6 29940 30402 3713024 82 Linux swap / Solaris
root@bt:~#

This above ^ is without the phone plugged in. Plug in your device, make sure you can see it hooked up on your machine, and type in the fdisk -l command again. You will now see that device in the list, like below

Device Boot Start End Blocks Id System
/dev/sda1 * 13 19177 153928800 7 HPFS/NTFS
/dev/sda2 19177 30402 90165249 5 Extended
/dev/sda5 19177 29939 86451200 83 Linux
/dev/sda6 29940 30402 3713024 82 Linux swap / Solaris

Disk /dev/sdb: 1977 MB, 1977614336 bytes
256 heads, 63 sectors/track, 239 cylinders
Units = cylinders of 16128 * 512 = 8257536 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Device Boot Start End Blocks Id System
/dev/sdb1 * 1 240 1930240 c W95 FAT32 (LBA)
Partition 1 has different physical/logical beginnings (non-Linux?):
phys=(1023, 255, 63) logical=(0, 32, 33)
Partition 1 has different physical/logical endings:
phys=(1023, 255, 63) logical=(239, 125, 61)
root@bt:~#

Now you see the /dev/sdb1 above ^ that is my device I will be recovering!

Now go to the konsole that I told you not to close and paste in /dev/sdb1 after recoverjpeg. It will look like so: recoverjpeg /dev/sdb1. Hit enter and you should now be able to get all the JPEG files that were deleted off that device.
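
The before/after fdisk -l comparison from the steps above can be scripted so the new partition is picked out automatically. This is an added example, not part of the original post: the function names and the "recover" argument are made up for illustration, the sample listings are constructed from the partition rows shown above, and the live run assumes root and an installed recoverjpeg.

```shell
#!/bin/bash
# Added example (not from the original post): find the partition that shows up
# in `fdisk -l` only after the card is plugged in, then carve it with recoverjpeg.

# Print the /dev/... names from the partition rows of `fdisk -l` output on stdin.
list_partitions() {
    awk '$1 ~ /^\/dev\// { print $1 }' | sort -u
}

# new_partitions BEFORE AFTER: print partitions listed in AFTER but not in BEFORE.
new_partitions() {
    before=$(printf '%s\n' "$1" | list_partitions)
    printf '%s\n' "$2" | list_partitions | while read -r part; do
        printf '%s\n' "$before" | grep -qxF -- "$part" || printf '%s\n' "$part"
    done
}

# Constructed sample input: partition rows copied from the two listings above.
SAMPLE_BEFORE='/dev/sda1 * 13 19177 153928800 7 HPFS/NTFS
/dev/sda2 19177 30402 90165249 5 Extended
/dev/sda5 19177 29939 86451200 83 Linux
/dev/sda6 29940 30402 3713024 82 Linux swap / Solaris'
SAMPLE_AFTER="$SAMPLE_BEFORE
Disk /dev/sdb: 1977 MB, 1977614336 bytes
/dev/sdb1 * 1 240 1930240 c W95 FAT32 (LBA)"

# recover_new_device OUTDIR: live run (needs root and recoverjpeg installed).
recover_new_device() {
    outdir=$1
    before=$(fdisk -l 2>/dev/null)
    printf 'Plug in the card, wait for it to show up, then press Enter: '
    read -r reply
    after=$(fdisk -l 2>/dev/null)
    target=$(new_partitions "$before" "$after")
    # Stop unless exactly one new partition appeared, so the wrong disk is never scanned.
    if [ "$(printf '%s' "$target" | grep -c .)" -ne 1 ]; then
        echo "expected exactly one new partition, found: ${target:-none}" >&2
        return 1
    fi
    mkdir -p "$outdir" && cd "$outdir" || return 1
    recoverjpeg "$target"   # run from inside OUTDIR, as in the steps above
}

# Only touch real devices when asked to: ./script.sh recover /root/Desktop/nameyourfile
if [ "${1:-}" = "recover" ]; then
    recover_new_device "${2:?output directory required}"
else
    new_partitions "$SAMPLE_BEFORE" "$SAMPLE_AFTER"   # demo on the sample data
fi
```

Run with no arguments it only parses the sample listings; with recover and a folder name it repeats the steps above against the real device.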

I hope this helps you guys to recover your deleted SD cards/phone or whatever it is you may be trying to do. HAPPY HACKING!
