Marsの5εcur1ty備忘録

An irregularly updated technical blog centred on information security: CTF, vulnerability verification, bug bounty report analysis and so on.

Oops! You removed your important files yourself! -> Here is the solution (File Recovery in Linux)

Situation (it is fiction):
Today's topic is:
'Oops, Your Important Files Are Encrypted!'


Ransomware?
No!
Ransomware is dangerous, but we can use anti-virus software to protect our files against it; sometimes, however, we remove important files ourselves by mistake.
Nobody can save us then but ourselves.

One day, I used the rm command to remove some useless files.


Oops! I removed a file by mistake that doesn't look like a trash file at all.

I remember that many important things are recorded in this file, so how can I recover it?

Well, calm down and try the following steps.

*1. Check the partition.

I'm using the sda1 partition now.

*2. Check the file system of your OS.

> df -T


The file system of sda1 is ext4.
If your file system is ext3 or ext4, you can go on to the next step. If not, ... I recommend searching for a method to recover files on file system XXX ... :>

*3. Check the time that you removed the file.

> export HISTTIMEFORMAT="%F %T "
> history


We get a super long command history list (unless you hardly ever use this Linux machine), and we can see that the time I removed the file is "2019-05-22 04:35:05".

*4. Convert the date&time to a Unix timestamp.

> date +%s --date "[your date&time]"    (<- replace the bracketed part with the time from step 3; do not copy it literally)


! Important: If the file you removed is located in the root partition, you should follow step 5. If not, just skip step 5 and go to step 6.

*5. Boot a Linux live CD or prepare a USB flash drive.

Linux Guide: How To Easily Create A Bootable Live USB Using Ubuntu

Boot it.

*6. Download extundelete. If the extundelete tool is not available in your OS, you should first download and build it.
Check the release information first.

> wget "http://downloads.sourceforge.net/project/extundelete/extundelete/0.2.0/extundelete-0.2.0.tar.bz2?r=http%3A%2F%2Fsourceforge.net%2Fprojects%2Fextundelete%2F&ts=1318824482&use_mirror=nchc"
> tar jxvf extundelete-0.2.0.tar.bz2
> cd extundelete-0.2.0
> ./configure
> make

*7. Recover.
* Note: extundelete can only be executed by the root user.
* Remount /dev/sda1 (replace it with your current device) as read-only.

> sudo mount -o remount,ro /dev/sda1

(Using the timestamp for recovery: --after takes the Unix timestamp from step 4 and restores everything deleted on or after that time)

> extundelete --after 1558514105 --restore-all /dev/sda1

or

(Specifying the file to recover)

> extundelete --restore-file /tmp/testfile /dev/sda1

Then, a directory named 'RECOVERED_FILES' is created in the current directory.

If you succeed, you can see the recovered files there.
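The checks from steps 2, 4 and 7 put together as one small POSIX shell script. This is an added example, not code from the original post: it assumes GNU date (as the post does), parses a /proc/mounts line that is constructed here rather than read from the machine, and only prints the extundelete command instead of running it.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU date, as the post
# uses, and a /proc/mounts line constructed below instead of read from disk.

# Step 4: turn the local "YYYY-MM-DD HH:MM:SS" shown by `history` into a Unix
# timestamp. The result depends on the TZ of the shell running it.
to_unix_ts() {
    date +%s --date "$1"
}

# Step 2: extundelete handles ext3/ext4 only.
fs_supported() {
    case "$1" in
        ext3|ext4) return 0 ;;
        *)         return 1 ;;
    esac
}

# Parse one /proc/mounts line ("dev mountpoint fstype options ...") and print
# "fstype ro|rw", so both the filesystem type (step 2) and the read-only
# remount (step 7) can be verified from the same place.
mount_state() {
    printf '%s\n' "$1" | awk '{
        mode = "rw"
        n = split($4, opts, ",")
        for (i = 1; i <= n; i++) if (opts[i] == "ro") mode = "ro"
        print $3, mode
    }'
}

# Step 7: one lower bound is enough; everything deleted on or after the time
# recorded in `history` is restored. A --before value smaller than --after
# would select nothing.
build_cmd() {
    printf 'extundelete --after %s --restore-all %s\n' "$2" "$1"
}

# Tie the checks together: refuse unless the filesystem is ext3/ext4 and is
# mounted read-only, then print the command to run as root.
plan_recovery() {
    dev="$1"; mount_line="$2"; deleted_at="$3"
    set -- $(mount_state "$mount_line")   # $1 = fstype, $2 = ro|rw
    fs_supported "$1" || { echo "unsupported filesystem: $1" >&2; return 1; }
    [ "$2" = ro ] || { echo "remount read-only first: mount -o remount,ro $dev" >&2; return 2; }
    build_cmd "$dev" "$(to_unix_ts "$deleted_at")"
}

# Constructed demo input: the post's device and deletion time, a made-up mounts line.
plan_recovery /dev/sda1 '/dev/sda1 / ext4 ro,relatime,errors=remount-ro 0 0' '2019-05-22 04:35:05'
```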

Copyright Mars 2019