Data Carving With dd

In this next example, we will use dd to carve a JPEG image from a chunk of raw data. By itself, this is not a real useful exercise. There are lots of tools out there that will “carve” files from forensic images, including a simple cut and paste from a hex editor. However, the purpose of this exercise is to help you become more familiar with dd. In addition, you will get a chance to use a number of other tools in preparation for the “carving”. This will help familiarize you further with linux toolbox. After you download

write command

root@bt:/media/Eddy/materi is2c/Day11# xxd image_carve.raw | less

looks like the following

it's really just a file full of random characters. Somewhere inside there is a standard JPEG image. Let's go through the steps we need to take to “recover” the picture file using dd and other Linux tools. We are going to stick with command line tools available in most default installations.

First we need a plan. How would we go about recovering the file? What are things we need to know to get the image (picture) out, and only the image? Imagine dd as a pair of scissors. We need to know where to put the scissors to start cutting, and we need to know where to stop cutting. Finding the start of the JPEG and the end of the JPEG can tell us this. Once we know where we will start and stop, we can calculate the size of the JPEG. We can then tell dd where to start cutting, and how much to cut. The output file will be our JPEG image. Easy, right? So here’s our plan, and the tools we’ll use:

1) Find the start of the JPEG (xxd and grep)

2) Find the end of the JPEG (xxd and grep)

3) Calculate the size of the JPEG (in bytes using bc)

4) Cut from the start to the end and output to a file (using dd)

This exercise starts with the assumption that we are familiar with standard file headers. Since we will be searching for a standard JPEG image within the data chunk, we will start with the stipulation that the JPEG header begins with hex ffd8 with a six-byte offset to the string “JFIF”. The end of the standard JPEG is marked by hex ffd9.Let’s go ahead with step 1: Using xxd, we pipe the output of our image_carve.raw file to grep and look for the start of the JPEG9 :

As the output shows, using grep we’ve found the pattern “ffd8” near the string “JFIF”. The start of a standard JPEG file header has been found. The offset (in hex) for the beginning of this line of xxd output is 00052a0. Now we can calculate the byte offset in decimal. For this we will use the bc command. bc is a command line “calculator”, useful for conversions and calculations. It can be used either interactively or take piped input. In this case we will echo the hex offset to bc, first telling it that the value is in base 16. bc will return the decimal value.

It’s important that you use uppercase letters in the hex value. Note that this is NOT the start of the JPEG, just the start of the line in xxd’s output. The “ffd8” string is actually located another 4 bytes farther into that line of output. So we add 4 to the start of the line. Our offset is now 21156. We have found and calculated the start of the JPEG image in our data chunk.

Now it’s time to find the end of the file. Since we already know where the JPEG starts, we will start our search for the end of the file from that point. Again using xxd and grep we search for the

string:

The –s 21156 specifies where to start searching (since we know this is the front of the JPEG, there’s no reason to search before it and we eliminate false hits from that region). The output shows the first “ffd9” at hex offset 0006c74. Let’s convert that to decimal:

We need to add 6 to the value to include the ffd9 (giving us 27766). Now that we know the start and the end of the file, we can calculate the size:

We now know the file is 6610 bytes in size, and it starts at byte offset 21156. The carving is the easy part! We will use dd with three options:

skip= how far into the data chuck we begin “cutting”.

bs= (block size) the number of bytes we include as a “block”.

count = the number of blocks we will be “cutting”.

The input file for the dd command is image_carve.raw. Obviously, the value of skip will be the offset to the start of the JPEG. The easiest way to handle the block size is to specify it as bs=1 (meaning one byte) and then setting count to the size of the file. The name of the output file is arbitrary.

You should now have a file in your current directory called eddys.jpg. Enough klik ls.

Ok, good try, & good luck