Using CAINE and Scalpel to restore .doc's from an image file
1. Select "Start"... Caine... Caine Interface
2. Click the "Create Report" button
3. Select the "Analysis" tab
4. Click the “Scalpel” button
5. Click the “Open input file” button
6. Select your image file (example: file system.. evidence… sda-img.dd)
7. Click “Select directory” button
8. Create a directory to save your output to
a. Select… File system… evidence…
b. Click “Create folder” button, type “scalpeloutput”
c. Click “OK” button
9. Open a terminal window, change to /evidence and check that the scalpeloutput directory exists (ls /evidence). If it does not, redo step 8. Scalpel refuses to write into an output directory that already contains files, so use a fresh, empty directory for every run.
10. Click the “Edit file” button (this opens scalpel.conf in Gedit; every file-type rule in it ships commented out)
a. Remove the pound/hash marks “#” in front of the “doc” entries. The rule keys on the OLE2 compound-file header d0 cf 11 e0 a1 b1 1a e1, which .xls and .ppt files share with .doc, so expect Office files of all three kinds to come out with a .doc extension.
b. Click the “Save” button
c. Exit Gedit “File… Quit”
11. Click the “Run Scalpel” button. Carved files land in numbered subdirectories under scalpeloutput (doc-0-0 and so on), and audit.txt in the output directory lists each carved file with its byte offset in the image.
Using a Hex editor to find file headers/footers for file types not listed in the scalpel.conf
1. Download or create several files of the type you wish to search for.
a. Go to www.google.com
b. Search for “filetype:docx” to search for MS Word 2007 file types
c. Use “Right Click… Save File As…” feature on the links that are .docx
2. Open the files in a Hex editor
a. Linux terminal window
b. xxd <filename>.docx | less
3. Document the first 13-15 bytes of the hex dump
a. (example: 50 4B 03 04 14 00 06 00 08 00 00 00 21)
b. Compare the dumps of all your sample files and keep only the bytes that are identical in every one. In the example, 50 4B 03 04 is the ZIP local file header signature (a .docx is a ZIP archive) and the bytes after it are the version, flags, compression method and timestamp fields; the CRC and size fields that follow differ from file to file and must not go into the signature, or the rule will match nothing.
4. Depending on the file type you may also need to document the last 13-15 bytes, to use as a footer. A ZIP-based file such as .docx ends with the end-of-central-directory record, which begins 50 4B 05 06.
5. Following the commented examples in scalpel.conf, add a line for the new file type. Each rule is whitespace-separated: extension, case sensitivity (y/n), maximum carve size in bytes, header, and an optional footer, with non-printable bytes written as \xNN escapes.
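The two procedures above (carving with a scalpel.conf rule, and deriving a header/footer for a new type from sample files) as an added worked example. This is Python written for this page, not code from the forum post, CAINE or Scalpel: it builds a small in-memory stand-in for sda-img.dd containing an OLE2-headed .doc blob and two constructed .docx-style ZIPs, derives the common header bytes the way step 3 describes, formats a scalpel.conf line, and carves with a simplified header/footer rule. The `tail` parameter of `carve` is my addition, not a Scalpel option.

```python
"""Added example (not code from the forum post or from CAINE/Scalpel): derive a
header/footer signature from sample files and carve with it, using a small
in-memory stand-in for sda-img.dd. Nothing here reads a real evidence image."""
from __future__ import annotations

import io
import struct
import zipfile
import zlib

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE2 compound file (.doc/.xls/.ppt)
ZIP_LOCAL = b"PK\x03\x04"                         # ZIP local file header: start of a .docx
ZIP_EOCD = b"PK\x05\x06"                          # ZIP end-of-central-directory: end of a .docx


def make_docx_like(payload: bytes, name: bytes = b"word/document.xml") -> bytes:
    """Constructed sample: a one-entry deflated ZIP with the field values Office
    uses (version 20, flags 6, mtime 0, mdate 0x21), so its first bytes match the
    forum post's example 50 4B 03 04 14 00 06 00 08 00 00 00 21."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate, as stored inside a ZIP
    data = comp.compress(payload) + comp.flush()
    crc = zlib.crc32(payload) & 0xFFFFFFFF
    local = ZIP_LOCAL + struct.pack("<HHHHHIIIHH", 20, 6, 8, 0, 0x21, crc,
                                    len(data), len(payload), len(name), 0) + name + data
    central = b"PK\x01\x02" + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 6, 8, 0, 0x21, crc,
                                          len(data), len(payload), len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = ZIP_EOCD + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


def derive_header(samples: list[bytes], max_len: int = 16) -> bytes:
    """Step 3 of the post done mechanically: keep only the leading bytes that are
    identical in every sample. CRCs, sizes and dates differ between files and
    would make the rule match nothing."""
    prefix = samples[0][:max_len]
    for s in samples[1:]:
        n = 0
        while n < min(len(prefix), len(s)) and prefix[n] == s[n]:
            n += 1
        prefix = prefix[:n]
    return prefix


def scalpel_conf_line(ext: str, header: bytes, footer: bytes | None = None,
                      max_size: int = 10_000_000) -> str:
    """Format a scalpel.conf rule: extension, case sensitivity, max size, header, optional footer."""
    esc = lambda b: "".join(f"\\x{c:02x}" for c in b)
    line = f"{ext}\ty\t{max_size}\t{esc(header)}"
    return line + (f"\t{esc(footer)}" if footer else "")


def carve(image: bytes, header: bytes, footer: bytes | None,
          max_size: int, tail: int = 0) -> list[tuple[int, bytes]]:
    """Header/footer carver following Scalpel's basic rule: each header starts a
    candidate; with a footer, the carve ends at the first footer within max_size
    (footer included); without one, the carve is max_size bytes. `tail` is not a
    Scalpel option: it is added here because a ZIP EOCD record is 22 bytes long
    and cutting right after the 4-byte signature leaves an unreadable .docx."""
    found = []
    pos = image.find(header)
    while pos != -1:
        end = min(len(image), pos + max_size)
        if footer:
            f = image.find(footer, pos + len(header), end)
            if f != -1:
                end = min(len(image), f + len(footer) + tail)
        found.append((pos, image[pos:end]))
        pos = image.find(header, pos + 1)
    return found


def docx_entry(blob: bytes, name: str = "word/document.xml") -> bytes:
    """Check a carved .docx: open it as a ZIP and return one entry (raises if truncated)."""
    return zipfile.ZipFile(io.BytesIO(blob)).read(name)


def build_image() -> tuple[bytes, list[bytes]]:
    """Constructed stand-in for sda-img.dd: filler, an OLE2-headed .doc blob, two .docx samples."""
    doc = OLE_MAGIC + bytes(504) + b"D" * 1024  # 512-byte OLE header plus a couple of sectors
    samples = [make_docx_like(b"<w:document>first</w:document>"),
               make_docx_like(b"<w:document>second, with more text</w:document>")]
    filler = b"\xff" * 512
    image = filler + doc + filler + samples[0] + filler + samples[1] + filler
    return image, samples


if __name__ == "__main__":
    image, samples = build_image()
    header = derive_header(samples)
    print("docx rule:", scalpel_conf_line("docx", header, ZIP_EOCD))
    for off, blob in carve(image, header, ZIP_EOCD, 10_000_000, tail=18):
        print(f"docx at offset {off}: {len(blob)} bytes, document.xml = {docx_entry(blob)!r}")
    for off, blob in carve(image, OLE_MAGIC, None, 2048):
        print(f"doc at offset {off}: {len(blob)} bytes (no footer, so max_size)")
```

Two things the run makes visible that the steps above only imply: the derived header is 14 bytes long (signature through the date field) because the CRC that follows differs between the two samples, and carving a .docx to the bare 50 4B 05 06 footer cuts 18 bytes off the end-of-central-directory record, so the carved file will not open until those bytes are kept. On a real .docx every entry inside the archive starts with 50 4B 03 04, so a 4-byte header rule produces one false candidate per entry; using the longer 14-byte prefix from the first entry is what keeps the rule selective.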
Similar topics
» CAINE 1.5 Installed to capture image file from CAINE 1.5 Live CD
» Using CAINE and AIR to image a suspect workstation
» What tool to restore a raw image to a physical disk
» CAINE v0.5 Installed to Hard Disk and Scalpel
» CAINE 1.5 Installed and Scalpel to carve files from the disk