Join Sandra Toner for an in-depth discussion in this video Recovering a deleted file in Linux, part of Computer Security: Investigation and Response.
- In this video, we'll talk about recovering deleted files in Linux. Deleted or lost files can sometimes be recovered from failed or formatted drives and partitions, CD-ROMs and memory cards, using the free software available in the Ubuntu repositories. The data's still recoverable because the information isn't immediately removed from the disk. In an earlier video, we talked about the srm command adding more security to the rm command.
Now remember, the rm command doesn't move the file into a trash directory, it deletes it completely. So, it's harder to get it back. Now let's go into Linux. I'm going to show you a way to get rid of files without permanently deleting them. To do this, we're going to install a package called the trash-cli package. We'll do this from the terminal. To open up a terminal, click on Ctrl+Alt+T. I'll start off by typing in the sudo command, because I'm going to need administrative privileges to install this package.
Next, I type in apt-get. Now I'll enter the install command, followed by the package name. The package name in this case is "trash-cli". Now I hit Enter. And because I used sudo, I need to type in my administrative password. Now that I've set that up, I'm going to create an alias for the RM command. To do this, I'll type in alias, rm, the equal sign, and trash.
The trash-cli package is a command line interface to the same trash that you'll see in your Gnome or KDE GUI. So, anything that you delete in the GUI you'll be able to access from the command line. And anything that you delete from the command line, you'll also be able to access from your GUI. Let's test this out. I'm going to create a document in the GUI and place it in the trash. Now I'll save the document to my desktop.
I'll give it a recognizable name. Now, I'm going to trash the document. Now that I've done that, I'm going to return to the terminal and see if I can list what's in the trash. You can see the only document that came up in my trash list is the document that I just created and put in the trash. Now that you've set this up, this is a great way for you to be able to work with your trash either through the terminal or the GUI, and not be permanently deleting your files.
Data carving is a forensics technique used to identify and extract file types from unallocated clusters using file signatures. The file signature is a constant numerical or text value used to identify a file format. Data carving can be used to recover data from a hard disk where the metadata may be missing or damaged. Let me tell you about a tool that supports data carving. The Foremost utility is a console program used to recover files based on their header/footer and internal data structures.
Foremost can work on most files generated by standard forensic tool suites, or you can apply it directly to a drive. The headers and footers can be specified in a configuration file, or you can use command line switches to specify built-in file types. The ones that are built in look at the data structures of a given file format, allowing for a more reliable and faster recovery. Much like the package we just installed in our Linux environment, you can install Foremost using the command "sudo apt-get install foremost".
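The header/footer matching that Foremost performs can be seen in a few dozen lines. The following is an added example written for this page, not Foremost's source and not code from the course: it scans a raw byte image with no file-system metadata at all, finds the standard JPEG and PNG magic values, and cuts each file out at its footer or, when the footer is missing, at a size cap, marking the result incomplete. The disk image it scans is constructed inline (filler bytes, one complete JPEG-shaped blob, one PNG-shaped blob whose footer was never written), so the byte contents are samples rather than real files.

```python
"""Signature-based file carving: the idea behind Foremost's header/footer mode.
Illustrative example code, not Foremost's own implementation."""
import re

# Magic values per type: (header, footer, size cap in bytes). The cap bounds
# how far we read when the footer is never found, as Foremost's config does.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 20 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 20 * 1024 * 1024),
}


def carve(image: bytes, signatures=SIGNATURES) -> list:
    """Return carved files as dicts: type, offset, size, data, complete."""
    found = []
    for ftype, (header, footer, cap) in signatures.items():
        last_end = 0  # skip headers nested inside a file already carved
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            if start < last_end:
                continue
            window = image[start:start + cap]
            # Look for the footer after the header; if absent, take the whole
            # window and flag the file as truncated.
            idx = window.find(footer, len(header))
            complete = idx != -1
            end = idx + len(footer) if complete else len(window)
            found.append({
                "type": ftype,
                "offset": start,
                "size": end,
                "data": image[start:start + end],
                "complete": complete,
            })
            if complete:
                last_end = start + end
    return sorted(found, key=lambda f: f["offset"])


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': filler, a complete JPEG-shaped blob,
    more filler, then a PNG-shaped blob whose IEND footer was never written."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-body-bytes" * 3 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"IHDR-and-chunks" * 4
    filler = b"\x00" * 64
    return filler + jpeg + filler + png + filler


def summarize(files: list) -> list:
    """One line per carved file, in the style of a carving tool's audit log."""
    return [
        f"{f['type']}\toffset={f['offset']}\tsize={f['size']}\t"
        f"{'complete' if f['complete'] else 'truncated'}"
        for f in files
    ]


if __name__ == "__main__":
    for line in summarize(carve(build_sample_image())):
        print(line)
```

Two points the example makes visible: the carver recovers the JPEG without ever consulting a directory entry or inode, which is why it still works when metadata is damaged; and a file whose footer is gone is still recovered up to the cap but reported as truncated, so an examiner knows the artifact may be partial before relying on it.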
I've used Foremost to recover damaged hard disk information with both the NTFS file system and the FAT-32 file system in a Nokia phone. Linux is great for forensics because it has a lot of built-in tools that support investigation. I recommend spending some time becoming familiar with these tools in addition to the Linux logs and directories, so you can perform your investigations on Linux more efficiently. In the next chapter, I'll describe some tool suites and resources that you can add to your forensics lab.
This course covers the basics of computer forensics and cyber crime investigation. Author Sandra Toner provides an overview of forensic science, and discusses best practices in the field and the frameworks professionals use to conduct investigations. Then, after showing how to set up a simple lab, Sandra describes how to respond to a cyber incident without disturbing the crime scene. She dives deep into evidence collection and recovery, explaining the differences between collecting evidence from Windows, Mac, and Linux machines. The course wraps up with a look at some of the more commonly used computer forensics software tools.
- Applying science to digital investigations
- Understanding forensic frameworks
- Defining cyber crime: harassment, hacking, and identity theft
- Setting up a forensic lab
- Responding to cyber incidents
- Collecting and recovering evidence
- Examining networks for evidence
- Applying forensics to Windows, Mac, and Linux
- Working with forensics tools