Recently, while examining an image with the contents of an external hard drive in an exploitation case, we ran into some difficulty viewing the data on the drive at a logical level. No matter the forensic tool we used, we were unable to mount the partitions in the image so that we could see the directory structure of the volume. After some analysis we discovered that the master boot record (MBR) was corrupt. Viewing the directory structure of a volume in a drive with a corrupt MBR is not impossible, but often it will not happen until the partition table is fixed. Fixing the partition table in the image or on a restored drive would mean changing the original evidence. We wanted to see the directory structure without changing any data, and we found a program that does just that. We wrote this article to talk about the tool that we used to accomplish this. We hope that someday it can help you too.
Although not as user-friendly as the commercial tools, Testdisk will let you accomplish the same tasks as its more expensive counterparts. We like this tool because it can recover lost partitions and repair boot sectors for many of the file systems normally found on Windows, Mac and Linux. Testdisk is powerful and free, and it comes preinstalled on forensic Linux live CDs such as Blackbuntu.
You can use a live CD bundled with Testdisk to accomplish this task, but for the purposes of this article I used an examination computer with Ubuntu 12.04 installed on it.
The plan is to recreate the steps that lead to a disk becoming unreadable: we will write data to a volume, damage the disk's partition table, and finally use Testdisk to recover the data from the damaged disk without fixing the disk.
Installing the tools:
All of the tools that we will use are either included in Ubuntu by default or can be downloaded from the Ubuntu Software Center. The tools we need to recreate the test are shred, dd, hexedit, gparted and testdisk. shred and dd are part of Ubuntu's default install (both belong to GNU coreutils), so let's head over to the Ubuntu Software Center for the other three.
Click on the Dash Home circle, located on the top left of your screen, type in “software” and click on the Ubuntu Software Center icon that will appear.
After the Ubuntu Software Center opens, you will see a search box in the top-right corner of the window. Type “hexedit” and click on the Install button. You will be prompted for your password; enter it and wait for the program to install. (Ubuntu has no separate root password by default: administrative actions are authorized with your own account password through sudo.)
Once hexedit is installed, search for gparted and testdisk. Install gparted and testdisk as well.
Now that you have the tools we need, close the Ubuntu Software Center. The next step is to prepare a working folder for our files. Right-click on your desktop, select “Create New Folder” and name it “Test”. Copy any two small files into it. I chose two small txt files, one named TEST1.txt and the other TEST2.txt.
To recreate the test I will be using a 256MB Flash Drive. Pretty small huh… I have had it for over ten years and I paid $100 for it back then. When testing software, smaller drives take less time to wipe.
Since we are going to add data to this media and then examine it, we should sterilize it first. Sterilizing a drive means writing a known value to every sector of the media so that any data that previously resided on it is overwritten; anything we find afterwards can then be attributed to our test rather than to leftovers from earlier use. For the purposes of this article we will use shred, which is run only from the command line. Make sure your test media is inserted into the computer and open a terminal window. In Ubuntu you can do this by pressing Ctrl-Alt-T or by going to the Dash Home and typing “terminal”.
Once the terminal window is open, type the following to determine which device name Ubuntu assigned to the test media.
sudo fdisk -l
fdisk is a partition table manipulator for Linux; the -l flag tells it to list the partition tables of all the devices it can see. sudo runs fdisk with superuser privileges. Press Enter and type your password if prompted.
Ubuntu assigned the media /dev/sdb, and /dev/sdb1 is the partition currently on it. Do not pay much attention to that partition; we will be wiping it shortly. Do pay attention to the device name: shred writes to whatever device you give it, so confirm that the size fdisk reports for /dev/sdb matches your test media and not one of the computer's fixed disks.
Now that we know the media’s drive assignment, type the following into the terminal to wipe/sterilize it.
sudo shred -v -n 0 -z /dev/sdb
shred is the wiping program. The flag -v shows progress; -n sets how many passes of random data are written instead of the default 3. I wrote a 0, because I didn’t want to overwrite the drive with random data. The -z flag adds a final overwrite with zeros (normally to hide the fact that shredding took place); for the purposes of this test one overwrite with zeros is all that we need. /dev/sdb is the test media. sudo gives shred superuser privileges for the operation. Press Enter and type your password if prompted.
Our media has been sterilized by writing zeros to the entire drive, from the first sector to the last. One caveat: on flash media the controller's wear levelling may keep copies of old data in spare blocks that are not addressable from the host, so this wipes every sector the operating system can reach, which is all our logical-level test needs. Now we need to format the media. Remove it from the computer and insert it again so the kernel re-reads it, then type the following into the terminal window.
sudo gparted
Gparted is the GNOME partition editor for manipulating disk partitions; a GUI will open. Make sure you select your media, which should be the /dev/sdb device, and format it as FAT32.
Now that the drive is formatted, copy the two files from the Test folder into the media.
After the files have been copied, delete one. I chose to delete TEST2.txt.
The test media is now ready to be damaged. We will damage it by deleting the entire master boot record. The MBR occupies physical sector 0 of the drive and holds the boot code, the four-entry master partition table (bytes 446 to 509) and the two-byte signature 0x55AA in the last two bytes of the sector (bytes 510 and 511, stored as 55 AA). Without it the operating system has no partition table to read, so partitioned media often becomes unrecognizable. Type the following into the terminal window.
sudo hexedit -s /dev/sdb
hexedit is a hex editor for Linux. The flag -s puts hexedit in sector mode, so it displays whole sectors at a time. sudo gives hexedit superuser privileges, which it needs to open the raw device. Press Enter and type your password if prompted. What you see is the MBR of the test media. Look at the bottom of the terminal window: it tells you this is sector 0 of /dev/sdb. Also notice that the sector ends with the signature bytes 55 AA.
Now overwrite the entire sector with zeros: in the hex pane, type 00 over every byte of the sector, signature included. Press F2 to save the changes, then press Ctrl-C to exit.
Now change into the Test folder we created earlier on the desktop, using the cd command. Type the following into the terminal, replacing “carlos” with the name of the user account you are currently logged on as, and press Enter. The prompt should then show the new directory.
carlos@XPS-M1330:~$ cd /home/carlos/Desktop/Test/
Type the following into the terminal.
sudo dd if=/dev/sdb of=test.dd
dd is a common Linux program whose primary purpose is the low-level copying and conversion of raw data. if= names the file to read from (here the raw device) and of= the file to write to. sudo gives dd superuser privileges, which it needs to read the device. Press Enter and type your password if prompted.
This copies every sector on the media into a file named test.dd in our current directory, the Test folder. On real evidence you would also hash the device and the image (for example with sha256sum) and compare the two, so you can show that the copy is complete and unchanged.
Now that we have an image of the test media, you can remove the media from the computer. Type the following into the terminal.
hexedit -s test.dd
We use hexedit again, this time to look at the first sector of the image we just created. Look at the bottom of the terminal window: this is sector 0 of test.dd, and it contains nothing but zeros. Great!
Type the following into the terminal.
sudo testdisk test.dd
We finally get to Testdisk, a scan-and-repair partition tool for Windows, Mac and Linux. It is a terminal-based tool driven with the up, down, left and right arrow keys, with Enter to proceed; press Q at any time to go back or exit the program. Testdisk recognizes the physical hard drives in the computer as well as USB storage devices, or, as in this case, you can point it at an image file and it will recognize that too. Press Enter to proceed.
Testdisk will ask you to select the partition table type. For FAT32 and NTFS drives partitioned in the usual PC way, select Intel/PC partition (the MBR layout). Press Enter to proceed.
Select Analyse and press enter.
Notice that Testdisk took a peek at sector 0 and reports that our image does not contain a valid partition table. Select Quick Search and press Enter. Testdisk then asks whether it should also search for partitions created under Vista or later, which are aligned differently from older partitions.
I answered “yes” to this question.
Testdisk found our lost partition. Look at the bottom of the screen, then press P to list the files in the partition.
Testdisk sees the two files we added to the media prior to imaging it. It is even able to see the deleted file, because deleting a file on a FAT volume only marks its directory entry as free (the first byte of the entry is set to 0xE5) and leaves the entry and the data clusters in place. From here, follow the instructions at the bottom of the screen to copy out any of the files in the volume; the files are copied out of the image, and the image itself is not modified.
Testdisk found the partition even without a valid partition table pointing at the beginning of the volume, because it scans the disk for boot sectors and file-system structures and rebuilds the layout from what it finds, and nothing in the image was changed in the process. This is a powerful tool that can help you in your investigation like it did in mine.
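The whole experiment, scripted as an added example that is not part of the original article, run against a small image file instead of a USB stick. It builds a synthetic image with an MBR and a minimal FAT32-style boot sector (constructed test data: the boot sector carries only the fields inspected here and is not a mountable file system), parses the partition entry out of the MBR, zeroes sector 0 exactly as the hexedit step does, and then scans every sector for a boot-sector signature the way Testdisk's Quick Search does, to show why the volume can still be found afterwards. The function names, the image layout (one partition starting at LBA 64) and the scanner are this example's own, not Testdisk's code; only POSIX tools (dd, od, printf, cut, tr) are used.

```shell
#!/bin/sh
# Added example, not code from the original article: a scripted replay of the
# MBR experiment on a small image file. All sizes and offsets are constructed
# test values, not taken from a real drive.

SECTOR=512
IMAGE_SECTORS=512    # 256 KiB image
PART_START=64        # LBA of the synthetic FAT32 volume boot record
PART_SIZE=448        # sectors in the partition

# le32 N: emit N as four little-endian bytes, each as an octal escape for printf.
le32() {
    printf '\\%03o\\%03o\\%03o\\%03o' \
        $(( $1 & 255 )) $(( ($1 >> 8) & 255 )) $(( ($1 >> 16) & 255 )) $(( ($1 >> 24) & 255 ))
}

# le32_to_dec HEX8: decode 8 hex digits read as little-endian bytes (40000000 -> 64).
le32_to_dec() {
    _b0=$(printf %s "$1" | cut -c1-2); _b1=$(printf %s "$1" | cut -c3-4)
    _b2=$(printf %s "$1" | cut -c5-6); _b3=$(printf %s "$1" | cut -c7-8)
    echo $(( 0x$_b3$_b2$_b1$_b0 ))
}

# write_bytes IMG OFFSET FORMAT: write printf-style bytes at a byte offset, no truncation.
write_bytes() {
    printf "$3" | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# read_hex IMG OFFSET LEN: dump LEN bytes at OFFSET as one lowercase hex string.
read_hex() {
    od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# make_test_image IMG: zero-filled image with an MBR and a minimal FAT32-style boot
# sector. The boot sector only carries the fields the scanner below checks (OEM
# name, total sectors, label at offset 82, signature at 510); it is not mountable.
make_test_image() {
    dd if=/dev/zero of="$1" bs="$SECTOR" count="$IMAGE_SECTORS" 2>/dev/null
    # MBR partition entry 1 occupies bytes 446..461:
    #   status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
    write_bytes "$1" 450 '\014'                            # type 0x0C = FAT32 (LBA)
    write_bytes "$1" 454 "$(le32 "$PART_START")"
    write_bytes "$1" 458 "$(le32 "$PART_SIZE")"
    write_bytes "$1" 510 '\125\252'                        # 0x55 0xAA boot signature
    _vbr=$(( PART_START * SECTOR ))
    write_bytes "$1" "$_vbr" '\353\130\220MSWIN4.1'        # jump + OEM name
    write_bytes "$1" $(( _vbr + 32 )) "$(le32 "$PART_SIZE")"   # BPB total sectors
    write_bytes "$1" $(( _vbr + 82 )) 'FAT32   '           # file-system type label
    write_bytes "$1" $(( _vbr + 510 )) '\125\252'
}

# mbr_is_valid IMG: true when sector 0 ends with the 0x55AA signature.
mbr_is_valid() {
    [ "$(read_hex "$1" 510 2)" = "55aa" ]
}

# mbr_partition_entry IMG: print "type start size" for partition entry 1.
mbr_partition_entry() {
    printf '%s %d %d\n' "$(read_hex "$1" 450 1)" \
        "$(le32_to_dec "$(read_hex "$1" 454 4)")" "$(le32_to_dec "$(read_hex "$1" 458 4)")"
}

# zero_mbr IMG: the non-interactive equivalent of typing zeros over sector 0 in hexedit.
zero_mbr() {
    dd if=/dev/zero of="$1" bs="$SECTOR" count=1 conv=notrunc 2>/dev/null
}

# find_boot_sectors IMG: a crude version of what Testdisk's Quick Search does. Prints
# the LBA of every sector that ends in 55 AA and carries "FAT32   " at offset 82,
# i.e. every FAT32 volume boot record, whatever the partition table says.
find_boot_sectors() {
    _n=$(( $(wc -c < "$1") / SECTOR ))
    _lba=0
    while [ "$_lba" -lt "$_n" ]; do
        _off=$(( _lba * SECTOR ))
        if [ "$(read_hex "$1" $(( _off + 510 )) 2)" = "55aa" ] &&
           [ "$(read_hex "$1" $(( _off + 82 )) 8)" = "4641543332202020" ]; then
            echo "$_lba"
        fi
        _lba=$(( _lba + 1 ))
    done
}

# demo: run the whole experiment on a temporary image and narrate each step.
demo() {
    _img="${TMPDIR:-/tmp}/mbr_demo.$$.img"
    make_test_image "$_img"
    for _step in before after; do
        if [ "$_step" = "after" ]; then zero_mbr "$_img"; fi
        if mbr_is_valid "$_img"; then _v=yes; else _v=no; fi
        echo "$_step zeroing sector 0: signature valid: $_v; entry 1 (type start size): $(mbr_partition_entry "$_img")"
        echo "  FAT32 boot sectors found by scanning: $(find_boot_sectors "$_img" | tr '\n' ' ')"
    done
    rm -f "$_img"
}

demo
```

Run it with sh mbr_demo.sh. Before the wipe the MBR reports a type 0x0C partition at LBA 64 and the scan finds the boot record at 64; after the wipe the MBR reads as all zeros, yet the scan still reports 64, which is the structure Testdisk rebuilds the partition from. The same functions work on a real dd image (for example find_boot_sectors test.dd), but the sector-at-a-time scan spawns a process per sector and is only practical for small images.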
If this procedure worked for your case, and you are able to use it in the course of your investigation, we would like to hear from you. Please post your comments or email the author of this article at firstname.lastname@example.org