Simulating File Recovery and Incident Responses Scenario


Anti-forensics is the act of preventing information from being accessed or recovered, whether to evade an investigator or, in a legitimate way, to protect data. This post explains it as a narrative combined with a how-to, so that it is easier for the reader to follow; I hope it works as I intend.

Zuhri  |  12 min read

Introduction #

Anti-forensics is the act of preventing information from being accessed or recovered, whether to evade an investigator or, in a legitimate way, to protect data.

Of course it seems illegal, but think of a knife: a knife is sharp, and something sharp can be used to cut or to stab; that something can be anything, including a human, but humans should not put each other in danger. The idea of this post is that society should know what data really is: it is not as simple as removing or deleting something from the drive and then it is gone.

This post starts with how data can be recovered after it has merely been "deleted". That means that if you lose access to the drive, or lose the drive itself, there is a real chance the data can be recovered, and it can then be used in the wrong way by someone who is not doing "good things"!

Methodology #

First we create the case by filling the drive with some information. This how-to is reproduced on my own property.

Requirements #

These are the things we use in our methodology.

  • Laptop: Linux powered (used to SSH into the server).
  • Redacted drive: generic 2GB microSD card.
  • SBC server: Linux powered.

Drive Identifying #

My server identifies the card reader holding the redacted drive as Bus 001 Device 003: ID 05e3:0736 Genesys Logic, Inc. Colour arc SD Card Reader [PISEN].

[ root@server: ~ ]
└# lsusb
Bus 002 Device 002: ID 11b0:3306 ATECH FLASH TECHNOLOGY UHS-II SD Reader
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 05e3:0736 Genesys Logic, Inc. Colour arc SD Card Reader [PISEN]
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

/dev/sdb is the location of the drive on my server.

[ root@server: ~ ]
└# fdisk -l
Disk /dev/sdb: 1.84 GiB, 1979711488 bytes, 3866624 sectors
Disk model: STORAGE DEVICE
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: E7059FBB-D001-C54B-B439-D0DAB999EDD1

Device     Start     End Sectors  Size Type
/dev/sdb1   2048 3866590 3864543  1.8G Linux filesystem

This drive is empty and mounted at /root/sdcard.

[ root@server: sdcard ]
└# df -h
Filesystem      Size  Used Avail Use% Mounted on
udev            1.7G     0  1.7G   0% /dev
tmpfs           366M  7.4M  359M   3% /run
/dev/mmcblk2p2   28G  3.5G   25G  13% /
tmpfs           1.8G     0  1.8G   0% /dev/shm
tmpfs           5.0M     0  5.0M   0% /run/lock
tmpfs           1.8G     0  1.8G   0% /tmp
tmpfs            50M   12K   50M   1% /var/log
/dev/mmcblk2p1  510M  155M  356M  31% /boot
/dev/sdb1       1.9G  4.0K  1.9G   1% /root/sdcard #this is the drive (microsd)

[ root@server: sdcard ]
└# pwd
/root/sdcard

[ root@server: sdcard ]
└# ls -la
total 8
drwxr-xr-x 2 root root 4096 Jan  1  1970 .
drwx------ 6 root root 4096 Apr 11 16:00 ..

Create Case #

What we do now is fill this drive with some information.

[ root@server: sdcard ]
└# pwd
/root/sdcard

[ root@server: sdcard ]
└# file *
fav.png:     PNG image data, 3264 x 3264, 8-bit/color RGBA, non-interlaced
file0.txt:   ASCII text
file.pdf:    PDF document, version 1.6 (password protected)
file.png:    PNG image data, 1366 x 768, 8-bit/color RGB, non-interlaced
file.txt:    ASCII text
public0.mp4: ISO Media, MP4 v2 [ISO 14496-14]
public.mp4:  ISO Media, MP4 Base Media v1 [IS0 14496-12:2003]

[ root@server: sdcard ]
└# cat file.txt
Hi, this is redacted 2GB drive what we use in our posts.

The next step is the most important one: record the signature of every file as a hash value and put those values into hash.txt.

[ root@server: sdcard ]
└# md5sum * | tee hash.txt
b286ff3890f983771306830e4f6a3124  fav.png
39c99989b49f21b081a562a68e6725fa  file0.txt
4e34290b25a81c1132b46be57d181ad4  file.pdf
8df40f3ddc6a41d669b340aca92cacdc  file.png
ebf111ea1445619bd763e2c2cd86cff2  file.txt
f58a1f438be27942cd27fd8900c895d3  public0.mp4
8485cb696c4ad7e890b31e6a38cf9896  public.mp4

[ root@server: sdcard ]
└# ls -la hash.txt
-rwxr-xr-x 1 root root 306 Apr 11 16:29 hash.txt

That is not enough. To be more confident that a recovered file really is the one we created, we also hash hash.txt itself, so that we can later check that it was recovered without any change; that result is stored on another drive in a file named hash4hash.txt.

[ root@server: sdcard ]
└# md5sum hash.txt | tee ../hash4hash.txt
02df7406ef25ecbcc01e9073d43bb9ad  hash.txt

[ root@server: sdcard ]
└# ls -la ../hash4hash.txt
-rw-r--r-- 1 root root 43 Apr 11 16:41 ../hash4hash.txt

[ root@server: sdcard ]
└# cat ../hash4hash.txt
02df7406ef25ecbcc01e9073d43bb9ad  hash.txt
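The manifest and hash-of-manifest scheme above, written out as reusable shell functions. This is an added example, not the post's own commands: the directory layout and sample files are constructed inside the script, and the function names (make_manifest, verify_manifest, seal_manifest, check_seal) are my own.

```shell
#!/bin/sh
# Added example, not the post's own commands: build an md5 manifest of a
# directory (the hash.txt step), verify the directory against it, then seal
# the manifest by hashing it into a file kept on a different drive (the
# hash4hash.txt step). Directory layout and sample files are constructed.

# make_manifest DIR OUT
# Writes "md5  ./relative/path" for every regular file under DIR into OUT.
# -type f skips directories, the manifest's own name is excluded so that a
# re-run does not hash the previous manifest, and the sorted order keeps the
# manifest byte-identical across runs, which is what makes hashing it useful.
make_manifest() {
    tmp=$(mktemp)
    ( cd "$1" && find . -type f ! -name "$(basename "$2")" | LC_ALL=C sort |
        while IFS= read -r f; do md5sum "$f"; done ) > "$tmp"
    mv "$tmp" "$2"
}

# verify_manifest DIR MANIFEST
# Recomputes every hash listed in MANIFEST relative to DIR; exit status 0
# only if every file is present and unchanged (md5sum -c does the compare).
verify_manifest() {
    m=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ( cd "$1" && md5sum -c --quiet "$m" )
}

# seal_manifest MANIFEST SEAL
# Stores "md5  manifest-name" in SEAL. SEAL should live on another drive, so
# that a modified manifest on the original drive is still detectable.
seal_manifest() {
    ( cd "$(dirname "$1")" && md5sum "$(basename "$1")" ) > "$2"
}

# check_seal MANIFEST SEAL
# Exit status 0 if the manifest still matches the hash recorded in SEAL.
check_seal() {
    s=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    ( cd "$(dirname "$1")" && md5sum -c --quiet "$s" )
}

# Stand-alone demo on a constructed "drive": three files, then one of them
# is modified so that the verification is shown failing.
demo() {
    work=$(mktemp -d)
    mkdir "$work/sdcard"
    printf 'Hi, this is a constructed sample file.\n' > "$work/sdcard/file.txt"
    printf 'second sample\n' > "$work/sdcard/file0.txt"
    : > "$work/sdcard/empty.bin"

    make_manifest "$work/sdcard" "$work/sdcard/hash.txt"
    seal_manifest "$work/sdcard/hash.txt" "$work/hash4hash.txt"   # the "other drive"
    verify_manifest "$work/sdcard" "$work/sdcard/hash.txt" && echo "files verified"
    check_seal "$work/sdcard/hash.txt" "$work/hash4hash.txt" && echo "manifest sealed"

    printf 'tampered\n' >> "$work/sdcard/file.txt"
    verify_manifest "$work/sdcard" "$work/sdcard/hash.txt" || echo "tamper detected"
    rm -rf "$work"
}
demo
```

Run it as `sh manifest.sh`. The sort step matters: `md5sum *` as used in the post depends on the shell's glob order, so two manifests of the same files can differ byte for byte and the hash-of-hash would then fail for no real reason. MD5 is adequate here as a checksum against accidental change, but not against someone who can deliberately craft colliding files; `sha256sum` accepts the same `-c` manifest format and is a drop-in replacement.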

Create an incident #

Alright, now that the case is created, we will try to destroy the data. But hold on: before doing that, let's clone the drive. Why? Because a good DFIR specialist works from a verified copy, never the original; that is the ethical way to do it.

[ root@server: ~ ]
└# dd if=/dev/sdb of=sdcard.img status=progress
1967636992 bytes (2.0 GB, 1.8 GiB) copied, 114 s, 17.3 MB/s
3866624+0 records in
3866624+0 records out
1979711488 bytes (2.0 GB, 1.8 GiB) copied, 114.69 s, 17.3 MB/s

[ root@server: ~ ]
└# ls -la sdcard.img
-rw-r--r-- 1 root root 1979711488 Apr 11 17:00 sdcard.img

[ root@server: ~ ]
└# md5sum sdcard.img
73a8c7dd2d99212e7cb992b7f8f48f88  sdcard.img

The clone of the original drive will later be compared with the affected drive, to verify that the drive has been changed. Then what? Let's destroy it: delete every file in /root/sdcard, so the mounted drive is affected.

[ root@server: sdcard ]
└# ls
fav.png  file0.txt  file.pdf  file.png  file.txt  hash.txt  public0.mp4  public.mp4

[ root@server: sdcard ]
└# rm -rf *

[ root@server: sdcard ]
└# ls

[ root@server: sdcard ]
└# ls -la
total 8
drwxr-xr-x 2 root root 4096 Jan  1  1970 .
drwx------ 6 root root 4096 Apr 11 16:58 ..

[ root@server: sdcard ]
└# pwd
/root/sdcard

Then GONE!!!

Incident Response (Recovering) #

Now it is time to prove that merely deleted data can be recovered! Let's assume we lost the drive, or we no longer need it, so we throw it in the trash or sell it to someone. Then someone with a bit of "knowledge" owns that drive and wants to recover what is inside. The first thing he does is clone the drive into a file, affected_sdcard.img.

[ root@server: ~ ]
└# dd if=/dev/sdb of=affected_sdcard.img status=progress
1970102784 bytes (2.0 GB, 1.8 GiB) copied, 115 s, 17.1 MB/s
3866624+0 records in
3866624+0 records out
1979711488 bytes (2.0 GB, 1.8 GiB) copied, 115.55 s, 17.1 MB/s

[ root@server: ~ ]
└# ls -l
total 3866640
-rw-r--r-- 1 root root 1979711488 Apr 11 17:36 affected_sdcard.img
-rw-r--r-- 1 root root         43 Apr 11 16:41 hash4hash.txt
drwxr-xr-x 2 root root       4096 Jan  1  1970 sdcard
-rw-r--r-- 1 root root 1979711488 Apr 11 17:00 sdcard.img

Then he unplugs the affected drive and works only on the cloned affected_sdcard.img file; he verifies the signature of this file and creates a second copy as a backup.

[ root@server: ~ ]
└# md5sum *.img
166048b423899e3c8a176a1fd1bcdedd  affected_sdcard.img
73a8c7dd2d99212e7cb992b7f8f48f88  sdcard.img

[ root@server: ~ ]
└# cp affected_sdcard.img affected_sdcard.img.backup

[ root@server: ~ ]
└# ls -l
total 5799956
-rw-r--r-- 1 root root 1979711488 Apr 11 17:36 affected_sdcard.img
-rw-r--r-- 1 root root 1979711488 Apr 11 17:48 affected_sdcard.img.backup
-rw-r--r-- 1 root root         43 Apr 11 16:41 hash4hash.txt
drwxr-xr-x 2 root root       4096 Jan  1  1970 sdcard
-rw-r--r-- 1 root root 1979711488 Apr 11 17:00 sdcard.img

As you can see, the hash values of sdcard.img and affected_sdcard.img are different.

File Name            File Hash
sdcard.img           73a8c7dd2d99212e7cb992b7f8f48f88
affected_sdcard.img  166048b423899e3c8a176a1fd1bcdedd

What does that mean? It means that the files we destroyed changed the hash value of the image. Hash values are used for digital integrity, to detect that something was tampered with. What is the next step? Recovery time!

This is what we need to type. As I said before, he works on the cloned affected image, and first he checks what type of filesystem it is.

[ root@server: ~ ]
└# file *.img
affected_sdcard.img: DOS/MBR boot sector; partition 1 : ID=0x83, start-CHS (0x0,33,3), end-CHS (0x3fe,22,56), startsector 2048, 3864576 sectors, extended partition table (last)
sdcard.img:          DOS/MBR boot sector; partition 1 : ID=0x83, start-CHS (0x0,33,3), end-CHS (0x3fe,22,56), startsector 2048, 3864576 sectors, extended partition table (last)

By knowing the filesystem type, he can pick the tool that best fits this case. In this case it is a DOS/MBR boot sector, meaning the format of the boot sector; a boot sector needs to be a FAT filesystem to boot, so it can be FAT12/16/32, and he will try to recover what is inside. Note that fdisk earlier reported a gpt disklabel with a partition of type Linux filesystem (ID 0x83), and that photorec carves files by their content signatures rather than by walking the filesystem, so it recovers files regardless of which filesystem held them. Here is what he does!

[ root@server: ~ ]
└# md5sum affected_sdcard.img
166048b423899e3c8a176a1fd1bcdedd  affected_sdcard.img

[ root@server: ~ ]
└# mkdir prove_cases

[ root@server: ~ ]
└# photorec affected_sdcard.img
Disk affected_sdcard.img - 1979 MB / 1888 MiB (RO)
     Partition                  Start        End    Size in sectors
 1 P Linux                    0  32 33   240 174 62    3864576


16688 files saved in /root/prove_cases/recup_dir directory.
Recovery completed.

The command up there checks again that affected_sdcard.img is still the same as before. Next he creates a directory for the recovered files, then runs photorec, which reports 16688 files recovered and saved under /root/prove_cases. After that he goes to /root/prove_cases and works there.

[ root@server: prove_cases ]
└# pwd
/root/prove_cases

[ root@server: prove_cases ]
└# ls
recup_dir.1   recup_dir.12  recup_dir.15  recup_dir.18  recup_dir.20  recup_dir.23  recup_dir.26  recup_dir.29  recup_dir.31  recup_dir.34  recup_dir.6  recup_dir.9
recup_dir.10  recup_dir.13  recup_dir.16  recup_dir.19  recup_dir.21  recup_dir.24  recup_dir.27  recup_dir.3   recup_dir.32  recup_dir.4   recup_dir.7
recup_dir.11  recup_dir.14  recup_dir.17  recup_dir.2   recup_dir.22  recup_dir.25  recup_dir.28  recup_dir.30  recup_dir.33  recup_dir.5   recup_dir.8


[ root@server: prove_cases ]
└# find . | head -n 10 ; find . | wc -l ; ls -l | wc -l
.
./recup_dir.34
./recup_dir.34/f3266560.elf
./recup_dir.34/f2630096.txt
./recup_dir.34/f2631000.sh
./recup_dir.34/f2630088.txt
./recup_dir.34/f3170512.txt
./recup_dir.34/f2630576.txt
./recup_dir.34/f2630384.sh
./recup_dir.34/f2422832.sh
16724
35

As you can see, "lots of directories here", he said; find lists 16724 entries. So why does that number differ from the one above?

That is because:
16724 - 16688 = 36

So what is 36? It is the directories, plus the dot (.) entry printed by find, plus the "total" line printed by ls -l. Here is the proof.

# the find anomaly
[ root@server: prove_cases ]
└# find . | head -n 1
.                       #This line counts as 1

[ root@server: prove_cases ]
└# find . | head -n 1 | wc -l
1

# the ls anomaly
[ root@server: prove_cases ]
└# ls -l | head -n 1
total 664               #This line counts as 1

[ root@server: prove_cases ]
└# ls -l | head -n 1 | wc -l
1

So, 36 - 1 - 1 = 34 directories.

EZ aight?

Then the next step: how can he find the correct ones among all those files? If we go back to the top, there were only about 7 files; 7 out of 16688, how can he find them?

Here is how! Let's assume he has the hash4hash.txt file from before, and he uses it to find the recovered file whose signature matches hash.txt.

[ root@server: ~ ]
└# pwd
/root

[ root@server: ~ ]
└# cat hash4hash.txt
02df7406ef25ecbcc01e9073d43bb9ad  hash.txt

The file above is the output we created before.

Then he uses the hash of hash.txt to find which of all those files has the correct signature.

[ root@server: prove_cases ]
└# md5sum $( find . ) | grep "02df7406ef25ecbcc01e9073d43bb9ad"
md5sum: .: Is a directory
md5sum: ./recup_dir.34: Is a directory
md5sum: ./recup_dir.18: Is a directory
md5sum: ./recup_dir.4: Is a directory
md5sum: ./recup_dir.10: Is a directory
md5sum: ./recup_dir.32: Is a directory
md5sum: ./recup_dir.15: Is a directory
md5sum: ./recup_dir.19: Is a directory
md5sum: ./recup_dir.14: Is a directory
md5sum: ./recup_dir.30: Is a directory
md5sum: ./recup_dir.27: Is a directory
md5sum: ./recup_dir.21: Is a directory
md5sum: ./recup_dir.33: Is a directory
md5sum: ./recup_dir.13: Is a directory
md5sum: ./recup_dir.3: Is a directory
md5sum: ./recup_dir.1: Is a directory
02df7406ef25ecbcc01e9073d43bb9ad  ./recup_dir.1/f0350056.txt
md5sum: ./recup_dir.9: Is a directory
md5sum: ./recup_dir.8: Is a directory
md5sum: ./recup_dir.6: Is a directory
md5sum: ./recup_dir.31: Is a directory
md5sum: ./recup_dir.24: Is a directory
md5sum: ./recup_dir.11: Is a directory
md5sum: ./recup_dir.28: Is a directory
md5sum: ./recup_dir.26: Is a directory
md5sum: ./recup_dir.2: Is a directory
md5sum: ./recup_dir.12: Is a directory
md5sum: ./recup_dir.22: Is a directory
md5sum: ./recup_dir.17: Is a directory
md5sum: ./recup_dir.29: Is a directory
md5sum: ./recup_dir.20: Is a directory
md5sum: ./recup_dir.16: Is a directory
md5sum: ./recup_dir.5: Is a directory
md5sum: ./recup_dir.7: Is a directory
md5sum: ./recup_dir.25: Is a directory
md5sum: ./recup_dir.23: Is a directory
[ root@server: prove_cases ]
└#

That matches, let's go! Then how to prove it? Here it is.

[ root@server: prove_cases ]
└# cp ./recup_dir.1/f0350056.txt .

[ root@server: prove_cases ]
└# ls -la f0350056.txt
-rw-r--r-- 1 root root 306 Apr 11 20:56 f0350056.txt

[ root@server: prove_cases ]
└# cat f0350056.txt
b286ff3890f983771306830e4f6a3124  fav.png
39c99989b49f21b081a562a68e6725fa  file0.txt
4e34290b25a81c1132b46be57d181ad4  file.pdf
8df40f3ddc6a41d669b340aca92cacdc  file.png
ebf111ea1445619bd763e2c2cd86cff2  file.txt
f58a1f438be27942cd27fd8900c895d3  public0.mp4
8485cb696c4ad7e890b31e6a38cf9896  public.mp4

Here is the list of signatures of the previous files. Then he tries to retrieve all of them with this command.

[ root@server: prove_cases ]
└# md5sum $( find . ) | grep "b286ff3890f983771306830e4f6a3124\|39c99989b49f21b081a562a68e6725fa\|4e34290b25a81c1132b46be57d181ad4\|8df40f3ddc6a41d669b340aca92cacdc\|ebf111ea1445619bd763e2c2cd86cff2\|f58a1f438be27942cd27fd8900c895d3\|8485cb696c4ad7e890b31e6a38cf9896"
md5sum: .: Is a directory
md5sum: ./recup_dir.34: Is a directory
md5sum: ./recup_dir.18: Is a directory
md5sum: ./recup_dir.4: Is a directory
md5sum: ./recup_dir.10: Is a directory
md5sum: ./recup_dir.32: Is a directory
md5sum: ./recup_dir.15: Is a directory
md5sum: ./recup_dir.19: Is a directory
md5sum: ./recup_dir.14: Is a directory
md5sum: ./recup_dir.30: Is a directory
md5sum: ./recup_dir.27: Is a directory
md5sum: ./recup_dir.21: Is a directory
md5sum: ./recup_dir.33: Is a directory
md5sum: ./recup_dir.13: Is a directory
md5sum: ./recup_dir.3: Is a directory
md5sum: ./recup_dir.1: Is a directory
39c99989b49f21b081a562a68e6725fa  ./recup_dir.1/f0007584.txt
8485cb696c4ad7e890b31e6a38cf9896  ./recup_dir.1/f0033880.mp4
8df40f3ddc6a41d669b340aca92cacdc  ./recup_dir.1/f0008968.png
4e34290b25a81c1132b46be57d181ad4  ./recup_dir.1/f0329088.pdf
f58a1f438be27942cd27fd8900c895d3  ./recup_dir.1/f0015128.mp4
b286ff3890f983771306830e4f6a3124  ./recup_dir.1/f0007720.png
md5sum: ./recup_dir.9: Is a directory
md5sum: ./recup_dir.8: Is a directory
md5sum: ./recup_dir.6: Is a directory
md5sum: ./recup_dir.31: Is a directory
md5sum: ./recup_dir.24: Is a directory
md5sum: ./recup_dir.11: Is a directory
md5sum: ./recup_dir.28: Is a directory
md5sum: ./recup_dir.26: Is a directory
md5sum: ./recup_dir.2: Is a directory
md5sum: ./recup_dir.12: Is a directory
md5sum: ./recup_dir.22: Is a directory
md5sum: ./recup_dir.17: Is a directory
md5sum: ./recup_dir.29: Is a directory
md5sum: ./recup_dir.20: Is a directory
md5sum: ./recup_dir.16: Is a directory
md5sum: ./recup_dir.5: Is a directory
md5sum: ./recup_dir.7: Is a directory
md5sum: ./recup_dir.25: Is a directory
md5sum: ./recup_dir.23: Is a directory
[ root@server: prove_cases ]
└#

Six match. Earlier we deleted 8 files including hash.txt, and in this case we successfully recovered 7 of them.
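The matching done above with `md5sum $( find . ) | grep "hash1\|hash2\|..."`, as a script that also reports which manifest entries were not found, which is the result the conclusion table shows for file.txt. This is an added example, not the post's own commands: the carved directory, file names and the all-zero placeholder hash are constructed for the demo, and match_manifest and count_missing are my own function names.

```shell
#!/bin/sh
# Added example, not the post's own commands: match files carved by photorec
# against a known-good manifest in md5sum format ("md5  original-name") and
# report each manifest entry as recovered or missing. Directory and file
# names below are constructed for the demo.

# match_manifest MANIFEST CARVED_DIR
# Hashes every regular file under CARVED_DIR once (-type f, so there are no
# "Is a directory" errors), then looks each manifest hash up in that table.
# Prints "recovered <md5> <origin> <carved path>" or "missing <md5> <origin> -"
# per manifest line. Exit status 0 only when every entry was found.
# photorec's carved names contain no spaces, which the awk field split relies on.
match_manifest() {
    table=$(mktemp)
    find "$2" -type f -exec md5sum {} + | LC_ALL=C sort > "$table"
    missing=0
    while read -r want origin; do
        [ -n "$want" ] || continue
        found=$(awk -v h="$want" '$1 == h { print $2; exit }' "$table")
        if [ -n "$found" ]; then
            printf 'recovered %s %s %s\n' "$want" "$origin" "$found"
        else
            printf 'missing %s %s -\n' "$want" "$origin"
            missing=$((missing + 1))
        fi
    done < "$1"
    rm -f "$table"
    [ "$missing" -eq 0 ]
}

# count_missing MANIFEST CARVED_DIR
# Prints the number of manifest entries that were not recovered.
count_missing() {
    match_manifest "$1" "$2" | awk '/^missing / { n++ } END { print n + 0 }'
}

# Stand-alone demo: a constructed carved tree with two files that match the
# manifest and one manifest entry (placeholder hash) that was never carved.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/carved/recup_dir.1" "$work/carved/recup_dir.2"
    printf 'hello\n' > "$work/carved/recup_dir.1/f0007584.txt"
    : > "$work/carved/recup_dir.2/f0008968.bin"
    printf 'unrelated carved data\n' > "$work/carved/recup_dir.2/f0015128.txt"
    # manifest kept outside the carved tree; the last hash is a constructed placeholder
    printf '%s\n' \
        'b1946ac92492d2347c6235b4d2611184  file0.txt' \
        'd41d8cd98f00b204e9800998ecf8427e  empty.bin' \
        '00000000000000000000000000000000  file.txt' > "$work/hash.txt"
    match_manifest "$work/hash.txt" "$work/carved" || echo "some files were not recovered"
    echo "missing: $(count_missing "$work/hash.txt" "$work/carved")"
    rm -rf "$work"
}
demo
```

Hashing the carved tree once and looking the manifest up in it scales to the 16688 files photorec produced here, where running md5sum over `$( find . )` for each query would repeat the work and would also break on any path containing whitespace. A hash match tells you the recovered bytes are identical to the original; an entry reported missing means the content was overwritten or only partially carved, which is exactly what a recovery report should make visible.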

So where is the anti-forensic technique? HERE

Conclusion #

Successful, with a bit of failure.

  • Status: Success. These files were successfully recovered.

    MD5 Hash                          File Recovered              File Origin
    39c99989b49f21b081a562a68e6725fa  ./recup_dir.1/f0007584.txt  file0.txt
    8485cb696c4ad7e890b31e6a38cf9896  ./recup_dir.1/f0033880.mp4  public.mp4
    8df40f3ddc6a41d669b340aca92cacdc  ./recup_dir.1/f0008968.png  file.png
    4e34290b25a81c1132b46be57d181ad4  ./recup_dir.1/f0329088.pdf  file.pdf
    f58a1f438be27942cd27fd8900c895d3  ./recup_dir.1/f0015128.mp4  public0.mp4
    b286ff3890f983771306830e4f6a3124  ./recup_dir.1/f0007720.png  fav.png
    02df7406ef25ecbcc01e9073d43bb9ad  ./recup_dir.1/f0350056.txt  hash.txt
  • Status: Failure. This one file failed to recover.

    MD5 Hash                          File Recovered  File Origin
    ebf111ea1445619bd763e2c2cd86cff2  Failed          file.txt

One lesson learned:
As we know, the world isn't smooth like butter.