Direct hard drive access and recovering deleted files.

This page covers accessing hard drives at a "low level". This is useful for cloning hard drives, wiping hard drives and recovering deleted files. Cloning a hard drive is useful when replacing a hard drive and starting off right where you left off (no reinstalling the OS and applications). Alternatively, a hard drive can be cloned to a file, which is useful when undeleting files from a hard drive. The dd command is a powerful command that allows us to access a hard drive block by block. What is a block exactly? A block is the smallest addressable section of bytes on a hard drive. In the Windows NTFS file system, the default block size is 4096 bytes.

Before we can use the dd command we need to see the computer's block devices (devices that operate at the block level: hard drives, CD-ROM drives, USB drives, etc.). Use the lsblk command to list block devices:

lsblk

NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINT
loop0 7:0 0 86.6M 1 loop /snap/core/4486
loop1 7:1 0 140M 1 loop /snap/gnome-3-26-1604/59
loop2 7:2 0 1.6M 1 loop /snap/gnome-calculator/154
loop3 7:3 0 12.2M 1 loop /snap/gnome-characters/69
loop4 7:4 0 21M 1 loop /snap/gnome-logs/25
loop5 7:5 0 3.3M 1 loop /snap/gnome-system-monitor/36
sda 8:0 0 32G 0 disk
|_sda1 8:1 0 32G 0 part /
sr0 11:0 1 1024M 0 rom


The main hard drive is listed as /dev/sda. The partitions are listed as /dev/sda1, /dev/sda2, /dev/sdc, etc. The largest partition is typically the main partition with all the data. In this case /dev/sda1 is the main partition.

Hot swapping is within the SATA standard. The gotcha is that if you connect power first, the hard drive goes into standby mode, and without a server RAID card to send the wake command you will need to reboot the drive before it will read. Long story short, plug the SATA cable in before the power. Run the lsblk command again to list the second hard drive. It should come up as /dev/sdb or /dev/sdc.

To clone a hard drive, the drive being cloned to must be the same size as or bigger than the drive it is cloning from. To clone /dev/sda to /dev/sdb use the following command:

WARNING THIS WILL DESTROY ALL DATA ON /dev/sdb AND OVERWRITE IT WITH THE CONTENTS OF /dev/sda. IF YOU ARE UNSURE KEEP A BACKUP OF ALL DATA ON SEPARATE HARD DRIVES NOT USED IN THIS LAB!


dd if=/dev/sda of=/dev/sdb bs=4096

Breakdown of this command:
if: the "from" drive (input file)
of: the "to" drive (output file)
bs: block size (can vary in size but must be defined)

You now have a bit-for-bit clone of the first hard drive. You could physically swap /dev/sdb into the spot of /dev/sda and your OS would boot up as if nothing had changed!

It is also possible to clone to a file (then clone the file to disk later). Make sure the cloned file is on a separate disk.

dd if=/dev/sda of=/mnt/hdd2/hdd1.img bs=4096

Then, to restore the image to a new disk:

dd if=/mnt/hdd2/hdd1.img of=/dev/sdb bs=4096


Now that we have a hard drive image to work on, we can break out scalpel to recover a peculiar kind of file: a deleted file, the kind that has been deleted from the recycle bin. This works because files are identified by a header at their beginning. This header is simply a sequence of bytes that is the same at the very start of every file of that type. For example, zip would be in hex: 3c ac

Or in binary: 0011 1100 1010 1100

Scalpel will plunge into the disk image ignoring the file system (file paths). It will search from beginning to end, byte by byte. When it encounters the sequence of bytes above it will stop, carve the bytes from the file header until the EOF marker (end of file), and export that finding as a file. As the file has been deleted from the file system, its name will not be preserved. Before we can use scalpel two things must be set up: an output folder for the findings, and /etc/scalpel/scalpel.conf must be modified to uncomment the lines with the file headers you are looking for. Once that has been set up the syntax is as follows:

scalpel hardDriveImage.img -o outputDirectory


This will dump all findings under the outputDirectory.
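To make the carving step concrete, here is an added toy carver (example code, not scalpel's source and not part of the original page) that does what the paragraph above describes over a constructed in-memory image: it ignores any file system, scans byte by byte for known headers, carves to the matching footer or a size cap, and names each output by type and byte offset because the original name is gone. The JPEG and PNG header and footer values are the real ones; the signature table, size cap and sample image are assumptions made for the example.

```python
from pathlib import Path

# Constructed signature table standing in for the lines one would uncomment in
# /etc/scalpel/scalpel.conf: type -> (header, footer, max carve size in bytes).
# Header/footer values for JPEG and PNG are the real ones; the size cap is assumed.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 2 * 1024 * 1024),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 2 * 1024 * 1024),
}

def carve(image: bytes, signatures=SIGNATURES):
    """Walk the raw bytes of an image, ignoring any file system, and return
    (type, offset, carved_bytes) for every header found, sorted by offset."""
    found = []
    for ftype, (header, footer, max_size) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            window = image[start:start + max_size]
            end = window.find(footer, len(header))
            # No footer inside the size cap: keep the whole window, so a
            # truncated or partly overwritten file still comes out for inspection.
            carved = window if end == -1 else window[:end + len(footer)]
            found.append((ftype, start, carved))
            pos = start + len(header)
    return sorted(found, key=lambda f: f[1])

def write_findings(found, outdir: str) -> list:
    """Like scalpel's -o: dump each carve into outdir. The original file name
    went away with the file system, so files are named by type and byte offset."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    paths = []
    for ftype, offset, data in found:
        p = out / f"{ftype}_{offset:08d}.{ftype}"
        p.write_bytes(data)
        paths.append(str(p))
    return paths

def build_sample_image() -> bytes:
    """Constructed stand-in for hdd1.img: zero filler, a 'deleted' JPEG, more
    filler, then a PNG with no directory entry pointing at it. All assumed data."""
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"              # 46 bytes
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 20 + b"IEND\xae\x42\x60\x82"  # 36 bytes
    return b"\x00" * 512 + jpeg + b"\x00" * 1024 + png + b"\x00" * 512

if __name__ == "__main__":
    for ftype, offset, data in carve(build_sample_image()):
        print(f"{ftype} found at byte offset {offset}, {len(data)} bytes carved")
```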

Lastly, wiping a hard drive will be covered. If you use this method to wipe a hard drive it is "low level" and scalpel will not be able to recover the files. Simply use dd to write all zeros to the disk:

dd if=/dev/zero of=/dev/sda bs=4096


Note that if your adversaries have electron microscopes, you would need to do 7 passes before the data is safely buried beyond their tools.