Updated June 13, 2023
Introduction to Data Recovery Techniques
Data Recovery Techniques are an essential part of Digital Forensics. It’s critical for Ethical hackers and penetration testers, and ordinary people in our day-to-day life. Most of you may even think that all your data is gone once you have formatted your hard drive or cell phone. But that’s not the true fact. Data can be recovered in any manner. Besides, if it’s just formatting, data recovery techniques are easy and can be done with simple and free online tools. But to novice people who don’t know about this, data recovery techniques can be a deal-breaking situation.
Some of you may not even know what Data Recovery techniques are and the aspects of Digital Forensics. So, Let’s take a deeper look into that.
Most of you may think your data is secured once you have a password-protected hard disk drive. And if you delete everything and then format it again, you would think it is gone, eh? But that’s not the case. And this is where Digital Forensics comes into play.
Digital forensics is part of Ethical hacking. It deals with Data Recovery techniques and data manipulation, tracking down the source of images, videos, and mp3s uploaded online. Digital Forensics is a diverse category to deal with. It also comprises scanning, repairing, and gathering Intel out of the most corrupted hard disk drives and other devices like Cell phones, PDAs, portable computers, biometrics, and many more. Thus, Data Recovery techniques are essential to Cybercrime since enough data about a specific hacker/party would help solve the crime quickly. If not, then at least the recovered data could help identify the hacker’s working method.
Daily Life Scenario
Now you think: Ok, that’s fine for a White Hat and a Penetration tester, but how is that useful in our daily life? Let me give you a real-life scenario.
Scenario I: Nexus 5 Revelation
During the days when I started learning about hacking and stuff, I was a gadget freak. I have always had the habit of purchasing and experimenting with many devices. But since money is an issue, I used to purchase second-hand cell phones sold on eBay, Olx, or from roadside sellers for a quarter of the original price. Not so long back, when I was experimenting with a Nexus 5 I purchased from eBay for 8K, I lost a lot of data inside it. The stuff happened something like this:
Nexus 5 Bootloader
After I purchased the Nexus 5, it was fully formatted by the previous owner. I rooted it, installed Cyanogen Mod 11.00 (CM11-KitKat), and installed a whole AK kernel. It worked so fine that I started using it as my daily driver. But when I tried to overclock it, the phone went dead. The battery was burnt due to overload. I purchased another battery and soldered it. But when I started the Cell, it was stuck on the boot loop (Bootloop meaning never-ending loading at loading screen on start-up).
So, I had to reinstall the whole OS. But since I wanted to recover all the data I had inside it, I had to do some monkey gimmicks to recover it. It was not a straightforward situation. And when I say data recovery techniques, I don’t mean internal data. I meant the actual phone data, including settings and other important information stored on the device. So, I started looking online for data recovery training tools for free and found the Safecopy tool for Linux. I had the upper hand in Linux but never knew anything about it. I installed it by typing:
$apt-get install a safe copy
Once installed, I tried to make a whole disk image of the data and cache partition using Safecopy using the below command:
$safecopy /dev/Nexus5 nexus5.iso
. My data was 5-6 gigs, but the recovered data was around 14 gigs. I was shocked to see that. Since I was desperate and curious to regain my data without corruption, I also used ADB tools (Android Debug Bridge) to back up.
I installed ADB tools in Linux by typing:
$apt-get install android-tools-ADB
I used the following command to take the full backup of my cell phone:
$adb backup -apk -shared -all -f /root/temp.ab
If you just want to backup without the apk, you can use either of the following:
$adb backup -all -f /root/temp.ab
However, you can check the help command for more flags and options.
Now comes the most shocking part. It took approximately 3-4 hours to get the full backup of the cell phone. After completing the process, I received a total file of 33 gigs, and I was shell-shocked when I saw it. My Nexus 5 had a total storage capacity of 16 gigs, but I only had 12 gigs available for storage. However, I had only used up to 5-6 gigs of the open space. Then, from where the heck did the remaining 26 gigs come from? The worst question was, where was it all stored? Confused about this, I used SQLite Viewer to view the backup file before I could restore it, and what I saw was unbelievable. I not only took a backup of my data but also restored all the data the previous owner had stored.
I could view the Facebook chats and WeChat data using the SQLite browser and the SQLite Viewer. It was just a matter of time before I could separate the old recovery data from my own data. I could have also recovered the SMS and the contacts info using the infamous Sleuth Kit, but I thought to give it some time before I could master the basic Database Recovery. I also recovered the Whatsapp database, and with a little bit of social engineering, I also hacked the encrypted key of the person from whom I had purchased the Cell Phone. However, later on, I called the specific person since he was a humble man and informed him about the issues that could have happened if this was to fall into the wrong hands.
Scenario II: The Kevin Mitnick Method
I doubt whether most of you may have heard of the infamous hacker Kevin Mitnick. He has written loads of books related to Social Engineering and Hacking. He was on the FBI’s most-wanted list and served five years in prison for the same, but was released since much evidence was not found against him. You may be wondering why I am saying this. The reason for that is that; Kevin was an excellent Social Engineer. And I have used several of his tricks to penetrate websites and organizations (legally, obviously). He used to do very well since he used to impersonate someone like himself, gain physical access to an organization, and then hack it. He also used to do dumpster driving through which he could gain access to sensitive files thrown away as rubbish in the garbage.
When I read his book “Art of Deception,” I thought, let’s try it. And this was two years back when I worked in a different IT organization. I knew that every three years, the company kept itself up-to-date by changing some of the hardware and used to sell these components to the highest bidder on eBay in lots. Seemingly I purchased a few hard drives from over there. It was all clean and formatted and slow. So, I used this tool known as EASEUS Data Recovery Techniques to recover deleted data. Then, I didn’t know about safe copy. So, I used this Data Recovery training software. I used the trial version first and found lots of files, but I couldn’t recover them because it was severely damaged.
Besides, the files shown as ‘can be recovered files’ were over 2-3 years old. So, I had a live disk, which was Knoppix, the famous live disk, to troubleshoot anything. Later, I realized that what I did could be done through any Linux distribution, not just Knoppix. I used the dd command to clone the whole hard disk and scan it sectorally. dd is a disk utility copying tool for Linux. You can specify almost everything from the block size to cloning a whole drive here.
I used the following command to clone the hard disk:
$dd if=/dev/sdb1 of=/root/tempclone.iso bs=2048
You can specify any block size you wish, ranging from 512k to 4096, until you know what you are doing. Here dd is asking the computer to check for a drive with the label sdb1, and if it is there, makes a copy of the whole disk into an iso or an image file depending upon your usage with the block size to be of 2048k and then save it to the root directory with the name of tempclone.iso. You can also reverse the process of converting an iso clone into a physical HDD by typing the following:
$dd if=/root/tempclone.iso of=/dev/sdb1 bs=1024
Here, I always prefer o use the low-side block size due to personal preference. You can increase it if you want, but I had terrible experiences with it in the past. Thus the low block size.
So, by cloning the HDD, you now have a full clone of the whole HDD on your computer. But note that this won’t work on a plain, formatted HDD since there is nothing to clone. First, you must recover the corrupted data using good disk recovery software like EASEUS; it’s not an issue, even if it’s unreadable. Once recovered, you can clone it using the dd command. This is because if your hard disk has irrecoverable bad sectors, the hard disk won’t even allow you to read the remaining chunk of data near that sector. But we can do that by cloning the drive. Once cloned, you can use the following tools to identify and remove the bad sectors and save only the good and recoverable sectors and then read it.:
- Check Flash
- Chip Genius
So, by doing this, I extracted approximately 390 gigs of data out of the 500 gigs hard drive, and out of which I could recover uncorrupted data of about 236 gigabytes. This was a severe issue since the information I received was highly confidential. I looked into the data and discovered that the hard drive contained Salary, Provident Fund, and other accounting information the Human Resources team used.
I quickly took this information back to the IT departmental head and informed him about this, but no proper actions were taken since this is India. I recommended that the company destroy the hard disks rather than sell them because this could be a nightmare if the details of the bank account information get into the wrong hands. I was asked to stand down, but I received a promotion due to this, which is a different story altogether.
Digital Forensics and Data Recovery Techniques: Aftermath
But the point is that data recovery techniques apply to every other organization and ordinary people using electronic devices to store confidential data. I could go on and on about this, but that doesn’t matter. The critical thing to know is how to destroy digital forensics evidence. Hackers nowadays use LUKS encryption to destroy data if someone tampers with it, which overwrites every byte with zeros rather than any other hexadecimal number. This, however, makes the data recovery techniques useless. But again, it’s not child’s play for everyone to use LUKS encryption. Besides, using LUKS encryption has a significant disadvantage: if you forget the password to the stored data, it cannot be recovered, no matter what. You will be stuck forever. But obviously, no one should have access to the data rather than some thief using it for malicious purposes.
Data Recovery Techniques and Digital Forensics are other vital reasons hackers typically destroy all the data with secure deletion from the victim or slave computer once their work is done so that nothing can be traced back to them. There is always more to it than it seems. Data Recovery Techniques, like any other thing on the planet, are a boon and a curse. They are two sides of the same coin. You cannot save one while destroying the other.
First Image Source: Pixabay.com
Here are some articles that will help you to get more detail about Digital forensics and the Important Aspects of Data Recovery techniques, so go through the link.