Jump to content

Search the Community

Showing results for tags 'foregone'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • Informatii generale
    • Anunturi importante
    • Bine ai venit
    • Proiecte RST
  • Sectiunea tehnica
    • Exploituri
    • Challenges (CTF)
    • Bug Bounty
    • Programare
    • Securitate web
    • Reverse engineering & exploit development
    • Mobile security
    • Sisteme de operare si discutii hardware
    • Electronica
    • Wireless Pentesting
    • Black SEO & monetizare
  • Tutoriale
    • Tutoriale in romana
    • Tutoriale in engleza
    • Tutoriale video
  • Programe
    • Programe hacking
    • Programe securitate
    • Programe utile
    • Free stuff
  • Discutii generale
    • RST Market
    • Off-topic
    • Discutii incepatori
    • Stiri securitate
    • Linkuri
    • Cosul de gunoi
  • Club Test's Topics
  • Clubul saraciei absolute's Topics
  • Chernobyl Hackers's Topics
  • Programming & Fun's Jokes / Funny pictures (programming related!)
  • Programming & Fun's Programming
  • Programming & Fun's Programming challenges
  • Bani pă net's Topics
  • Cumparaturi online's Topics
  • Web Development's Forum
  • 3D Print's Topics

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Joined

  • Start

    End


Group


Website URL


Yahoo


Jabber


Skype


Location


Interests


Occupation


Interests


Biography


Location

Found 1 result

  1. Author(s) Joe Stewart Latest Version 0.1 Description Foregone is a forensic file recovery tool written in Perl. It was inspired by the Air Force Office of Special Investigations' forensic tool known as "Foremost", which uses defined headers and footers of certain file types to search a raw disk image and extract files with those characteristics. Foregone is a Perl implementation of the same technique with some added features: Only searches for headers starting on a block boundary, for a speed increase Uses compression to reject interleaved blocks of dissimilar files Foregone should not be considered an investigative-level forensic tool, but merely a utility that may help you recover files from a corrupted filesystem. #!/usr/bin/perl use Compress::Zlib; ## foregone.pl - recover files of a given type from a raw disk image even if ## interleaved with other blocks (blocks must be in correct order) ## ## (c)2003-2006 Joe Stewart <jstewart@lurhq.com> ## ## Foregone is released under the GNU General Public License. ## examples ## ## PDF ## ## my $header = "\x25\x50\x44\x46\x2D"; ## my $footer = "\x25\x25\x45\x4F\x46"; ## my $extension = "pdf"; ## my $mustfind = ""; ## my $mustfind2 = ""; ## GNUCASH ## ## my $header = "<?xml version=\"1.0\"?>\n<gnc-"; ## my $footer = "<!-- End: -->"; ## my $extension = "xml"; ## my $mustfind = "<act"; ## my $mustfind2 = "<trn"; ## JPEG ## my $header = "\xff\xd8\xff\xe0"; my $footer = "\xff\xd9"; my $extension = "jpg"; my $mustfind = ""; my $mustfind2 = ""; ## Blocksize of filesystem being read ## my $blocksize = 1024; ## Threshold to reject blocks based on compressed size ## compares initial block size when compressed with subsequent block ## sizes when compressed ... good at rejecting dissimliar types of data ## More than this zthreshold percent deviation will result in rejection ## Adjust as needed depending on how many bad blocks you get in output my $zthreshold = 50; ## maximum size of any output file ## my $maxbytes = 3000000; ## directory to write recovered files. Will be created if it doesn't exist ## my $recoverdir = "foregone-recover"; my $image = $ARGV[0]; my $size = (stat($image))[7]; my $buf = ""; my $buflength = length($header); my $found = 0; my $outbytes = 0; my $pos = 0; die "Usage: $0 <disk image>\n" unless $image; open (IN, $image) or die "Could not open $image : $!\n"; unless (-e "$recoverdir") { mkdir("$recoverdir", 0755) or die "Could not create $recoverdir : $1\n"; } while ($pos < $size) { my $blockpos = $pos; read(IN,$buf,$buflength) or last; $percent = ($pos / $size) * 100; printf("Looking at first %s bytes of block at offset $pos (%.2f%% done)\r", $buflength, $percent); if ($buf eq $header) { print "\nHeader match at $pos\n"; print "Extracting file...\n"; &extract_file; } $pos += $blocksize; seek(IN,$pos, 0) or die "\ncould not seek to $pos"; } print "\nFinished.\n"; close IN; sub extract_file { $found++; my $filename = sprintf("recovered.%05d.%s", $found, $extension); open(OUT, ">$recoverdir/$filename") or die "Couldn't write output file!\n"; print OUT $buf; my $tmpblocksize = $blocksize - $buflength; while ($pos < $size) { read(IN,$block,$tmpblocksize) or last; $tmpblocksize = $blocksize; my $zblock = compress($block); my $zblocklength = length($zblock); if (!$zfirstblock) { $zfirstblock = $zblocklength; $lowerlimit = ((100 - $zthreshold) / 100) * $zfirstblock; $upperlimit = ((100 + $zthreshold) / 100) * $zfirstblock; } else { if ($block !~ /$footer/) { # compressed block size is too different. reject it. if ($zblocklength > $upperlimit || $zblocklength < $lowerlimit) { print "Rejected block: compressed size = $zblocklength : $lowerlimit < $zfirstblock > $upperlimit\n"; next; } } } if ($mustfind) { next unless $block =~ /$mustfind|$mustfind2/; } if ($block =~ /$footer/ || $outbytes + $blocksize > $maxbytes ) { my ($blockt, $garbage) = split(/$footer/, $block); print OUT $blockt . $footer; $outbytes += length($blockt) + length($footer); if (length($blockt) + length($footer) == $blocksize) { print "Failed to truncate last block\n" } last; } $outbytes += $blocksize; print OUT $block; } print "Wrote $recoverdir/$filename ($outbytes bytes)\n"; $outbytes = 0; close OUT; } Source
×
×
  • Create New...