forensics – recoverjpeg

Recoverjpeg is a forensics tool used for file carving on the Backtrack 5 operating system. Recoveryjpeg searches for JPEG files on a drive and recovers them. It even went so far as to recover JPEGs from a previous files system installed on the drive that was carved.

backtrack 5r1 on a usb stick booted on a pc with windows xp on. The idea is to recover any deleted pictures.

1. create a new folder on desktop called dump

2. move to this folder
root@root:~# cd Desktop/dump

3. find the drive you want to search
root@root:~/Desktop/dump# fdisk -l

Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1        4124    4812451+   7   NTFS

4. recover deleted pics

root@root:~/Desktop/dump# recoverjpeg /dev/sda1
Recovered files:  533        Analyzed: 45.3 GiB

===============================================

fdisk options

Usage:
fdisk [options] <disk>    change partition table
fdisk [options] -l <disk> list partition table(s)
fdisk -s <partition>      give partition size(s) in blocks

Options:
-b <size>                 sector size (512, 1024, 2048 or 4096)
-c                        switch off DOS-compatible mode
-h                        print help
-u <size>                 give sizes in sectors instead of cylinders
-v                        print version
-C <number>               specify the number of cylinders
-H <number>               specify the number of heads
-S <number>               specify the number of sectors per track

One thought on “forensics – recoverjpeg

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s