Foremost - Forensic Data Recovery Tool

Foremost is a forensic data recovery tool for Linux that recovers files by locating their headers, footers, and internal data structures, a process known as file carving. Although it was originally developed for law enforcement use, it is freely available and can be used as a general data recovery tool. Foremost can carve from FATx, NTFS, ext2/3, or raw partition images independently of the file system, which makes it useful both for digital forensics research and for retrieving lost files.

Before getting into the tool, first insert the disk from which you want to carve or recover the data; you can also recover files from internal disk drives. For this explanation we are using a SanDisk 8 GB USB flash drive.

  • First, check whether the USB drive has been detected properly with the command sudo fdisk -l.
[Screenshot: Checking the disk location]
The drive appears under the device path /dev/sdb1 with a size of 7.5G, which confirms the USB drive was inserted successfully.
  • Now install the Foremost utility from the Kali Linux terminal by typing sudo apt install foremost -y.

[Screenshot: Installing Foremost]

  • Next, create the output directory where the recovered files will be stored. In this scenario we create a directory named CFB on the Desktop using the mkdir command.
[Screenshot: Output directory]
  • You can use the help option (foremost -h) for a better understanding of the tool.
[Screenshot: Help output of Foremost]
Take your time and go through all the options in the tool. Here we will discuss some basic commands.
  • The scenario here is to recover the images (JPEG) from the USB drive (/dev/sdb1).
  • The flags we will be using are -i (the input device or image file), -a (write all headers and perform no error detection, so corrupted files are kept too), -t (the file type to carve, here jpeg) and -T (add a timestamp to the output directory name so repeated runs do not collide).
[Screenshot: Recovery process]
  • A new output directory is created; cd into that directory and you will see the recovered data.
[Screenshot: Recovered files]
You can specify any file extension and recover the data. 
We hope this helps. If any suggestions or doubts you can add a comment and we will reply as soon as possible.


Reverse Engineering: Ghidra

Ghidra made headlines lately when the NSA open-sourced the reverse-engineering framework. It supports Windows, macOS, and Linux. Its feature set includes disassembly, assembly, decompilation, graphing, and scripting.


Ghidra is a Software Reverse Engineering (SRE) framework. It helps analyze malicious code and malware like viruses and can give cybersecurity professionals a better understanding of potential vulnerabilities in their networks and systems.


In addition, it supports a wide array of processor instruction sets and executable formats and can run in either interactive or automated mode. What's more, the program is customizable by writing plugins or scripts in Python or Java. It can be run in both a graphical and a command line mode; its GUI is designed for less expert users and exposes the assembler, disassembler, decompiler, and other features, including support for the various processor instruction sets and executable formats.

When viewing decompiled code, selecting a portion of the assembly automatically highlights the corresponding decompiled code in the decompiler window, which is a good way of understanding how the high-level code maps to the disassembly.

In order to run, it requires a Java SE Development Kit (JDK) version 11 or above to be installed. Follow Ghidra's installation guide.

Features of Ghidra

Context Help

Ghidra comes with context-sensitive help: hover over most interface elements and press F1, and a pop-up window with the relevant help page appears, providing the user with more information.

Organize project sections

Ghidra can organize the disassembled code of your project in various ways: right-click on the folder of your project, select “Modularize By” and choose between “Subroutine”, “Complexity Depth” or “Dominance”.

The next window after “Program Trees” is “Symbol Tree”, which lets you view the imports, exports, functions, labels, classes, and namespaces of a binary file.

Listing Window

The “Listing” window is where you can see the disassembled (reverse-engineered) code.

Users can configure the listing fields by clicking the “Edit the listing fields” icon in the top right corner and then selecting the “Instruction/Data” tab.

Any element of the listing interface may be changed, relocated, disabled, or removed.

Loading an Executable

Ghidra supports drag and drop: a file can be loaded by dropping it into the project window, which launches a dialog box where the format, the destination folder, and the name of the program are selected.


A summary of the import results appears once the file is imported. If the file has not yet been analyzed, a list of analyzers is shown so that the user can enable the ones appropriate for the format of the file.


Modifying Display Elements

When using the CodeBrowser to review the target file, Ghidra offers customizable display elements that can improve readability. The relevant options are reached by clicking Edit in the top menu and then selecting Tool Options.

Suggested environment changes

  • Listing Display: increase the font size and enable bold formatting for easier reading.
  • Listing Fields – Bytes Field: change “Maximum Lines to Display” to 1 to simplify the spacing between lines of assembly code.
  • Listing Fields – Cursor Text Highlight: change “Mouse Button to Activate” to left. This highlights all instances of the selected text when the left mouse button is clicked, as in other disassemblers.
  • Listing Fields – EOL Comments Field: check “Show Semicolon at Start of Each Line” to better separate the assembly text from inserted comments.
  • Listing Fields – Operands Field: check “Add Space After Separator” for improved text readability.

View Decompiler Output

Ghidra comes with a built-in decompiler, which displays a high-level (C-like) representation of the assembly code.

Highlighting one of the operators in the high-level decompiler window highlights the corresponding assembly, giving the user a good idea of how and which groups of assembler instructions correspond to the high-level statements.

Scripting

Ghidra includes support for writing Java and Python (via Jython) scripts to automate analysis. To view the built-in scripts, go to Window – Script Manager. A user can add their own script by choosing the “Create New Script” option in the header menu of the Script Manager window.


Investigate a String Reference

Ghidra gives an overview of the strings embedded within a target file. To navigate to it, click Window – Defined Strings. Clicking the row associated with a string moves the Listing window to the data at the corresponding address.
 
To identify references to a string, right-click the address in the Listing window and choose References – Show References to Address:


The resulting window shows how many references there are to a particular string and where each reference is located.



Reverse Engineering: Explained!


Whether it is rebuilding a car engine or a LEGO set, we learn many things simply by taking them apart and putting them back together again. The process of taking a software system and analyzing it to trace it back to its original design and implementation is known as reverse engineering. Security researchers use this technique to understand malicious applications and disrupt them.

Reverse engineering can be applied to different aspects of both software and hardware development. In the context of software engineering, reverse engineering entails breaking something down to understand it; the knowledge gained can then be used to rebuild it, to fix certain bugs, or to enhance product features in both hardware and software.


For instance, a programmer writes code in languages like C, C++, Python, Java, etc. Because computers do not speak these languages, the code is compiled or assembled into a machine-specific, low-level format that the processor can execute; reverse engineering works backwards from that low-level form.


In software security, reverse engineering is widely used to check that a system has no major security flaws or vulnerabilities. It helps make a system robust, thereby protecting it from attackers and spyware. Some developers even go as far as attacking their own systems to identify vulnerabilities, a practice referred to as ethical hacking.

Reverse engineering is also heavily used to identify malicious content in software, such as viruses, to expose security flaws (backdoors, malware, misconfigurations), and to address possible privacy issues.

Researchers can also reverse engineer malware to understand how it works, neutralize its behaviour, identify its likely operator, and use the knowledge gained to update their virus databases and prepare mitigations for future attacks.
Reverse engineering thus helps both to contribute to a program and to detect malicious code. A well-known example: the spread of the WannaCry malware was stopped after researchers reverse-engineered and studied it.


Reverse Engineering: Top Tools!



Reverse engineering can be applied to different aspects of both software and hardware development. In the context of software engineering, reverse engineering entails breaking something down to understand it; the knowledge gained can then be used to rebuild it, to fix certain bugs, or to enhance product features in both hardware and software.

GHIDRA

Ghidra is a software reverse engineering (SRE) framework developed by NSA's Research Directorate for NSA's cybersecurity mission. It helps analyze malicious code and malware like viruses and can give cybersecurity professionals a better understanding of potential vulnerabilities in their networks and systems.



edb-debugger

edb-debugger is a Linux debugger inspired by the well-known OllyDbg on the Windows platform. One of its main design goals is modularity. It comes pre-installed in Kali Linux. Some of its features are:
  • Intuitive GUI interface
  • The usual debugging operations (step-into/step-over/run/break)
  • Conditional breakpoints
  • Debugging core is implemented as a plugin so people can have drop-in replacements. Of course, if a given platform has several debugging APIs available, then you may have a plugin that implements any of them.
  • Basic instruction analysis
  • View/Dump memory regions
  • Effective address inspection
  • The data dump view is tabbed, allowing you to have several views of memory open at the same time and quickly switch between them.
  • Importing and generation of symbol maps
  • Plugins
  • To run the tool, type edb in the terminal.
  • Visit the official site for more information.

JavaSnoop

Normally, without access to the original source code, testing the security of a Java client is unpredictable at best and unrealistic at worst. JavaSnoop attempts to solve this problem by allowing you to attach to an existing process (like a debugger) and instantly begin tampering with method calls, run custom code, or just watch what’s happening on the system. 

  • It comes pre-installed in Kali Linux.
  • To run the tool, type javasnoop in the terminal.
  • Visit the official site for more information.

OllyDbg

OllyDbg is a 32-bit assembler level analyzing debugger for Microsoft Windows. Emphasis on binary code analysis makes it particularly useful in cases where the source is unavailable. Some key features are:

  • It has an easy-to-use and fairly intuitive GUI making it a relatively quick study.
  • Code analysis - traces registers, recognizes procedures, loops, API calls, switches, tables, constants, and strings
  • Directly loads and debugs DLLs
  • Object file scanning - locates routines from object files and libraries
  • Saves patches between sessions, writes them back to the executable file, and updates fixups
  • No installation - no trash in registry or system directories
  • Although it is free, it is NOT open-source.
  • Visit the official site for more information.

JADX

JADX (Dex to Java decompiler) is a CLI/GUI tool to produce Java source code from Android Dex and APK files. It is open-source software. It comes pre-installed in Kali Linux. Some key features are:

  • decompile Dalvik bytecode to java classes from APK, dex, aar, and zip files
  • decode AndroidManifest.xml and other resources from resources.arsc
  • deobfuscator included
  • view decompiled code with highlighted syntax
  • jump to declaration
  • find usage
  • full-text search
  • To run the tool, type jadx-gui in the terminal.
  • Visit the official GitHub repository.



Scalpel - Data Recovery tool for Linux

Scalpel is a widely used file recovery tool that carves files by using Boyer-Moore string searching to locate file headers and footers in a disk image. Using these signatures it can carve files out of the disk in a single pass over the image. Scalpel can carve from FATx, NTFS, ext2/3, or raw partition images independently of the file system, which makes it useful for digital forensics research and investigations.


Installation:

Scalpel is available from the Kali Linux package repositories; to install it, type sudo apt install scalpel -y.
Before starting with Scalpel, check whether the USB drive is actually visible to Kali Linux. For this we use the command sudo fdisk -l. (In this scenario we are using a SanDisk 8 GB USB drive.)

[Screenshot: fdisk results]
  • The drive appears under the device path /dev/sdb1 with a size of 7.5G, which confirms the USB drive was inserted successfully and is visible.
  • Before running Scalpel, we have to make changes to its configuration file. The file is stored in /etc/scalpel and is named scalpel.conf. Open it with nano or gedit to make the changes.
[Screenshot: Editing the file]
  • Here you can find the various file types that Scalpel can recover; every type is disabled by a leading "#". Let's try the JPG file type: remove the hash from lines 87 and 88 and save the file.
[Screenshot: Removing the hashes]
If saving the configuration file gives a permission error, open the file with sudo (for actual root permission): sudo gedit scalpel.conf.
  • Now, for a better understanding of the tool, type scalpel -h.
[Screenshot: Help options]
  • The main option to focus on here is -o, which sets the output directory. Pass the USB device path (/dev/sdb1) as the input along with -o and the destination path where the files should be saved, i.e. scalpel /dev/sdb1 -o <destination path>. Note that Scalpel requires the output directory to be empty.
[Screenshot: File recovery process]
  • Now you can check the destination folder for the files that were recovered.
[Screenshot: Recovered files]
Similarly, you can go back to the configuration file (scalpel.conf), put the comment marker (#) back on the JPG lines (87 and 88), and remove it from the file types you want to recover next, such as PDF, DOCX, etc. You can also enable several file types at once to recover them in a single run.
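Both Foremost and Scalpel work the same way underneath: a rule gives a header and a footer, and every header hit starts a candidate file that ends at the next footer (or at the rule's maximum size when no footer turns up). The following Python carver is an added example written for this post, not code from either project; the rule lines are constructed in scalpel.conf's column layout, the disk image is a constructed byte string rather than a real /dev/sdb1 dump, and it shows why a commented-out rule (the "#" handling above) recovers nothing.

```python
import re
from typing import List, Tuple

# Constructed rules in scalpel.conf's column layout (extension, case-sensitivity,
# max carve size, header, optional footer). Sample values for this example only,
# not copied from a real scalpel.conf; a leading '#' disables a rule, as in the post.
RULES_TEXT = r"""
# ext   case  size    header                     footer
jpg     y     200000  \xff\xd8\xff\xe0\x00\x10   \xff\xd9
gif     y     50000   \x47\x49\x46\x38\x39\x61   \x00\x3b
# png   y     50000   \x89PNG                    IEND
"""

def unescape(pattern: str) -> bytes:
    # Turn a rule pattern such as \xff\xd8 into raw bytes; other characters are literal.
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), pattern)
    return text.encode("latin-1")

def parse_rules(text: str) -> List[Tuple[str, int, bytes, bytes]]:
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # '#' comments out (disables) a rule
        if not line:
            continue
        ext, _case, size, header, *footer = line.split()
        rules.append((ext, int(size), unescape(header),
                      unescape(footer[0]) if footer else b""))
    return rules

def carve(image: bytes, rules) -> List[Tuple[str, int, bytes]]:
    # Header/footer carving: each header hit starts a candidate file that ends at the
    # first footer found within the max size, or at the max size if none is found.
    found = []
    for ext, size, header, footer in rules:
        start = image.find(header)
        while start != -1:
            window = image[start:start + size]
            end = window.find(footer, len(header)) if footer else -1
            found.append((ext, start, window[:end + len(footer)] if end != -1 else window))
            start = image.find(header, start + 1)
    return found

FILLER = b"\x00" * 64                                   # constructed unallocated space
JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 30 + b"\xff\xd9"
GIF = b"GIF89a" + b"B" * 20 + b"\x00\x3b"
DISK_IMAGE = FILLER + JPEG + FILLER + GIF + FILLER       # constructed, not a real device dump

def demo() -> List[Tuple[str, int, bytes]]:
    return carve(DISK_IMAGE, parse_rules(RULES_TEXT))

if __name__ == "__main__":
    for ext, offset, data in demo():
        print(f"{ext}: offset {offset}, {len(data)} bytes carved")
```

Because the carver only looks at signatures, a truncated file with no footer is still carved up to the rule's maximum size, which is the same reason Foremost's -a and Scalpel's size column can produce oversized or partial recoveries.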