FUNDL - File Undeleter - È uno script bash per Linux (richiede lo Sleuthkit) che serve a recuperare tutti i file cancellati da un disco o da una sua immagine bitstream.
Per lanciarlo in Linux: ./fundl.sh oppure sudo sh fundl.sh
Versione per WINDOWS 32: http://sfdumper.sourceforge.net/fundl.htm
Per maggiori informazioni: http://www.nannibassetti.com/dblog/articolo.asp?articolo=44
Ecco lo script come appare:
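#!/bin/bash
# FUNDL 2.0 - File Undeleter
# Undelete tool by Nanni Bassetti - digitfor@gmail.com - http://www.nannibassetti.com - http://www.cfitaly.net
# special thanks to Denis Frati http://www.denisfrati.it
#
# Interactive front end to the Sleuthkit tools mmls, fls and icat. It asks for
# an image file or device, an output directory, an optional extension filter,
# the partition starting sector and the file system type; it then writes
#   <outputdir>/filelist.txt    raw "fls -d -r -p" listing of deleted entries
#   <outputdir>/<inode>_<name>  content of each deleted file, read with icat
#   <outputdir>/filenames.htm   report linking each recovered file to its
#                               original path
#
# Review notes:
#  - Only POSIX sh constructs are used, so "sh fundl.sh" keeps working.
#  - Every expansion is quoted: paths and recovered names may contain spaces
#    or glob characters.
#  - File names come from the examined image and are untrusted. They are
#    HTML-escaped before they reach the report, which an analyst opens in a
#    browser.
#  - The script writes only under the output directory. Pick one that is not
#    on the device being examined, so the evidence is not modified.

# Print an error on stderr and stop.
die() {
  printf 'fundl: %s\n' "$*" >&2
  exit 1
}

# Write $1 to stdout with the HTML metacharacters & < > " ' replaced by
# entities, so a recovered name cannot inject markup or close the quoted
# href attribute of the report.
html_escape() {
  printf '%s' "$1" | sed \
    -e 's/&/\&amp;/g' \
    -e 's/</\&lt;/g' \
    -e 's/>/\&gt;/g' \
    -e 's/"/\&quot;/g' \
    -e "s/'/\&#39;/g"
}

# Write $1 to stdout, prefixed with "./" when it starts with "-", so the
# tools below cannot take a user-supplied path for an option.
path_operand() {
  case $1 in
    -*) printf '%s\n' "./$1" ;;
    *) printf '%s\n' "$1" ;;
  esac
}

echo "FUNDL 2.0 - File Undeleter - by Nanni Bassetti "
echo "http://sfdumper.sourceforge.net/fundl.htm"

echo "Insert the image file or the device: "
read -r imm
[ -n "$imm" ] || die "no image file or device given"
imm=$(path_operand "$imm")

echo "Insert the output directory:"
read -r outputdir
# An empty answer would make every output path start at "/".
[ -n "$outputdir" ] || die "no output directory given"
outputdir=$(path_operand "$outputdir")
mkdir -p -- "$outputdir" || die "cannot create output directory: $outputdir"

echo "Insert the file extension or * for all:"
read -r c
if [ -z "$c" ]; then
  c="*"
fi

#########################
# Ask for a starting sector only when mmls can read a partition table;
# otherwise fall back to sector 0.
if ! mmls "$imm" >/dev/null 2>&1; then
  offs=0
  echo "If mmls can't determine the partition type"
  echo "I try the starting sector 0"
else
  mmls "$imm"
  echo "Insert the partition starting sector (eg. 63):"
  read -r offs
  [ -n "$offs" ] || die "no starting sector given"
fi

echo "Insert the file system type:"
fls -f list
read -r fs
[ -n "$fs" ] || die "no file system type given"

filelist=$outputdir/filelist.txt
report=$outputdir/filenames.htm

# Best effort: a damaged file system may still yield a partial listing, so an
# fls error is reported but does not stop the run.
fls -d -r -p -f "$fs" -o "$offs" "$imm" >"$filelist" ||
  printf 'fundl: warning: fls reported an error; the listing may be incomplete\n' >&2

htmhead="<html><head><title>File Names and Paths</title></head><body><center><a href='http://sfdumper.sourceforge.net/fundl.htm'>FUNDL 2.0</a> Report</center><br>File Names and Paths found:<br><br>"
htmend="</body></html>"
printf '%s\n' "$htmhead" >"$report"

failed=0
# Each listing line is expected to look like "r/r * INODE:<tab>dir/filename"
# (NOTE(review): format inferred from the original parsing; confirm against
# the installed fls). Lines are read whole, so spaces inside a name survive.
while IFS= read -r line || [ -n "$line" ]; do
  case $line in
    *:*) ;;
    *) continue ;;
  esac

  # Text before the first colon: type field, deleted marker "*", inode.
  meta=${line%%:*}
  # Only the "r/r" and "-/r" prefixes were handled by the original parsing;
  # other entries stay in filelist.txt but are not extracted.
  case $meta in
    'r/r'*'*'* | '-/r'*'*'*) ;;
    *) continue ;;
  esac

  # Inode: what follows the last "*" or blank. Any suffix fls appended to the
  # number is kept as is.
  inode=${meta##*[*[:space:]]}
  [ -n "$inode" ] || continue

  # Name: everything after the first colon, so colons inside the name are
  # kept; only the separating whitespace is dropped.
  name=${line#*:}
  name=${name#"${name%%[![:space:]]*}"}

  # Extension filter: "*" keeps everything, anything else must equal the text
  # after the last dot (case-sensitive).
  if [ "$c" != "*" ] && [ "${name##*.}" != "$c" ]; then
    continue
  fi

  # Store under <inode>_<basename>: only the last path component is used, so
  # a path from the image cannot place a file outside the output directory.
  fn=${inode}_${name##*/}
  if ! icat -f "$fs" -o "$offs" -r "$imm" "$inode" \
    >"$outputdir/$fn" 2>/dev/null </dev/null; then
    failed=$((failed + 1))
  fi

  # NOTE(review): the href is HTML-escaped but not URL-encoded, so names
  # containing characters such as "#" or "%" may not resolve when clicked.
  printf '%s\n' "<a href='$(html_escape "$fn")'>$(html_escape "$name")</a><br>" >>"$report"
done <"$filelist"

printf '%s\n' "$htmend" >>"$report"

if [ "$failed" -gt 0 ]; then
  printf 'fundl: warning: icat failed on %s entries; their files may be empty or partial\n' "$failed" >&2
fi

cd -- "$outputdir" || die "cannot enter output directory: $outputdir"
ls -ag
echo "File names are composed by i-node_filename but in the filenames.htm there are their original paths and names."
exit 0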