Forensic disk recovery

Suppose someone gave you a Sandisk Cruzer 8GB micro USB stick*, with their entire life's work stored on it. The stick could be directory-listed under Windows XP but not under Windows 7, and nothing could be copied off it or on to it.

What would you do ?

Well, here's what I did to recover the files.

First of all I tried all the normal Windows-based solutions:

Chkdsk
Recovery software: GetDataBack (which has served me well in the past)

No joy! Nothing! Nada! The USB stick just disconnects when you try anything.

So I turned to Unix for the answer. The USB stick could be mounted and read, but it crashed out when copying the files/directories from the device, saving only about 10% of the data. I'm assuming it's a hardware failure of the device.

This is when I turned to open source forensic software: Ubuntu Rescue Remix.

Here's how I used it:

I created a bootable image of the Ubuntu Rescue Disk on a different USB stick, following the instructions at Pendrivelinux.com.

Booted that, then used the following commands:

Create a 'hdd1' directory in the 'mnt' folder:
sudo mkdir /mnt/hdd1

Mount your machine's hard drive on the folder '/mnt/hdd1':
sudo mount /dev/sda1 /mnt/hdd1

Run the 'mount' command to see what the USB device you're trying to recover is called; in my case it's mounted as '/dev/sdc1':
sudo mount

Use that information to construct the following command: ddrescue, -r 3 to retry unreadable sectors up to 3 times, then the USB device, the name of the image to write, and the name of the log (map file) to write:
sudo ddrescue -r 3 /dev/sdc1 /mnt/hdd1/recovery-image /mnt/hdd1/recovery-log
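Before carving, it is worth knowing how much of the stick ddrescue actually managed to read. The following is an added Python example (not from the original post) that summarises the log/map file written by the command above, using the block-status characters of the GNU ddrescue mapfile format. The mapfile text embedded below is a constructed sample.

```python
"""Summarise a GNU ddrescue mapfile (the 'recovery-log' file the ddrescue
command above writes) to see how much of the stick was actually read.
Added example, not from the original post; the mapfile text is constructed."""

import sys

# Block status characters from the GNU ddrescue mapfile format
BLOCK_STATUS = {
    "?": "non-tried",
    "*": "non-trimmed",
    "/": "non-scraped",
    "-": "bad-sector",
    "+": "finished",
}

# Constructed sample: a 16 MiB device with two 64 KiB regions that never read.
SAMPLE_MAPFILE = """\
# Mapfile. Created by GNU ddrescue (constructed sample)
# Command line: ddrescue -r 3 /dev/sdc1 /mnt/hdd1/recovery-image /mnt/hdd1/recovery-log
# current_pos  current_status  current_pass
0x01000000     +               1
#      pos        size  status
0x00000000  0x00400000  +
0x00400000  0x00010000  -
0x00410000  0x00BE0000  +
0x00FF0000  0x00010000  -
"""


def parse_mapfile(text):
    """Return (current_pos, current_status, [(pos, size, status), ...])."""
    state = None
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if state is None:
            # The first data line is the state line: current_pos current_status [pass]
            state = (int(fields[0], 0), fields[1])
            continue
        pos, size, status = int(fields[0], 0), int(fields[1], 0), fields[2]
        if status not in BLOCK_STATUS:
            raise ValueError(f"unknown block status {status!r}: {raw}")
        blocks.append((pos, size, status))
    if state is None:
        raise ValueError("mapfile has no state line")
    return state[0], state[1], blocks


def summarise(blocks):
    """Bytes per status, the regions not fully recovered, and percent finished."""
    totals = {name: 0 for name in BLOCK_STATUS.values()}
    unreadable = []
    for pos, size, status in blocks:
        totals[BLOCK_STATUS[status]] += size
        if status != "+":
            unreadable.append((pos, pos + size, BLOCK_STATUS[status]))
    total = sum(totals.values())
    pct = 100.0 * totals["finished"] / total if total else 0.0
    return totals, unreadable, pct


def report(text):
    """Human-readable summary for the 'is it worth carving yet?' decision."""
    pos, status, blocks = parse_mapfile(text)
    totals, unreadable, pct = summarise(blocks)
    lines = [f"ddrescue status {status!r} at 0x{pos:08X}: {pct:.2f}% recovered"]
    for start, end, why in unreadable:
        lines.append(f"  0x{start:08X}-0x{end:08X} {why} ({end - start} bytes)")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass the real log as the first argument; with no argument the sample is used
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MAPFILE
    print(report(source))
```

Run it as `python3 ddrescue_summary.py /mnt/hdd1/recovery-log` (the script name is hypothetical) once ddrescue has finished, or while it is still running, since the mapfile is rewritten as it progresses; anything still listed as non-tried, non-trimmed or non-scraped is data another pass might yet recover.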

Create a new directory on your hard drive to store all the recovered files.
sudo mkdir /mnt/hdd1/recovery

Run 'foremost', forensic file-carving software created by the US Air Force; foremost, -i image name, -o output directory:
sudo foremost -i /mnt/hdd1/recovery-image -o /mnt/hdd1/recovery

This will extract (carve) files 'without filenames' to the output directory. A slight issue, but lucky to get anything back at all.

* Other USB sticks are available.
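To see why the recovered files come back without names, here is a minimal header/footer carver as an added Python example (not foremost's code and not from the original post). It scans the raw image for known file signatures and cuts out everything up to the matching trailer, never consulting the filesystem's directory entries, which is where the original filenames lived. The JPEG and PNG sample data and the "disk image" it scans are constructed, and the image includes a PNG whose tail was never read, the failure mode a dying stick produces.

```python
"""A minimal header/footer file carver, the technique foremost applies to
the recovered image. Added example, not foremost's code; the sample image
built below is constructed."""

import os
import struct
import zlib

# (header, footer) pairs for the two types carved here
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE_SIZE = 10 * 1024 * 1024  # stop looking for a footer beyond this window


def carve(image, max_size=MAX_FILE_SIZE):
    """Return [(offset, ext, data)] for every header with a footer in range."""
    found = []
    for ext, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header with no trailer in range (truncated file or false positive):
                # skip just this header and keep scanning.
                start = image.find(header, start + 1)
                continue
            end += len(footer)
            found.append((start, ext, image[start:end]))
            start = image.find(header, end)
    found.sort(key=lambda item: item[0])
    return found


def write_carved(found, out_dir):
    """Write each carved file as <byte offset>.<ext>; no original names exist."""
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for offset, ext, data in found:
        path = os.path.join(out_dir, f"{offset:08x}.{ext}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def _png_chunk(kind, payload):
    body = kind + payload
    return struct.pack(">I", len(payload)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)


def tiny_png():
    """A valid 1x1 red PNG, built in code so the sample needs no external file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one pixel
    return (SIGNATURES["png"][0] + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


# Constructed: a JFIF-looking fragment carrying the JPEG start and end markers
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x11" * 24 + b"\xff\xd9"


def sample_image():
    """Constructed 'disk image': zero fill, a JPEG, a PNG, then a PNG whose
    tail was never read (no IEND), like data lost on the failing stick."""
    truncated_png = SIGNATURES["png"][0] + b"\x00" * 16
    return (b"\x00" * 512 + JPEG_SAMPLE + b"\x00" * 512 + tiny_png()
            + b"\x00" * 512 + truncated_png + b"\x00" * 64)


if __name__ == "__main__":
    for offset, ext, data in carve(sample_image()):
        print(f"{offset:08x}.{ext}: {len(data)} bytes")
```

The truncated PNG at the end of the sample is silently dropped because no trailer is found within the window; a real carver like foremost works the same way, which is why unreadable sectors in the middle of a file cost you the whole file, not just the missing block.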

Sendmail did not send mail instantly but queued it

Testing sendmail by sending a message:

# mail test@host.com

The system didn't show any error but just queued the mail.

# mailq

showed that the message had been put into the queue, with the status:

"host map: lookup (domain): deferred"

# sendmail -q

forces the server to send the queued mail, which it did successfully. This means the DNS settings should be correct.

Check the sendmail configuration files:

/etc/mail/sendmail.cf

DeliveryMode is not "deferred":

O DeliveryMode=background

/etc/hosts

/etc/resolv.conf

/etc/nsswitch.conf

These files have the same settings as another server which can send mail instantly.

Try stopping and restarting sendmail:

#/etc/init.d/sendmail stop

#/etc/init.d/sendmail start

Problem solved.
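A way to catch this situation from a monitoring job, as an added Python example (not from the original post): it parses a sendmail 'mailq' listing, counts the queued messages by their deferral reason, and reads DeliveryMode out of sendmail.cf, so a host whose queue is growing with "deferred" entries gets flagged. The mailq output and the sendmail.cf lines embedded below are constructed samples, not taken from the server in the post.

```python
"""Spot a silently queueing sendmail from the outside: parse 'mailq'
output, count messages by deferral reason, and read DeliveryMode from
sendmail.cf. Added example; the mailq output and sendmail.cf fragment
are constructed samples."""

import re
from collections import Counter

# Constructed mailq output in the classic sendmail layout: a queue-ID line
# (ID, size, queue time, sender), an indented status line in parentheses,
# then indented recipient lines.
SAMPLE_MAILQ = """\
\t\t/var/spool/mqueue (2 requests)
-----Q-ID----- --Size-- -----Q-Time----- ------------Sender/Recipient-----------
n4E7qN5W001234       12 Thu May 14 07:52 root
                 (host map: lookup (domain): deferred)
                                         test@host.com
n4E7r01x001240       40 Thu May 14 07:55 root
                 (host map: lookup (domain): deferred)
                                         other@host.com
"""

# Constructed sendmail.cf fragment with the option the post checked
SAMPLE_CF = """\
O QueueDirectory=/var/spool/mqueue
O DeliveryMode=background
"""

QUEUE_ENTRY = re.compile(r"^(?P<qid>\S+)\s+(?P<size>\d+)\s+(?P<when>\w{3} \w{3} +\d+ \d\d:\d\d)\s+(?P<sender>\S+)")
STATUS_LINE = re.compile(r"^\s+\((?P<status>.*)\)\s*$")
DELIVERY_MODE = re.compile(r"^O\s+DeliveryMode\s*=\s*(\S+)", re.M)
MODE_NAMES = {"i": "interactive", "b": "background", "q": "queueonly", "d": "deferred"}


def parse_mailq(text):
    """Return one dict per queued message: qid, size, sender, status, recipients."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("\t", "-----")):
            continue
        m = QUEUE_ENTRY.match(line)
        if m:
            entries.append({"qid": m["qid"], "size": int(m["size"]), "sender": m["sender"],
                            "status": None, "recipients": []})
            continue
        if not entries:
            continue
        m = STATUS_LINE.match(line)
        if m:
            entries[-1]["status"] = m["status"]
        elif line.startswith(" "):
            entries[-1]["recipients"].append(line.strip())
    return entries


def delivery_mode(cf_text):
    """DeliveryMode from sendmail.cf; sendmail's default is background when unset."""
    m = DELIVERY_MODE.search(cf_text)
    if not m:
        return "background"
    value = m.group(1)
    return MODE_NAMES.get(value[0].lower(), value)


def diagnose(mailq_text, cf_text):
    """Summarise the queue and list findings worth alerting on."""
    entries = parse_mailq(mailq_text)
    mode = delivery_mode(cf_text)
    reasons = Counter(e["status"] or "(no status line)" for e in entries)
    findings = []
    if mode in ("deferred", "queueonly"):
        findings.append(f"DeliveryMode={mode}: sendmail queues instead of delivering at once")
    for reason, count in reasons.items():
        if "deferred" in reason:
            findings.append(f"{count} message(s) deferred: {reason}")
    return {"queued": len(entries), "mode": mode, "reasons": reasons, "findings": findings}


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_MAILQ, SAMPLE_CF).items():
        print(f"{key}: {value}")
```

In the post's case the configured mode was background and the queue still filled with "host map: lookup (domain): deferred", so the second finding fires and the first does not; that combination points at the running daemon rather than the configuration file, which is consistent with a restart fixing it.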

CHKCONFIG

A Unix command-line tool for maintaining the /etc/rc[0-6].d directory hierarchy, relieving system administrators of the task of directly manipulating the numerous symbolic links in those directories.

Usage:
chkconfig --add NAME
    Adds new symbolic links for NAME in /etc/rc[0-6].d.
chkconfig --del NAME
    Removes NAME from chkconfig management; any symbolic links in /etc/rc[0-6].d which pertain to it are removed.
chkconfig [--level LEVELS] NAME
    Specifies the run levels an operation should pertain to; levels are between 0 and 7. For example, --level 56 specifies levels 5 and 6.
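To show what those invocations do on disk, here is an added Python example (not chkconfig's own code) that reads the '# chkconfig: <levels> <start> <stop>' header of an init script and creates or removes the S<start>NAME and K<stop>NAME symlinks in rc0.d to rc6.d. It works against a temporary directory tree rather than /etc, and the init script it installs is a constructed sample.

```python
"""What 'chkconfig --add', '--del' and '--level' do on disk: read the
'# chkconfig: <levels> <start> <stop>' header of an init script and
maintain the S<start>NAME / K<stop>NAME symlinks in rc0.d..rc6.d.
Added example working in a temporary directory; not chkconfig's own code."""

import os
import re
import tempfile

HEADER = re.compile(r"^#\s*chkconfig:\s*(\S+)\s+(\d+)\s+(\d+)", re.M)

# Constructed sample init script: on in levels 2-5, start priority 80, stop 20
SAMPLE_SCRIPT = """#!/bin/sh
# chkconfig: 2345 80 20
# description: constructed sample service
echo "sample service: $1"
"""


def parse_header(script_text):
    """Return (set of 'on' levels, start priority, stop priority)."""
    m = HEADER.search(script_text)
    if not m:
        raise ValueError("init script has no '# chkconfig:' header")
    levels, start, stop = m.groups()
    on = set() if levels == "-" else {int(ch) for ch in levels}   # '-' means off everywhere
    return on, int(start), int(stop)


def rc_dir(root, level):
    return os.path.join(root, f"rc{level}.d")


def links_for(root, name):
    """Map level -> S/K link name present for NAME (what 'chkconfig --list' reports)."""
    found = {}
    for level in range(7):
        d = rc_dir(root, level)
        if not os.path.isdir(d):
            continue
        for entry in os.listdir(d):
            if entry[0] in "SK" and entry[1:3].isdigit() and entry[3:] == name:
                found[level] = entry
    return found


def _set_link(root, level, name, link):
    """Replace whatever S/K link NAME has in rc<level>.d with `link`."""
    d = rc_dir(root, level)
    os.makedirs(d, exist_ok=True)
    for entry in os.listdir(d):
        if entry[0] in "SK" and entry[1:3].isdigit() and entry[3:] == name:
            os.remove(os.path.join(d, entry))
    os.symlink(os.path.join(root, "init.d", name), os.path.join(d, link))


def chkconfig_add(root, name):
    """--add: create a link in every level from the script's own header."""
    with open(os.path.join(root, "init.d", name)) as fh:
        on, start, stop = parse_header(fh.read())
    for level in range(7):
        _set_link(root, level, name, f"S{start:02d}{name}" if level in on else f"K{stop:02d}{name}")


def chkconfig_level(root, name, levels, on):
    """--level LEVELS NAME on|off: flip only the listed levels, keeping priorities."""
    with open(os.path.join(root, "init.d", name)) as fh:
        _, start, stop = parse_header(fh.read())
    for level in levels:
        _set_link(root, level, name, f"S{start:02d}{name}" if on else f"K{stop:02d}{name}")


def chkconfig_del(root, name):
    """--del: remove every link for NAME."""
    for level, entry in links_for(root, name).items():
        os.remove(os.path.join(rc_dir(root, level), entry))


def demo():
    """Run the three operations against a throwaway tree; returns the link maps."""
    root = tempfile.mkdtemp(prefix="chkconfig-demo-")
    os.makedirs(os.path.join(root, "init.d"))
    with open(os.path.join(root, "init.d", "sampled"), "w") as fh:
        fh.write(SAMPLE_SCRIPT)
    chkconfig_add(root, "sampled")
    after_add = links_for(root, "sampled")
    chkconfig_level(root, "sampled", [5, 6], on=False)     # chkconfig --level 56 sampled off
    after_off = links_for(root, "sampled")
    chkconfig_del(root, "sampled")
    after_del = links_for(root, "sampled")
    return after_add, after_off, after_del


if __name__ == "__main__":
    for stage, links in zip(("add", "level 56 off", "del"), demo()):
        print(stage, links)
```

The link names carry the ordering: rc runs the K links first and the S links second, each sorted by the two-digit priority, so a service's start and stop positions are fixed by its header rather than by whoever last edited the directory by hand.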

cron time-based job scheduler

Task: How to get a Perl cgi-bin script to run daily, without the intervention of an administrator or the web page ever being visited.

Solution: use the system's cron command.
I knew of cron's existence but didn't realise how useful it was. Below is how I managed to get cron to do the job for me.

Unix commands used:

crontab -e (edit your crontab using vi)
crontab -l (list your current crontab entries)

The lines I added to my crontab:

# Location of GET
GET='/opt/lampp/bin/GET'

# Location of the script file to be run
VLEPROCESS='http://abc.123.com/cgi-bin/happiness/ProcessFiles.pl'

# The crontab line: 59 = minutes past the hour, 6 = the hour (6 am), * = any value, $GET = where the GET command lives, ${VLEPROCESS} = whereabouts of the script to be run.
59 6 * * * $GET ${VLEPROCESS}

So at 6:59 each morning, Monday to Sunday, the script 'ProcessFiles.pl' gets run.
Happy days, one less thing to remember each morning.

Further cron field options for dates and times:
.---------------- minute (0 - 59)
|  .------------- hour (0 - 23)
|  |  .---------- day of month (1 - 31)
|  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
|  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
|  |  |  |  |
*  *  *  *  *  command to be executed
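To check an entry like the one above before trusting it to run unattended, here is an added Python example (not cron's code and not from the original post) that evaluates the five time fields in the diagram: '*', lists, ranges, '/step', month and weekday names, Sunday written as 0 or 7, and the Vixie cron rule that when both day-of-month and day-of-week are restricted the job runs when either one matches. It goes slightly beyond the post's single entry by handling those general field forms; the treatment of 'N/step' as just N follows Vixie cron and is an assumption about other cron implementations.

```python
"""Evaluate 5-field crontab time specs as described in the diagram above.
Added example; neither cron's code nor from the original post."""

from datetime import datetime, timedelta

MONTH_NAMES = {n: i for i, n in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}
DAY_NAMES = {n: i for i, n in enumerate("sun mon tue wed thu fri sat".split())}
# (low, high, names) for minute, hour, day-of-month, month, day-of-week
FIELD_SPECS = [(0, 59, {}), (0, 23, {}), (1, 31, {}), (1, 12, MONTH_NAMES), (0, 7, DAY_NAMES)]


def _atom(text, lo, hi, names):
    """One number or name, range-checked."""
    value = names.get(text.lower())
    if value is None:
        value = int(text)
    if not lo <= value <= hi:
        raise ValueError(f"{text!r} is outside {lo}-{hi}")
    return value


def parse_field(text, lo, hi, names):
    """Expand one field ('59', '*/15', '1-5', 'mon,wed', '9-17/2') to a set of ints."""
    values = set()
    for part in text.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
            if step < 1:
                raise ValueError(f"bad step in {text!r}")
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = _atom(a, lo, hi, names), _atom(b, lo, hi, names)
        else:
            start = end = _atom(part, lo, hi, names)   # Vixie cron: 'N/step' is just N
        values.update(range(start, end + 1, step))
    return values


def compile_spec(spec):
    """Parse the five time fields; returns the sets plus the two 'restricted' flags."""
    fields = spec.split()
    if len(fields) != 5:
        raise ValueError("expected exactly 5 time fields")
    sets = [parse_field(f, lo, hi, names) for f, (lo, hi, names) in zip(fields, FIELD_SPECS)]
    if 7 in sets[4]:                      # Sunday may be written as 0 or 7
        sets[4] = (sets[4] - {7}) | {0}
    # As in Vixie cron, a field counts as restricted unless it starts with '*'
    return sets, not fields[2].startswith("*"), not fields[4].startswith("*")


def matches(compiled, when):
    """True if the compiled spec fires in the minute `when` falls in."""
    (minute, hour, dom, month, dow), dom_restricted, dow_restricted = compiled
    if when.minute not in minute or when.hour not in hour or when.month not in month:
        return False
    dom_ok = when.day in dom
    dow_ok = (when.weekday() + 1) % 7 in dow     # datetime Mon=0 -> cron Sun=0
    if dom_restricted and dow_restricted:
        return dom_ok or dow_ok                  # both given: either one is enough
    return dom_ok and dow_ok


def next_run(spec, after, limit_days=366):
    """First minute after `after` at which the spec fires, or None within limit_days."""
    compiled = compile_spec(spec)
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    end = t + timedelta(days=limit_days)
    while t < end:
        if matches(compiled, t):
            return t
        t += timedelta(minutes=1)
    return None


def fires(spec, iso_minute):
    """Convenience: does `spec` fire at 'YYYY-MM-DD HH:MM'?"""
    return matches(compile_spec(spec), datetime.strptime(iso_minute, "%Y-%m-%d %H:%M"))


def next_run_iso(spec, iso_minute, limit_days=366):
    """next_run() with string input and output, for quick command-line checks."""
    t = next_run(spec, datetime.strptime(iso_minute, "%Y-%m-%d %H:%M"), limit_days)
    return t.strftime("%Y-%m-%d %H:%M") if t else None


if __name__ == "__main__":
    # The post's own entry: 06:59 every day of the week
    print(next_run_iso("59 6 * * *", "2023-05-01 07:00"))
```

The day-of-month/day-of-week rule is the one that surprises people most: '0 0 1 * 7' runs on the first of every month and on every Sunday, not only on Sundays that fall on the first.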
