# Disk Forensics

Disk forensics covers cases where you need to investigate files that were deleted from a system.

## Mounted Devices

* The devices mounted on the system can be identified with the following commands:

```bash
df -h
mount
```

## Quick Wins

* Every block device attached to a **UNIX** system exposes its raw contents as binary, so anything connected can be read with `cat` and searched with `grep`
* Once the mounted device is identified we can `cat` / `grep` the device block directly

```bash
# Raw dump of the device (binary; reading /dev/sdb requires root)
sudo cat /dev/sdb
# Hex dump, hiding lines that are entirely zeroed (0x00) or erased flash (0xff)
sudo xxd /dev/sdb | grep -Ev '(0000 ){7}0000|(ffff ){7}ffff'
```

## Forensic Way

* With `dcfldd`, take a raw image of the device instead of working on the live block device:

```bash
# Image the whole block device to a file (run as root)
dcfldd if=/dev/sdb of=/tmp/file.dd
```

Example session:

```bash
root@raspberrypi:/home/pi# dcfldd if=/dev/sdb of=/tmp/test
256 blocks (8Mb) written.
320+0 records in
320+0 records out
root@raspberrypi:/home/pi# ls -lash /tmp/test
10M -rw-r--r-- 1 root root 10M Mar 13 10:34 /tmp/test
```

* Once this image is transferred to the attacker machine, utilities such as `testdisk` or `photorec` can be run against the dd file to investigate it and recover deleted files
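As an added example (not part of the original notes), a minimal Python file carver that does over a dd image what `photorec` does in principle: it counts the blocks that are entirely 0x00 or 0xff (the lines the `xxd | grep -v` filter above hides), finds files by header and footer magic bytes, and hashes the image so findings can be tied to the acquired copy. The sample image, the small signature table and the 512-byte block size are constructed for the demo.

```python
import hashlib

BLOCK = 512              # sector size assumed for the constructed image
MAX_FILE = 64 * 1024     # do not look for a footer further than this from a header

# Header / footer magic bytes for a few common formats (deliberately small table).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def image_sha256(image: bytes) -> str:
    """Hash the image so later analysis can be tied to the acquired evidence."""
    return hashlib.sha256(image).hexdigest()

def empty_blocks(image: bytes, block: int = BLOCK) -> int:
    """Count blocks that are all 0x00 or all 0xff (unused or erased flash)."""
    blanks = (b"\x00" * block, b"\xff" * block)
    return sum(1 for i in range(0, len(image), block) if image[i:i + block] in blanks)

def carve(image: bytes):
    """Return (kind, offset, data) for every header with a footer within MAX_FILE."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head), pos + MAX_FILE)
            if end != -1:                       # header without a nearby footer is skipped
                end += len(tail)
                found.append((kind, pos, image[pos:end]))
            pos = image.find(head, pos + 1)
    return sorted(found, key=lambda f: f[1])

def build_sample_image() -> bytes:
    """Constructed 10-block image: a PNG and a PDF among zeroed and erased blocks."""
    png = SIGNATURES["png"][0] + b"\x00\x00\x00\x0dIHDR" + SIGNATURES["png"][1]
    pdf = SIGNATURES["pdf"][0] + b"1.4\n1 0 obj\n" + SIGNATURES["pdf"][1]
    img = bytearray(b"\x00" * BLOCK * 4 + b"\xff" * BLOCK * 2 + b"\x00" * BLOCK * 4)
    img[BLOCK + 17:BLOCK + 17 + len(png)] = png     # deleted-file fragment mid-block
    img[BLOCK * 7:BLOCK * 7 + len(pdf)] = pdf
    return bytes(img)

if __name__ == "__main__":
    disk = build_sample_image()
    print("sha256:", image_sha256(disk))
    print("empty blocks:", empty_blocks(disk), "of", len(disk) // BLOCK)
    for kind, off, data in carve(disk):
        print(f"{kind} at offset {off:#x}, {len(data)} bytes")
```

Point `build_sample_image` at `open("/tmp/file.dd", "rb").read()` instead to run the same carving over a real dcfldd image.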
