dears, I’ve been thinking about deep layer forensics searching into files, process, memory, and network packets. sha and md5 tags help with integrity, and locating specific codes is relatively simple in terms of comparison. I would like to know if there is something specific to find deleted patterns using shred.
maybe I can’t recover a file, but I would like to identify in which part of the storage it was deleted and allocated.
perhaps the identification of storage patterns can provide information on what type of volume and quantity was erased.
I think about s.m.a.r.t smartctl , but don’t find bad blocks , find shred blocks …
I suspect this would mostly boil down to inspecting a full disk image and looking for blocks with entropy consistent with that used by the shredding tool, which could indicate shredded files, but could also just be high entropy content like compressed files.
If you’re looking to do this, I guess I’d start by using
binwalk’s entropy analysis features.
@brian man , I really like your answers .
binwalk uses libmagic, “magic numbers” is the term used to designate the constants of a type of file, thus defining the signatures of these files and thus creating a standard for the identification of these files.
This signature is located at the beginning of the file’s information block.
every file will start with this data in hexadecinal patterns , maybe works with found the same final 0 patterns .
with data something deeper than that can be created.
binwalk has an entropy analysis feature that can be used to fine the “edges” of sections of varying entropy. Using this, one might be able to find contiguous regions of shredded data from a disc image. (Note I have no experience doing this, I’m just aware that it’s a feature and could possibly be used for this scenario).
Failing that, it might also be possible to just reuse the entropy analysis bits of binwalk in your own tool binwalk/entropy.py at master · ReFirmLabs/binwalk · GitHub