Write a computer forensic application program in Java/Python/C++ for Recovering Deleted Files and Deleted Partitions.



Recovery.py



#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Lists the contents of each user's Recycle Bin folder on a Windows host and maps
# the SID-named subfolders back to user names through the ProfileList registry key.
# (Ported from Python 2: _winreg is winreg in Python 3 and print is a function.)
# The per-SID folders are ACL-protected, so run this with administrative rights.

import os
from winreg import OpenKey, QueryValueEx, HKEY_LOCAL_MACHINE


def sid2user(sid):
    """Resolve a SID to a user name via ProfileImagePath; fall back to the SID itself."""
    try:
        key = OpenKey(HKEY_LOCAL_MACHINE,
                      r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
                      + '\\' + sid)
        value, _type = QueryValueEx(key, 'ProfileImagePath')
        return value.split('\\')[-1]
    except OSError:
        # Key missing (e.g. a SID with no profile) or access denied
        return sid


def returnDir():
    """Return the first Recycle Bin root that exists; the name depends on the Windows version."""
    dirs = ['C:\\Recycler\\', 'C:\\Recycled\\', 'C:\\$Recycle.Bin\\']
    for recycleDir in dirs:
        if os.path.isdir(recycleDir):
            return recycleDir
    return None


def findRecycled(recycleDir):
    """Print the files found under each per-SID subfolder of the Recycle Bin."""
    for sid in os.listdir(recycleDir):
        sidDir = os.path.join(recycleDir, sid)
        if not os.path.isdir(sidDir):
            # Skip plain files at the top level, such as desktop.ini
            continue
        user = sid2user(sid)
        print('\n[*] Listing Files For User: ' + str(user))
        for name in os.listdir(sidDir):
            print('[+] Found File: ' + str(name))


def main():
    recycledDir = returnDir()
    if recycledDir is None:
        print('[-] No Recycle Bin directory found')
        return
    findRecycled(recycledDir)


if __name__ == '__main__':
    main()
***********Output***********************
[*] Listing Files For User: Admin
[+] Found File: desktop.ini
[+] Found File: INFO2
[*] Listing Files For User: Student
[+] Found File: desktop.ini
[+] Found File: INFO2

root@ZenoN:/home/backtrak/coding/justPl/recoverData# ls
recovery.cpp
root@ZenoN:/home/backtrak/coding/justPl/recoverData# g++ recovery.cpp
root@ZenoN:/home/backtrak/coding/justPl/recoverData# ./a.out
************* FILE RECOVERY PROGRAM ****************
SOFTWARE WORKS ONLY IF WORKING AS ROOT.
IF NOT STOP THE SOFTWARE & RUN AGAIN AFTER ROOT LOGIN
DO YOU WISH TO CONTINUE... (y/n) : y
************* LISTING ALL MOUNTED DEVICES ***********
NAME  MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
sda   8:0  0 596.2G 0 disk
├─sda1  8:1  0 592.2G 0 part /
├─sda2  8:2  0   1K 0 part
└─sda5  8:5  0   4G 0 part [SWAP]
sdb   8:16  1  3.7G 0 disk
└─sdb4  8:20  1  3.7G 0 part /media/backtrak/SAM
sr0   11:0  1 1024M 0 rom
Find your device/partition to be recovered
Enter your mount point (eg sda* or sdb* where * represents some number) : sdb4
Enter the device/partition name from the table in MOUNT COLUMN the last entry (eg /media/username/devname):SAM
umount /dev/sdb4
This might take around 5-10 min .
Please be patient
7821249+0 records in
7821249+0 records out
4004479488 bytes (4.0 GB) copied, 228.641 s, 17.5 MB/s
r/r 3:     SAM     (Volume Label Entry)
r/r 5:     client.py
r/r * 7:     server.py
v/v 124877843:     $MBR
v/v 124877844:     $FAT1
v/v 124877845:     $FAT2
d/d 124877846:     $OrphanFiles
Check Your deleted file name & enter the int number after * (eg * 8) : 7
Check Your deleted file name & enter the file extension without '.' (eg .txt or .jpg or .pdf) : py
***** FILE RECOVERED ******
check the file in the directory where software present
root@ZenoN:/home/backtrak/coding/justPl/recoverData#
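The session above images the unmounted partition with dd, lists its entries with the Sleuth Kit's fls (a `*` marks a deleted entry) and extracts the chosen inode with icat. The following Python 3 helper is an added example, not the page's recovery.cpp: it parses the fls listing shown, keeps only the deleted regular files, verifies dd's record summary before the image is trusted, and builds the icat command. The sample listing, the 512-byte block size and the tab layout of fls output are assumptions.

```python
"""Helpers for the dd -> fls -> icat recovery flow shown in the session."""
import re

# fls prints "<type> [*] <inode>:<tab><name>"; a '*' flags a deleted entry.
FLS_LINE = re.compile(r"^(?P<ftype>\S+/\S+)\s+(?P<dele>\*\s+)?(?P<inode>\d+):\s+(?P<name>.*\S)")
DD_LINE = re.compile(r"^(?P<full>\d+)\+(?P<partial>\d+) records (?P<dir>in|out)$")

# Constructed sample input: the fls listing and dd summary from the session above.
SAMPLE_FLS = """\
r/r 3:\tSAM\t(Volume Label Entry)
r/r 5:\tclient.py
r/r * 7:\tserver.py
v/v 124877843:\t$MBR
v/v 124877844:\t$FAT1
v/v 124877845:\t$FAT2
d/d 124877846:\t$OrphanFiles
"""
SAMPLE_DD = "7821249+0 records in\n7821249+0 records out\n"


def parse_fls(text):
    """Return (ftype, inode, name, deleted) for every fls line in text."""
    entries = []
    for line in text.splitlines():
        m = FLS_LINE.match(line.strip())
        if m:
            entries.append((m["ftype"], int(m["inode"]), m["name"], m["dele"] is not None))
    return entries


def deleted_files(entries):
    """Keep only deleted regular files; $MBR/$FAT1/$FAT2/$OrphanFiles are virtual entries."""
    return [e for e in entries if e[3] and e[0] == "r/r"]


def dd_bytes(summary, block_size=512):
    """Bytes dd wrote, from its 'records out' line. A non-zero partial count
    ('+1') means a short read, so the image may be truncated: refuse it."""
    for line in summary.splitlines():
        m = DD_LINE.match(line.strip())
        if m and m["dir"] == "out":
            if int(m["partial"]):
                raise ValueError("dd reported a partial record; image may be truncated")
            return int(m["full"]) * block_size
    raise ValueError("no 'records out' line in dd summary")


def icat_command(image, inode):
    """icat -r recovers a deleted entry's content by inode; it reads the image file, never the live device."""
    return ["icat", "-r", image, str(inode)]
```

Run the command returned by `icat_command` with its stdout redirected to a file; 7821249 full records of 512 bytes is exactly the 4004479488 bytes dd reports, which is the check `dd_bytes` performs.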
