Find files in unallocated space between partitions of an example image

I got an exercise in university to find a hidden file in an example image. My professor said it is located in the second unallocated space between the partitions in this example image. We should use tools like The Sleuth Kit (TSK) to find a jpg file.

With mmls, I checked the structure of the image and I'm able to extract the partitions, but not to find the hidden file.

I tried to extract the unallocated space like a normal partition with

$ dd if=workindcopy-usb.dd of=test.dd bs=512 skip=104448 count=145407

and inspect the resulting "image" with fsstat, fls and Autopsy. In my logic there is no chance to get a file from unallocated space without a file system in which the (deleted) file was registered.

Do you know a way to find the file?

There are 2 answers

0
Brian Carrier On BEST ANSWER

If the image is not stored in a file system (i.e. it was randomly placed in unallocated space), you'll need to use a carving tool (PhotoRec, scalpel, etc.) on the test.dd image you created.

Autopsy will carve unallocated space (using the PhotoRec module), so you can get it that way too.

0
krupper On

Thank you for the fast response!

To recover the hidden file you can use Scalpel from The Sleuth Kit:

$ scalpel workingcopy-usb.dd -o output

-o output is a parameter that specifies the folder the recovered files should be put in.

Before it works, you need to specify what kind of files you want to recover. The config file is located here: `/etc/scalpel/scalpel.conf`
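What a carving tool does with a region that has no file system, as an added example that is not part of the original answers or of any tool named in them: it scans the raw bytes for a JPEG header and the matching footer. The sector numbers, the sample image and all function names are constructed for illustration.

```python
import io

SECTOR = 512
JPEG_HEADER = b"\xff\xd8\xff"   # SOI marker plus first byte of the next marker
JPEG_FOOTER = b"\xff\xd9"       # EOI marker


def read_region(image, start_sector, sector_count, sector_size=SECTOR):
    """Read a sector range (start/length as listed by mmls) from a raw image."""
    image.seek(start_sector * sector_size)
    return image.read(sector_count * sector_size)


def carve_jpegs(region, max_size=10 * 1024 * 1024):
    """Return (offset, data) for each header..footer span found in region."""
    found = []
    pos = region.find(JPEG_HEADER)
    while pos != -1:
        end = region.find(JPEG_FOOTER, pos + len(JPEG_HEADER), pos + max_size)
        if end == -1:
            # Header with no footer within max_size: treat as a false hit.
            pos = region.find(JPEG_HEADER, pos + 1)
            continue
        end += len(JPEG_FOOTER)
        found.append((pos, region[pos:end]))
        pos = region.find(JPEG_HEADER, end)
    return found


def build_sample_image():
    """Constructed image: 8 empty sectors, a 4-sector gap, 8 empty sectors."""
    fake_jpeg = (JPEG_HEADER + b"\xe0\x00\x10JFIF\x00"
                 + b"constructed-payload" + JPEG_FOOTER)
    gap = bytearray(4 * SECTOR)
    gap[700:700 + len(fake_jpeg)] = fake_jpeg   # not sector-aligned on purpose
    return bytes(8 * SECTOR) + bytes(gap) + bytes(8 * SECTOR), fake_jpeg


def demo():
    raw, fake_jpeg = build_sample_image()
    region = read_region(io.BytesIO(raw), start_sector=8, sector_count=4)
    return carve_jpegs(region), fake_jpeg


if __name__ == "__main__":
    hits, _ = demo()
    for offset, data in hits:
        print(f"JPEG candidate at region offset {offset}, {len(data)} bytes")
```

Stopping at the first footer truncates JPEGs that embed a thumbnail with its own end marker, so check each carved candidate in an image viewer.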