martes, 13 de abril de 2010

Recovering files from a pendrive with scalpel

I have no idea how it happened but I had to give today a housework in the university and it wasn't in the pendrive. At the moment I have recovered 1 of 2 files with scalpel (I just love the name of foresnic tools :D).

From the website:

Scalpel is a fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw partitions. It is useful for both digital forensics investigation and file recovery. Scalpel resulted from a complete rewrite of foremost 0.69, a popular open source file carver, to enhance performance and decrease memory usage.


Steps:
Create an iso image from your pendrive:
sudo dd if=/dev/sdc of=pendrive.iso
Have a look to the example configuration file (required) or copy it to $PWD:
cp /etc/scalpel/scalpel.conf .
As I had to recover a C file I added to the end of the config file this line:
echo "c     y       11000     /**" >> scalpel.conf
Which means "find files with 'c' extension, but not 'C' (case sensitive) and read 11000 bytes from the header.
I played with a bit of advantage as I knew for sure the file started with comments as the professor gave us a skeleton file. The length field is not so important but I knew that I had not written 10K of code.

Run scalpel:
scalpel -c scalpel.conf -o recovered pendrive.iso

After that, in the recovered folder I had a log file named "audit.txt" and a folder named "c-0-0". Inside the folder there were a lot of ".c" files, all with length 11000 and that started with "/**" and manually I have found the one that I searched and removed the trailing 11000-true_bytes bytes.


Appart from this manual usage I did, it has preconfigured headers for a lot of filetypes like jpg, avi, doc, pdf, pgp, zip... so that you only need to uncomment the line in scalpel.conf of the files that you are searching.

My pendrive was formatted with FAT32 but it's filesystem-independent.

Kudos to Scalpel!

lunes, 12 de abril de 2010

rtl8187se, realtek and ndiswrapper

My new netbook uses the rtl8187se wireless driver and this is another post complaining about Realtek support to linux users.


It would be a nice piece of news that it works out-of-the-box if the driver wasn't so unstable in WPA protected networks. I suffer from drops in throughput every 5-10 minutes, sometimes even less, that make the connection unusable.

In this ubuntu bugreport there are also users that claims that they have the same issue (2 years ago).

Unfortunately, I lost all my hopes with Realtek in things related to fixing drivers. My experience (in this post) is that I wrote them 5 months ago about the sound driver issue in my HP Pavilion Tx2000 and they haven't even replied a "Thanks for the report. We will have a look at this issue". It's also worth to mention the shoddy piece of work that they did with the rt3070 driver (see this other post).

At the moment, I'm using ndiswrapper with the winXP drivers. It works like a charm and I recommend it to everyone having this issue.
ftp://WebUser:Ds8MtJ3@202.134.71.22/cn/wlan/8187SE_WindowsDriver_5_6.9109.1029.2009.zip

I also discovered that there's a pyGTK GUI for ndiswrapper very suitable for your granma who wants to connect to her WPA wireless at home, but she can't do it out-of-the-box because Realtek didn't care about providing a decent driver. It's called ndisgtk and looks like this:


domingo, 11 de abril de 2010

Email to Realtek about issues in their sound driver

This is the email I sent to Realtek related email addresses on 3/December/2009.
I sent it to: kailang@realtek.com.tw, shou@realtek.com.tw, and from their Contact section in their webpage.
I hope that posting it here in public, they feel a bit more ashamed.
I haven't received a minimal answer 5 months later. I wonder how important are users for them once that they have bought their product. Do they care a minimum?

sábado, 10 de abril de 2010

Fill in the blank

What's the missing number in this sequence?
12, 13, 14, 15, 16, 17, 18, 20, 22, 24, 30, 33, 102, ? , 10010