Recover deleted files using SleuthKit

It happens to us all sooner or later.  You find you have deleted a file off your system, and you realize you are without a backup of the file.  There are many methods, such as SleuthKit out there that can recover a file that has been erased from the recycle bin.  In reality the file is still there, the pointers that make the file visible have just been removed and the sectors on the hard drive have been marked as available.  In time these sectors will be overwritten with new data, at which time the file can not be restored.

Our lab scenario

So before doing anything further you want to attempt to recover your file before any data can be written to your disk.  A safe way is to make an image of the drive and then work off this.  This method is based off a USB stick and how to recover a deleted file off said media.  The usb stick is being used on a Mac Pro laptop, running the latest version of Mac OS.  Sleuth Kit is installed on my RHEL Server.  To install sleuthkit just run yum install sleuthkit from the command line.

Creating the disk image

The first step in our scenario is to create the disk image.

  • Open Terminal on the MacBook Pro
  • Run the command diskutil list – this will show all devices on the system, you are looking for the USB stick.

Diskutil list command

Our device is /dev/disk2.  We need to unmount it before creating the image.  To do so, run the command diskutil unmountDisk /dev/disk2

diskutil unmountDisk /dev/disk2

Creating the Disk Image

If all goes to plan, you will see a message stating the disk was unmounted successfully.  You then can make a raw image of the entire USB media with the command sudo dd if=/dev/disk2 of=usbimage.img.dd bs=512.  For those unfamiliar with the dd, if stands for input file, which is the device you just unmounted.  This may be different for you, so use the device name that you found in the previous steps for your system.  of stands for output file.  This is whatever name you want to call it.  Just name it something that lets you know what the image is.  bs stands for block size, which I used 512 as a standard size for this task.

sudo dd if=/dev/disk2 of=usbimage.img.dd bs=512

It will ask for your password, and you must have sudo rights for it to work.  If you are logged in as root you do not need the sudo portion of the command.  It will take some time to make the image, and will give you no indication that anything is happening.  Just be patient.  If the USB stick is 4 GB in size it needs to make a 4 GB file, therefore make sure you have enough space to accommodate the full image, otherwise it will fail once you run out of disk space.

Successful creation of the image.

Starting on the Forensic activities

When the image is finished you will see a response saying how many records in and out, and how many bytes were transferred as well as the transfer speed.  I then needed to transfer my image to my RHEL server where I was going to perform my forensic activities on the image.  This is done with the scp (secure copy) command.  Using the command scp usbimage.img.dd root@ copies the image file you just created to your destination system.  root@ is the username I wish to use to connect to the remote system followed by its IP address.  The following :/ tells it where on the remote system I wish to place the file.  For simplicity sake I was just dropping it in the root volume of the server.

Using SCP to copy image to remote server.

Moving the image

Once I had finished moving the image to the server I then moved the file to a new location off the root called /images.  I then started to look at what I had, using the img_stat command against the image I was able to see that it is indeed a raw image, and the size of the image file.

img_stat usbimage.img.dd

Seeing available partitions

Then I used the mmls command on the image to see what file systems were in the image.  There are three in total, with the 02 being the partition I am interested in.  It shows the starting sector of 8064, and that it is a Win95 FAT32 partition table.

looking at the file systems using mmls in SleuthKit

We can now start to dig further into the partition to see what we have to work with.  The command fsstat -o 8064 usbimage.img.dd, the 8064 is telling it where the starting sector is.  This gives you the statistic of the partition that can be helpful in further analysis.

Looking at the statistics of the image with the fsstat command.

Viewing the file system

The fls -o 8064 usbimage.img.dd lets you view the file structure of the portion and see what files are there.  It will also show you files that have been deleted as well.  d/d lets you know it is a directory, r/r is a file, and the numbers after them are their inodes.

Looking into the file system with the fls command.

Finding the file you wish to recover

The file I wanted was an image I deleted before the lab started.  Looking at the statistics of the image file using the command istat usbimage.img.dd 11, with 11 being the files inode.

Looking at the statistics of the file we want to restore.

Recovery of the deleted file using SleuthKit

We can now attempt to recover the deleted file.  Using the command icat -o 8064 -r usbimage.img.dd 11 > image.jpg.  8064 again is the starting sector, the -r is the recovery flag, then you have the image name in question, followed by the inode of the file, the > is a redirection in linux  that redirects the output the the file name of your choice, which in my case was just image.jpg.

Upon completion you can verify the file is in place by issuing the ls command.

Recovering the file in question with the -r option.

Finally I want my file back on my MacBook Pro, so issuing the scp command from the Mac to copy the image.jpg file from the server, back to my Desktop.

Using SCP to copy the restored image back to the workstation.

There are many programs out there that would do this process quicker, and maybe even easier, however I thought it was fun to try it out this way, and it doesn’t cost anything to use this like other programs would.  SleuthKit also has many other features that can be used for Computer Forensics that you may find helpful one day.


This was just a fun test lab to try out a feature using SleuthKit, feel free to try it out yourself using this instructions as a guide.  I would play around it first in a lab environment before trying this out with anything important.  However if you always work off a disk image then your original data will always be left intact and even if a mistake were to be made you could just start over again.  I hope you enjoyed this article, if you have any comments or suggestions please feel free to share them with me in the comments section.  For more information visit the forensic tool site.


Ivan Windon – RHCSA


Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.