Help on Recovering deleted files in Mirai

i used grep and saw that there was a file in the usbstick…

but how am i gonna read that file…??

The clue that helped me was that I should remember everything is a file on linux. :wink:

@punish3r said:
i used grep and saw that there was a file in the usbstick…
but how am i gonna read that file…??

Think about what you can do with strings and grep

I tried everything i can get in my mind… still unable to read the file…

@punish3r said:
I tried everything i can get in my mind… still unable to read the file…

This one took me a while because i wasn’t familiar with linux set up. Take some time to research about commands on how to see partitions/disks and figure out how linux actually handles files. Like blkappy said, everything is a file on linux. Can PM if needed.

Actually you don’t have to recover them exactly, like with a forensic technique, you have to read them somehow. Also take in mind what @blkappy said.

I have been through this different ways but with the result, incorrect hash. I can grep and output to a file the contents of something but the hash inside is no good. I can use the larger kitty command to display the same contents of the drive but again, the hash is no good. Any other nudges would be great.

You will have to research how to recover deleted files … and take a close look

@Kr0n1kK1ll3r said:
I have been through this different ways but with the result, incorrect hash. I can grep and output to a file the contents of something but the hash inside is no good. I can use the larger kitty command to display the same contents of the drive but again, the hash is no good. Any other nudges would be great.

you’re missing a character, make sure you copied the whole string you suspect is the 32 character hash

just a simple basic linux command for viewing file. “everything is a file in linux”

@gpd said:

@Kr0n1kK1ll3r said:
I have been through this different ways but with the result, incorrect hash. I can grep and output to a file the contents of something but the hash inside is no good. I can use the larger kitty command to display the same contents of the drive but again, the hash is no good. Any other nudges would be great.

you’re missing a character, make sure you copied the whole string you suspect is the 32 character hash

You’re right. What I am copying is only 31 chars. Just need to find the 32nd char lol. It prints out all the files on that drive it just doesn’t look too pretty.

As soon as I copied a portion of the output into another window the first char appeared. All good now.

i have a 32 character hash but when i try to crack it say unknown hash…