-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
0 parents
commit d52dd08
Showing
2 changed files
with
188 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,75 @@ | ||
| === SUMMARY === | ||
|
|
||
| Scalpel was/is a useful data carving tool both for purposes of digital forensics | ||
| and helping regular folks recover accidentally deleted data. While it supports a | ||
| lot of data types/formats it doesn't yet support any kinds of deleted private | ||
| key data. If you accidentally deleted a private key file maybe we can help. | ||
|
|
||
| === VERSION === | ||
|
|
||
| 1.0.0 | ||
|
|
||
| === USAGE === | ||
|
|
||
| The kind of data Scalpel can carve out is controlled/limited by whatever | ||
| configuration file is passed to it via the -c command line option. All that | ||
| scalpel_for_private_keys really does is provide a ready made configuration file | ||
| you can use out of the box instead of worrying about writing correct rules by | ||
| hand when you're already stressed out from having deleted your private key file | ||
| and have trouble thinking straight. Usage looks approximately like: | ||
|
|
||
| scalpel -c scalpel_for_private_keys.conf <path_to_raw_device_file_or_disk_image> | ||
|
|
||
| If the deleted key is large you may want to adjust the maximum carve out size in | ||
| the third column of uncommented config lines. | ||
|
|
||
| === IMPORTANT NOTE FOR THE MORE TECHNICAL USERS WHO CAN ACT ON IT === | ||
|
|
||
| If the deleted key is on a Solid State Drive and the drive supports the TRIM | ||
| command pray it hasn't run since the deletion. If continuous TRIM is enabled | ||
| you are likely screwed. If periodic TRIM is enabled disable it immediately | ||
| before it has a chance to run again. Keep TRIM disabled until after a rigorous, | ||
| systematic, and hopefully successful recovery attempt has been made. | ||
|
|
||
| === LICENSE === | ||
|
|
||
| This is a Freedom Respecting Technology based on the apparently radical belief | ||
| that Open Source and Open Knowledge should be for everyone and not just well off | ||
| people with reliable Internet connections. Learn more at: | ||
| https://makesourcenotcode.github.io/freedom_respecting_technology.html | ||
|
|
||
| It's (admittedly small) Open Knowledge Set consists of: | ||
| * the main program configuration/database file scalpel_for_private_keys.conf | ||
| * the documentation / Help Information Set consisting of this file | ||
|
|
||
| Both are released to the Public Domain. | ||
|
|
||
| === MOTIVATION === | ||
|
|
||
| This should have been written in 2018 when I experienced a catastrophe with a | ||
| deleted OpenPGP private key. This is one of the things I wish was available for | ||
| me at the time. Though not a part of this project's documentation that story is | ||
| Solidly Entertaining and can be found by interested parties at: | ||
| https://makesourcenotcode.github.io/LispNYCSlides.pdf | ||
|
|
||
| === LIMITATIONS AND DIRECTIONS FOR FUTURE WORK === | ||
|
|
||
| We support some private key types but not all the ones we would like to yet. Not | ||
| to mention there might be private key types we don't even know exist. | ||
|
|
||
| Perhaps the most pressing limitation is that while we support retrieval of ASCII | ||
| armored OpenPGP keys we don't yet support the binary format. | ||
|
|
||
| Patches and pull requests supporting new types of private keys or new formats | ||
| for partially supported key types will be gratefully received. | ||
|
|
||
| For quality control purposes we ask that all contributors have tested the rules | ||
| they are adding and have evidence that the key data of the type they are adding | ||
| support for can be recovered in at least some scenarios for deleted test keys. | ||
|
|
||
| Let's make this THE database to use to help people recover accidentally deleted | ||
| key data! | ||
|
|
||
| === CHANGELOG === | ||
|
|
||
| v1.0.0: initial implementation |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,113 @@ | ||
| # Before we get to the rules that facilitate carving out lost private keys we | ||
| # will drop a copy of comments explaining this configuration file format from | ||
| # the official scalpel repository for easy reference. | ||
|
|
||
| # === EXPLANATION START === | ||
|
|
||
| # Scalpel configuration file | ||
|
|
||
| # This configuration file controls the types and sizes of files that | ||
| # are carved by Scalpel. NOTE THAT THE FORMAT OF THIS FILE WAS | ||
| # EXTENDED in Scalpel 1.90-->! | ||
|
|
||
| # For each file type, the configuration file describes the file's | ||
| # extension, whether the header and footer are case sensitive, the | ||
| # min/maximum file size, and the header and footer for the file. The | ||
| # footer field is optional, but extension, case sensitivity, size, and | ||
| # header are required. Any line that begins with a '#' is considered | ||
| # a comment and ignored. Thus, to skip a file type just put a '#' at | ||
| # the beginning of the line containing the rule for the file type. | ||
|
|
||
| # If you want files carved without filename extensions, use "NONE" in | ||
| # the extension column. | ||
|
|
||
| # Beginning with Scalpel 1.90, HEADERS AND/OR FOOTERS MAY BE EITHER | ||
| # FIXED STRINGS OR REGULAR EXPRESSIONS. | ||
|
|
||
| # Headers and footers are decoded before use, unless they are regular | ||
| # expressions. To specify a value in hexadecimal use \x[0-f][0-f] and | ||
| # for octal use \[0-3][0-7][0-7]. Spaces can be represented by | ||
| # \s. Example: "\x4F\123\I\sCCI" decodes to "OSI CCI". | ||
|
|
||
| # To match any single character (aka a wildcard) in a non-regular | ||
| # expression header/footer, use a '?'. If you need to search for the | ||
| # '?' character, you will need to change the 'wildcard' line *and* | ||
| # every occurrence of the old wildcard character in the configuration | ||
| # file. | ||
|
|
||
| # Regular expressions in extended format can be specified for headers | ||
| # or footers by bracketing a header or footer with //, e.g., /GGG[^G]/ | ||
| # matches a string of three G characters, followed by a character | ||
| # other than G. To clarify, here is a complete rule for a file type | ||
| # that should be at most 100000 characters, must begin with three G's | ||
| # followed by a non-G character and terminate with at least one digit | ||
| # character (0-9) followed by five H characters: | ||
|
|
||
| # XXX y 100000 /GGG[^G]/ /[0-9]HHHHH/ | ||
|
|
||
| # Beginning with Scalpel 1.90, minimum carve sizes may be specified | ||
| # for each file type using this format for the size parameter: | ||
| # smallest:largest e.g., | ||
|
|
||
| # jpg y 5000:100000 \xff\xd8\xff\xe0\x00\x10 \xff\xd9 | ||
|
|
||
| # carves JPG format image files between 5000 and 100000 bytes in | ||
| # length, ignoring files smaller than 5000 bytes. If the minimum | ||
| # carve size is not specified, 0 is assumed. This maintains | ||
| # compatibility with Scalpel configuration files created prior to | ||
| # 1.90. | ||
|
|
||
| # The REVERSE keyword after a footer causes a search | ||
| # backwards starting from [size] bytes beyond the location of the header | ||
| # This is useful for files like PDFs that may contain multiple copies of | ||
| # the footer throughout the file. When using the REVERSE keyword you will | ||
| # extract bytes from the header to the LAST occurence of the footer (and | ||
| # including the footer in the carved file). | ||
|
|
||
| # The NEXT keyword after a footer results in file carves that | ||
| # include the header and all data BEFORE the first occurence of the | ||
| # footer (the footer is not included in the carved file). If no | ||
| # occurrence of the footer is discovered within maximum carve size bytes | ||
| # from the header, then a block of the disk image including the header | ||
| # and with length equal to the maximum carve size is carved. Use NEXT | ||
| # when there is no definitive footer for a file type, but you know which | ||
| # data should NOT be included in a carved file--e.g., the beginning of | ||
| # a subsequent file of the same type. | ||
|
|
||
| # FORWARD_NEXT is the default carve type and this keyword may be | ||
| # included after the footer, but is not required. For FORWARD_NEXT | ||
| # carves, a block of data including the header and the first footer | ||
| # (within the maximum carve size) are carved. If no footer appears | ||
| # after the header within the maximum carve size, then no carving is | ||
| # performed UNLESS the -b command line option is supplied. In this case, | ||
| # a block of max carve size bytes, including the header, is carved and a | ||
| # notation is made in the Scalpel log that the file was chopped. | ||
|
|
||
| # To redefine the wildcard character, change the setting below and all | ||
| # occurences in the scalpel.conf file. | ||
| # | ||
| #wildcard ? | ||
|
|
||
| # case size header footer | ||
| #extension sensitive | ||
| # | ||
| #--------------------------------------------------------------------- | ||
| # EXAMPLE WITH NO SUFFIX | ||
| #--------------------------------------------------------------------- | ||
| # | ||
| # Here is an example of how to use the no extension option. Any files | ||
| # beginning with the string "FOREMOST" are carved and no file extensions | ||
| # are used. No footer is defined and the max carve size is 1000 bytes. | ||
| # | ||
| # NONE y 1000 FOREMOST | ||
|
|
||
| # === EXPLANATION END === | ||
|
|
||
| # Handles ASCII armored OpenPGP private keys | ||
| asc y 65536 -----BEGIN\sPGP\sPRIVATE\sKEY\sBLOCK----- -----END\sPGP\sPRIVATE\sKEY\sBLOCK----- | ||
|
|
||
| # Handles private keys generated by OpenSSH | ||
| NONE y 65536 -----BEGIN\sOPENSSH\sPRIVATE\sKEY----- -----END\sOPENSSH\sPRIVATE\sKEY----- | ||
|
|
||
| # Handles private keys for Age | ||
| NONE y 74 AGE-SECRET-KEY- |