Commit

Updated README.md
matthias-deu committed Jul 22, 2023
1 parent 21a9350 commit 3b1a65e
Showing 1 changed file with 29 additions and 35 deletions.
64 changes: 29 additions & 35 deletions README.md
Expand Up @@ -7,64 +7,56 @@ Furthermore, UBIFT makes use of Carrier's idea of a layered approach for forensi
A notable feature of UBIFT is the ability to recover deleted data. Most commands can be used in conjunction with a **--deleted** parameter, causing UBIFT to look for deleted content. For instance, all deleted directory entries may be retrieved with the following command:

```python
(venv) PS C:\ubift> python .\ubift.py fls "E:\nand_flash.bin" -o 0 -n data --deleted
python ./ubift.py fls /path/to/your_flash_dump.bin -o 0 -n data --deleted
Type Inode Parent Name
file 0 105 secret.txt
dir 0 104 secret_folder
file 0 107 secret_image1.jpg
file 0 107 secret_image4.jpg
```

In order to recover all files (including deleted files), use the following command:

```python
python ./ubift.py ubift_recover /path/to/your_flash_dump.bin --output /path/to/output --deleted
```

# Usage

UBIFT uses a similar syntax as *The Sleuth Kit*. Every command has a prefix and a suffix. The prefix, such as **mtd** refers to the layer it is operating on. The suffix, such as **ls** depicts the desired operation to be performed.

UBIFT supports the following commands:

| Command | Description |
| ------------- |---------------|
| mtdls | Lists information about all available Partitions, including UBI instances. UBI instances have the description 'UBI'. |
| mtdcat | Outputs the binary data of an MTD partition, given by its index. Use 'mtdls' to see all indeces. |
| pebcat | Outputs a specific phyiscal erase block. |
| ubils | Lists all instances of UBI and their volumes. |
| lebls | Lists all mapped LEBs of a specific UBI volume. |
| lebcat | Outputs a specific mapped logical erase block of a specified UBI volume. |
| fsstat | Outputs information regarding the UBIFS file-system within a specific UBI volume. |
| fls | Outputs information regarding file names in an UBIFS instance within a specific UBI volume. |
| istat | Displays information about a specific inode in an UBIFS instance. |
| icat | Outputs the data of an inode. |
| ils | Lists all inodes of a given UBIFS instance. |
| ffind | Outputs directory entries associated with a given inode number. |
| ubift_recover | Extracts all files found in UBIFS instances. Creates one directory for each UBI volume with UBIFS. |
| ubift_info | Outputs information regarding recoverability of deleted inodes. This parameter takes priority over all other parameters. |
| jls | Lists all nodes within the journal. |
| Command | Description |
|---------------|--------------------------------------------------------------------------------------------------------------------------|
| mtdls | Lists information about all available Partitions, including UBI instances. UBI instances have the description 'UBI'. |
| mtdcat | Outputs the binary data of an MTD partition, given by its index. Use 'mtdls' to see all indeces. |
| pebcat | Outputs a specific phyiscal erase block. |
| ubils | Lists all instances of UBI and their volumes. |
| ubicat | Outputs contents of a specific UBI volume to stdout. |
| lebls | Lists all mapped LEBs of a specific UBI volume. |
| lebcat | Outputs a specific mapped logical erase block of a specified UBI volume. |
| fsstat | Outputs information regarding the UBIFS file-system within a specific UBI volume. |
| fls | Outputs information regarding file names in an UBIFS instance within a specific UBI volume. |
| istat | Displays information about a specific inode in an UBIFS instance. |
| icat | Outputs the data of an inode. |
| ils | Lists all inodes of a given UBIFS instance. |
| ffind | Outputs directory entries associated with a given inode number. |
| ubift_recover | Extracts all files found in UBIFS instances. Creates one directory for each UBI volume with UBIFS. |
| ubift_info | Outputs information regarding recoverability of deleted inodes. This parameter takes priority over all other parameters. |
| jls | Lists all nodes within the journal. |

For a detailed description of every command, refer to the **--help** of the tool.

In order to recover all files (including deleted files), use the following command:

```python
python .\ubift.py ubift_recover D:\your_flash_dump.bin --output D:\ --deleted
```

# Branches

### master

Contains the original version described in the master's thesis.
# Branch *original*

### develop

Contains a highly improved version that has slightly different syntax and is more lenient towards possible errors. Therefore this version might be able to parse flash images that the original may not be able to.

A notable difference is the notation for the **offset** and **name of an UBI volume**. A valid **ubils** command in the develop version is as follows:
Contains the original version described in the master's thesis. The original version contains some differences that were changed in later versions. For instance, instead of specifying offsets and ubi volumes as follows:

```python
python .\ubift.py fls 'D:\flash_dump.bin' -o 123 -n data
```

As opposed to the original one:
The parameters were positional arguments, resulting in a loss of flexibility.

```python
python .\ubift.py fls 'D:\flash_dump.bin' 123 data
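
Review bot: In the "Branch *original*" section at the end of this hunk, the sentence "For instance, instead of specifying offsets and ubi volumes as follows:" followed by "The parameters were positional arguments, resulting in a loss of flexibility." does not say which of the two `fls` examples belongs to which version. Label the `-o 123 -n data` form as the current syntax and the `123 data` form as the original branch's positional syntax, so an analyst on either branch can tell which invocation applies. These two examples also keep `.\ubift.py` and `'D:\flash_dump.bin'`, while the commands higher up now use `./ubift.py` and `/path/to/your_flash_dump.bin`; pick one path style for the whole README. The realigned table still carries the typos "indeces" and "phyiscal", and the fences that hold shell commands and tool output are tagged `python`.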
Expand Down Expand Up @@ -94,6 +86,8 @@ pathvalidate

[The Sleuth Kit](https://github.com/sleuthkit/sleuthkit)

[Autopsy](https://www.autopsy.com/)

# Author

Matthias Deutschmann (matthias_de@gmx.net)
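
Review bot: The new `[Autopsy](https://www.autopsy.com/)` link is listed with no text saying how it relates to UBIFT. The Usage section explains the connection to The Sleuth Kit (similar command syntax), but nothing in the visible lines mentions Autopsy, so add a short phrase next to the link stating why it is referenced.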