Let's continue the analysis of the CF card. I installed the Sleuth Kit
to gather more information from the image. The first step was to look
for things like passwords and/or login data. dls (an utility from the
Sleuth Kit) is just the right tool for this job:
dls -o 32 -f fat CF.img > CF.dls.img strings -t d CF.dls.img > CF.str
Now I could grep the unallocated space of the image. Unfortunately, this
did not yield any interesting results except the things I already knew.
Using sigfind it is possible to manually look for
file signatures (as well as file system signatures), but I recommend a file carver for that job. Of course I
tried it nevertheless and was actually able to recover some .JPEGs, but
- alas! - nothing new was to be discovered.
This is when I decided to use Foremost, another file carving utility:
foremost -t all CF.img -o output/
Using Foremost didn't provide me with any false positives. It found even more files than Scalpel but this is due to the fact that I did not add anything in Scalpel's configuration file. The results:
I found some Excel tables in the unallocated disk space. They seem to be PocketExcel files and contain the grades of several persons. Apparently one of the CF card's users was a school-teacher. However, since I am not able to open these files, I can't be sure. Actually I wanted to try out Autopsy and Lazarus. But Autopsy is just a front-end for the Sleuth Kit, so I didn't need it. Lazarus comes with the Coroner's Toolkit (TCT), but Foremost had the functionality I needed, too. However, they might be worth a look.
To sum it all up: It was very creepy. If you are one of the humans on this planet that doesn't encrypt sensitive information...well...you should do it from now on.