Difference between revisions of "Carver 2.0 Planning Page"
From Forensics Wiki
m (New page: This page is for planning Carver 2.0. =Requirements= * AFF and EWF file images supported from scratch. * File system aware layer. ** By default, files are not carved. * Plug-in architect...) |
(Adding a couple of validators, fleshing out configuration ideas, adding a couple of questions/comments) |
||
| Line 5: | Line 5: | ||
* File system aware layer. | * File system aware layer. | ||
** By default, files are not carved. | ** By default, files are not carved. | ||
| − | * Plug-in architecture for validation. | + | * Plug-in architecture for identification/validation. |
| + | ** Can we exercise libmagic or at least the patterns they identify? | ||
* Ship with validators for: | * Ship with validators for: | ||
** JPEG | ** JPEG | ||
| + | ** PNG | ||
| + | ** GIF | ||
** MSOLE | ** MSOLE | ||
** ZIP | ** ZIP | ||
| + | ** TAR (gz/bz2) | ||
* Simple fragment recovery carving using gap carving. | * Simple fragment recovery carving using gap carving. | ||
* Recovering of individual ZIP sections and JPEG icons that are not sector aligned. | * Recovering of individual ZIP sections and JPEG icons that are not sector aligned. | ||
* Autonomous operation. | * Autonomous operation. | ||
* Tested on 500GB-sized images. Should be able to carve a 500GB image in roughly 50% longer than it takes to read the image. | * Tested on 500GB-sized images. Should be able to carve a 500GB image in roughly 50% longer than it takes to read the image. | ||
| + | ** Perhaps allocate a percentage budget per-validator (i.e. each validator adds N% to the carving time) | ||
* Parallelizable. | * Parallelizable. | ||
| − | * Can read Scalpel and Foremost config files. | + | * Configuration: |
| + | ** Can read Scalpel and Foremost config files. | ||
| + | ** Disengage internal configuration structure from configuration files, create parsers that present the expected structure | ||
| + | ** Either extend Scalpel/Foremost syntaxes for extended features or create a tertiary syntax, at which point a converter would likely be useful. | ||
* Can output audit.txt file. | * Can output audit.txt file. | ||
* Easy integration into ascription software. | * Easy integration into ascription software. | ||
| − | |||
=Ideas= | =Ideas= | ||
* Use as much TSK if possible. Don't carry your own FS implementation there way photorec does. | * Use as much TSK if possible. Don't carry your own FS implementation there way photorec does. | ||
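Review bot: the per-validator budget added under the 500GB requirement ("each validator adds N% to the carving time") is not tied to the target on the line above it, "roughly 50% longer than it takes to read the image". With six validators now listed, state whether the N% budgets must sum to within that 50% or whether the target is relaxed as validators are added. The new "TAR (gz/bz2)" entry also puts an archive format and two compression formats under one validator; say whether gzip and bzip2 streams get their own validators, since a compressed tar cannot be checked as tar until it is decompressed.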
Revision as of 13:05, 27 October 2008
This page is for planning Carver 2.0.
Requirements
- AFF and EWF file images supported from scratch.
- File system aware layer.
  - By default, files are not carved.
- Plug-in architecture for identification/validation.
  - Can we exercise libmagic or at least the patterns they identify?
- Ship with validators for:
  - JPEG
  - PNG
  - GIF
  - MSOLE
  - ZIP
  - TAR (gz/bz2)
- Simple fragment recovery carving using gap carving.
- Recovering of individual ZIP sections and JPEG icons that are not sector aligned.
- Autonomous operation.
- Tested on 500GB-sized images. Should be able to carve a 500GB image in roughly 50% longer than it takes to read the image.
  - Perhaps allocate a percentage budget per-validator (i.e. each validator adds N% to the carving time)
- Parallelizable.
- Configuration:
  - Can read Scalpel and Foremost config files.
  - Disengage internal configuration structure from configuration files, create parsers that present the expected structure
  - Either extend Scalpel/Foremost syntaxes for extended features or create a tertiary syntax, at which point a converter would likely be useful.
- Can output audit.txt file.
- Easy integration into ascription software.
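The plug-in validation and non-sector-aligned recovery requirements above can be sketched as follows. This is an added example, not code from this wiki page or from any Carver implementation; the registry, the function names and the sample buffer are hypothetical, and PNG is used because its chunk CRCs let a validator confirm both the content and the file's length.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
VALIDATORS = {}  # hypothetical plug-in registry: name -> (signature, validate function)

def validator(name, signature):
    """Register a plug-in; validate(buf, off) returns the file length or None."""
    def register(func):
        VALIDATORS[name] = (signature, func)
        return func
    return register

@validator("png", PNG_SIG)
def validate_png(buf, off):
    """Walk PNG chunks from off, checking each CRC32, until IEND."""
    pos = off + len(PNG_SIG)
    while pos + 12 <= len(buf):
        length, ctype = struct.unpack_from(">I4s", buf, pos)
        end = pos + 12 + length          # length + type + data + CRC
        if end > len(buf):
            return None                  # truncated or fragmented
        (crc,) = struct.unpack_from(">I", buf, end - 4)
        if zlib.crc32(buf[pos + 4:end - 4]) != crc:
            return None                  # CRC covers chunk type and data
        if ctype == b"IEND":
            return end - off             # validated length of the carved file
        pos = end
    return None

def carve(buf):
    """Scan every byte offset (not only sector boundaries) for registered signatures."""
    hits = []
    for name, (sig, check) in VALIDATORS.items():
        pos = buf.find(sig)
        while pos != -1:
            size = check(buf, pos)
            if size:
                hits.append((name, pos, size))
            pos = buf.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h[1])

def make_chunk(ctype, data):
    """Build one PNG chunk (used only to construct the sample below)."""
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))
# Constructed sample: a minimal 1x1 grayscale PNG placed at offset 700 of a 2048-byte buffer.
SAMPLE_PNG = (PNG_SIG + make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
              + make_chunk(b"IDAT", zlib.compress(b"\x00\x00")) + make_chunk(b"IEND", b""))
SAMPLE_IMAGE = b"\x00" * 700 + SAMPLE_PNG + b"\x00" * (2048 - 700 - len(SAMPLE_PNG))
```

`carve(SAMPLE_IMAGE)` reports the PNG at offset 700 with its exact length, while a flipped byte or a cut-off IEND chunk makes the validator reject the candidate instead of emitting a false positive.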
Ideas
- Use as much of TSK as possible. Don't carry your own FS implementation the way photorec does.