Carver 2.0 Planning Page

From ForensicsWiki
Revision as of 14:05, 27 October 2008 by RB (Talk | contribs)

Jump to: navigation, search

This page is for planning Carver 2.0.

Requirements

  • AFF and EWF file images supported from scratch.
  • File system aware layer.
    • By default, files are not carved.
  • Plug-in architecture for identification/validation.
    • Can we exercise libmagic or at least the patterns they identify?
  • Ship with validators for:
    • JPEG
    • PNG
    • GIF
    • MSOLE
    • ZIP
    • TAR (gz/bz2)
  • Simple fragment recovery carving using gap carving.
  • Recovering of individual ZIP sections and JPEG icons that are not sector aligned.
  • Autonomous operation.
  • Tested on 500GB-sized images. Should be able to carve a 500GB image in roughly 50% longer than it takes to read the image.
    • Perhaps allocate a percentage budget per-validator (i.e. each validator adds N% to the carving time)
  • Parallelizable.
  • Configuration:
    • Can read Scalpel and Foremost config files.
    • Disengage internal configuration structure from configuration files, create parsers that present the expected structure
    • Either extend Scalpel/Foremost syntaxes for extended features or create a tertiary syntax, at which point a converter would likely be useful.
  • Can output audit.txt file.
  • Easy integration into ascription software.

Ideas

  • Use as much TSK if possible. Don't carry your own FS implementation there way photorec does.