Difference between pages "Cell phones" and "File Carving"

From Forensics Wiki

Cell phones (edit summary: Hardware)

'''Cell phones''' or '''mobile phones''' are an important target for [[forensic investigator]]s.

== Technologies ==

* [[CDMA]]
* [[TDMA]]
* [[GSM]]
* [[iDEN]]
* [[EDGE]]
* [[GPRS]]

== Hardware ==

* [[RIM BlackBerry]]
* [[T-Mobile Sidekick]]
* [[SIM Cards]]

== Operating Systems ==

* [[Microsoft PocketPC]]
* [[Microsoft Windows Mobile]]
* [[Palm]]
* [[RIM BlackBerry]]
* [[Symbian]]
* [[Linux]]

== Forensics ==

'''Procedures'''

* [[Cell Phone Forensics]]
* [[SIM Card Forensics]]
* [[External Memory Card Forensics]]

== Tools ==

'''Hardware'''

* [[Azimuth RadioProof™ Enclosures]]
* [[Radio Frequency (RF) Jammers]]
* [[Network Security Solutions Secure Tents]]
* [[Network Security Solutions Seizure Bags for Cell Phones/PDAs/Laptops]]
* [[Paraben StrongHold Bag]]
* [[Paraben StrongHold Tent]]

'''Software'''

* [[BitPIM]]
* [[DataPilot Secure View]]
* [[.XRY]]
* [[ForensicMobile]]
* [[ForensicSIM]]
* [[LogiCube CellDEK]]
* [[MOBILedit!]]
* [[Oxygen PM II]]
* [[Paraben Cell Seizure]]
* [[Paraben SIM Seizure]]
* [[SIMCon]]
* [[TULP2G]]

File Carving (minor edit, edit summary: Created taxonomy section)

Revision as of 14:04, 1 March 2007

Carving is the practice of searching an input for files or other kinds of objects based on content, rather than on metadata. File carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing, as may be the case with old files that have been deleted or when performing an analysis on damaged media. Memory carving is a useful tool for analyzing physical and virtual memory dumps when the memory structures are unknown or have been overwritten.

File Carving

Most file carvers operate by looking for file headers and/or footers, and then "carving out" the blocks between these two boundaries. Semantic Carving performs carving based on an analysis of the contents of the proposed files.

File carving should be done on a disk image, rather than on the original disk.

File carving tools are listed on the Tools:Data_Recovery wiki page.

Many carving programs have an option to only look at or near sector boundaries where headers are found. However, searching the entire input can find files that have been embedded into other files, such as JPEGs being embedded into Microsoft Word documents. This may be considered an advantage or a disadvantage, depending on the circumstances.

Today most file carving programs will only recover files that are contiguous on the media.

File Carving Taxonomy

Simson Garfinkel and Joachim Metz have proposed the following file carving taxonomy:

Header/Maximum (file) size Carving
A method for carving files out of raw data using a distinct header (start of file marker) and a maximum (file) size. This approach works because many file formats (e.g. JPEG, MP3) do not care if additional junk is appended to the end of a valid file.
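The three ideas above (header/footer carving, restricting the search to sector boundaries versus scanning the whole input, and header/maximum-size carving) as a small added example over a constructed three-sector image; this is illustration code written for this page, not a tool from the wiki, and the sector size, sample bytes and function names are assumptions.

```python
# Constructed-input demonstration of the carving techniques described on this page
SECTOR = 512                    # assumed sector size for the sample image
JPEG_HEADER = b"\xff\xd8\xff"   # JPEG SOI marker plus the first segment marker byte
JPEG_FOOTER = b"\xff\xd9"       # JPEG EOI marker


def _headers(data, header, sector_aligned):
    """Yield every offset of header; with sector_aligned only those on a sector boundary."""
    pos = 0
    while (start := data.find(header, pos)) >= 0:
        pos = start + 1
        if not sector_aligned or start % SECTOR == 0:
            yield start


def carve_header_footer(data, header, footer, sector_aligned=False):
    """Header/footer carving: return (offset, bytes) for each header..footer span.
    Assumes the file is contiguous: a footer that belongs to another file would be
    carved by mistake, which is the fragmentation limitation noted above."""
    carved = []
    for start in _headers(data, header, sector_aligned):
        end = data.find(footer, start + len(header))
        if end < 0:
            continue  # header with no later footer: nothing to carve
        carved.append((start, data[start:end + len(footer)]))
    return carved


def carve_header_maxsize(data, header, max_size, sector_aligned=False):
    """Header/maximum-size carving: take max_size bytes after each header.
    Suits formats such as JPEG or MP3 that ignore junk appended after the file."""
    return [(start, data[start:start + max_size])
            for start in _headers(data, header, sector_aligned)]


def build_sample_image():
    """Constructed image: a JPEG at sector 0, a 'document' at sector 1 with a second
    JPEG embedded mid-sector (found only by a full scan), unrelated bytes in sector 2."""
    jpeg1 = JPEG_HEADER + b"\xe0" + b"A" * 40 + JPEG_FOOTER   # 46 bytes, offset 0
    jpeg2 = JPEG_HEADER + b"\xe1" + b"B" * 20 + JPEG_FOOTER   # 26 bytes, offset 623
    doc = b"DOC-HEADER " + b"x" * 100 + jpeg2 + b"y" * 100
    return jpeg1.ljust(SECTOR, b"\0") + doc.ljust(SECTOR, b"\0") + b"\xaa" * SECTOR


if __name__ == "__main__":
    img = build_sample_image()
    print([o for o, _ in carve_header_footer(img, JPEG_HEADER, JPEG_FOOTER)])        # [0, 623]
    print([o for o, _ in carve_header_footer(img, JPEG_HEADER, JPEG_FOOTER, True)])  # [0]
    print([len(b) for _, b in carve_header_maxsize(img, JPEG_HEADER, 64)])           # [64, 64]
```

The sector-aligned pass misses the JPEG embedded in the document, and the maximum-size pass returns the first JPEG followed by 18 bytes of padding, which a JPEG decoder would ignore.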

File Carving challenges and test images

File Carving Challenge - DFRWS 2006: http://www.dfrws.org/2006/challenge/

FAT Undelete Test #1 - Digital Forensics Tool Testing Image (dftt #6): http://dftt.sourceforge.net/test6/index.html

NTFS Undelete (and leap year) Test #1 - Digital Forensics Tool Testing Image (dftt #7): http://dftt.sourceforge.net/test7/index.html

Basic Data Carving Test - fat32 (by Nick Mikus) - Digital Forensics Tool Testing Image (dftt #11): http://dftt.sourceforge.net/test11/index.html

Basic Data Carving Test - ext2 (by Nick Mikus) - Digital Forensics Tool Testing Image (dftt #12): http://dftt.sourceforge.net/test12/index.html

File Carving Bibliography

Mikus, Nicholas A. "An analysis of disc carving techniques," Master's Thesis, Naval Postgraduate School. March 2005. http://handle.dtic.mil/100.2/ADA432468

See also

File Carving Tools (Tools:Data_Recovery#Carving)

Memory Carving