Difference between pages "File Carving" and "File Format Identification"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
m (FIle Carving Taxonomy)
 
m (Bibliography)
 
Line 1: Line 1:
'''Carving''' is the practice of searching an input for files or other kinds of objects based on content, rather than on metadata. File carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing, as may be the case with old files that have been deleted or when performing an analysis on damaged media. Memory carving is a useful tool for analyzing physical and virtual memory dumps when the memory structures are unknown or have been overwritten.
+
File Format Identification is the process of figuring out the format of a sequence of bytes. Operating systems typically do this by file extension or by embedded MIME information. Forensic applications need to identify file types by content.
  
 +
=Tools=
 +
==libmagic==
 +
* Written in C.
 +
* Rules in /usr/share/file/magic and compiled at runtime.
 +
* Powers the Unix “file” command, but you can also call the library directly from a C program.
 +
* http://sourceforge.net/projects/libmagic
  
=File Carving=
+
==DROID==
 +
* Writen in Java
 +
* Developed by National Archives of the United Kingdom.
 +
* http://droid.sourceforge.net
  
Most file carvers operate by looking for file headers and/or footers, and then "carving out" the blocks between these two boundaries. [[Semantic Carving]] performs carving based on an analysis of the contents of the proposed files.  
+
==TrID==
 +
* XML config file
 +
* Closed source; free for non-commercial use
 +
* http://mark0.net/soft-trid-e.html
  
File carving should be done on a [[disk image]], rather than on the original disk.
+
==Stellent/Oracle Outside-In==
 +
* Proprietary but free demo.
 +
* http://www.oracle.com/technology/products/content-management/oit/oit_all.html
  
File carving tools are listed on the [[Tools:Data_Recovery]] wiki page.
+
[[Category:Tools]]
  
Many carving programs have an option to only look at or near sector boundaries where headers are found. However, searching the entire input can find files that have been embedded into other files, such as [[JPEG]]s being embedded into [[Microsoft]] [[DOC|Word documents]]. This may be considered an advantage or a disadvantage, depending on the circumstances.
+
=Bibliography=
 +
Current research papers on the file format identification problem. Most of these papers concern themselves with identifying file format of a few file sectors, rather than an entire file.
  
Today most file carving programs will only recover files that are contiguous on the media.  
+
; [http://www.dfrws.org/2008/proceedings/p14-calhoun.pdf Predicting the Types of File Fragments], William Calhoun, Drue Coles, DFRWS 2008 [http://www.dfrws.org/2008/proceedings/p14-calhoun_pres.pdf [slides]]
  
== FIle Carving Taxonomy==
+
; Karresand Martin, Shahmehri Nahid. File type identification of data fragments by their binary structure. In:
[[Simson Garfinkel]] and [[Joachim Metz]] have proposed the following file carving taxonomy:
+
Proceedings of the IEEE workshop on information assurance; 2006b. p. 140–7. [http://www.itoc.usma.edu/workshop/2006/Program/Presentations/IAW2006-07-3.pdf [slides]]
  
;Carving
+
[[Category:Bibliography]]
:General term for extracting data (files) out of undifferentiated blocks (raw data), like "carving" a sculpture out of soap stone.
+
 
+
;Block Based Carving
+
:Any carving method (algorithm) that analyzes the input on block-by-block basis to determine if a block is part of a possible output file. This method assumes that each block can only be part of a single file (or embedded file).
+
 
+
;Characteristic Based Carving
+
:Any carving method (algorithm) that analyzes the input on characteristic basis (for example, entropy) to determine if the input is part of a possible output file.
+
 
+
;Header/Footer Carving
+
:A method for carving files out of raw data using a distinct header (start of file marker) and footer (end of file marker).
+
 
+
;Header/Maximum (file) size Carving
+
:A method for carving files out of raw data using a distinct header (start of file marker) and a maximum (file) size. This approach works because many file formats (e.g. JPEG, MP3) do not care if additional junk is appended to the end of a valid file.
+
 
+
;Header/Embedded Length Carving
+
:A method for carving files out of raw data using a distinct header and a file length (size) which is embedded in the file format
+
 
+
;File structure based carving
+
:A method for carving files out of raw data using a certain level of knowledge of the internal structure of file types. Garfinkel called this approach "Semantic Carving" in his DFRWS2006 carving challenge submission, while Metz and Mora called the approach "Deep Carving."
+
 
+
;Semantic carving
+
:A method for carving files based on a linguistic analysis of the file's content. For example, a semantic carver might conclude that six blocks of french in the middle of a long HTML file written in English is a fragment left from a previous allocated file, and not from the English-language HTML file.
+
 
+
;Carving with Validation
+
:A method for carving files out of raw data where the carved files are validated using a file type specific validator.
+
 
+
;Fragment Recovery Carving
+
:A carving method in which two or more fragments are reassembled to form the original file or object. Garfinkel previously called this approach "Split Carving."
+
 
+
== File Carving challenges and test images ==
+
 
+
[http://www.dfrws.org/2006/challenge/]
+
File Carving Challenge - [[DFRWS]] 2006
+
 
+
[http://dftt.sourceforge.net/test6/index.html]
+
FAT Undelete Test #1 - Digital Forensics Tool Testing Image (dftt #6)
+
 
+
[http://dftt.sourceforge.net/test7/index.html]
+
NTFS Undelete (and leap year) Test #1 - Digital Forensics Tool Testing Image (dftt #7)
+
 
+
[http://dftt.sourceforge.net/test11/index.html]
+
Basic Data Carving Test - fat32 (by Nick Mikus) - Digital Forensics Tool Testing Image (dftt #11)
+
 
+
[http://dftt.sourceforge.net/test12/index.html]
+
Basic Data Carving Test - ext2 (by Nick Mikus) - Digital Forensics Tool Testing Image (dftt #12)
+
 
+
==File Carving Bibliography==
+
 
+
Mikus, Nicholas A. "An analysis of disc carving techniques," Master's Thesis, Naval Postgraduate School. March 2005. http://handle.dtic.mil/100.2/ADA432468
+
 
+
== See also ==
+
[[Tools:Data_Recovery#Carving | FIle Carving Tools]]
+
 
+
=Memory Carving=
+

Revision as of 22:11, 19 October 2008

File Format Identification is the process of figuring out the format of a sequence of bytes. Operating systems typically do this by file extension or by embedded MIME information. Forensic applications need to identify file types by content.

Contents

Tools

libmagic

  • Written in C.
  • Rules in /usr/share/file/magic and compiled at runtime.
  • Powers the Unix “file” command, but you can also call the library directly from a C program.
  • http://sourceforge.net/projects/libmagic

DROID

TrID

Stellent/Oracle Outside-In

Bibliography

Current research papers on the file format identification problem. Most of these papers concern themselves with identifying file format of a few file sectors, rather than an entire file.

Predicting the Types of File Fragments, William Calhoun, Drue Coles, DFRWS 2008 [slides]
Karresand Martin, Shahmehri Nahid. File type identification of data fragments by their binary structure. In

Proceedings of the IEEE workshop on information assurance; 2006b. p. 140–7. [slides]

Retrieved from "http://www.forensicswiki.org/w/index.php?title=File_Carving&oldid=8619"
Personal tools
Namespaces

Variants
Actions
Navigation:
About forensicswiki.org:
Toolbox