Difference between revisions of "File Carving"

From ForensicsWiki
Line 1: Line 1:
'''Carving''' is the practice of searching an input for files based on the input's content.  Most often the input is a [[disk image]], but it's possible (and sometimes practical) to carve individual files or [[physical memory]].
+
'''Carving''' is the practice of searching an input for files or other kinds of objects based on content, rather than on metadata. File carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing, as may be the case with old files that have been deleted or when performing an analysis on damaged media. Memory carving is a useful tool for analyzing physical and virtual memory dumps when the memory structures are unknown or have been overwritten.
 +
 
 +
based on the input's content.  but it's possible (and sometimes practical) to carve individual files or [[physical memory]].
  
 
=File Carving=
 
=File Carving=
  
 
Most file carvers operate by looking for file headers and/or footers, and then "carving out" the blocks between these two boundaries. [[Semantic Carving]] performs carving based on an analysis of the contents of the proposed files.  
 
Most file carvers operate by looking for file headers and/or footers, and then "carving out" the blocks between these two boundaries. [[Semantic Carving]] performs carving based on an analysis of the contents of the proposed files.  
 +
 +
File carving should be done on a [[disk image]], rather than on the original disk.
  
 
File carving tools are listed on the [[Tools:Data_Recovery]] wiki page.
 
File carving tools are listed on the [[Tools:Data_Recovery]] wiki page.
  
Many carving programs have an option to only look at or near sector boundaries where headers are found. Searching the entire input can find files that have been embedded into other files, such as [[JPEG]]s being embedded into [[Microsoft]] [[DOC|Word documents]].
+
Many carving programs have an option to only look at or near sector boundaries where headers are found. However, searching the entire input can find files that have been embedded into other files, such as [[JPEG]]s being embedded into [[Microsoft]] [[DOC|Word documents]]. This may be considered an advantage or a disadvantage, depending on the circumstances.
 +
 
 +
Today most file carving programs will only recover files that are contiguous on the media.  
  
 
DFRWS2006 featured a [http://www.dfrws.org/2006/challenge/index.html file carving challenge]. As a condition of entering the challenge, all tools and techniques developed to solve the challenge had to be open sourced.
 
DFRWS2006 featured a [http://www.dfrws.org/2006/challenge/index.html file carving challenge]. As a condition of entering the challenge, all tools and techniques developed to solve the challenge had to be open sourced.
  
 
=Memory Carving=
 
=Memory Carving=
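Review bot: the added line beginning "based on the input's content.  but it's possible" is a leftover fragment of the old opening paragraph. It starts mid-sentence and no longer says what the usual input is. Either restore the old sentence ("Most often the input is a [[disk image]], but it's possible (and sometimes practical) to carve individual files or [[physical memory]].") or drop the line, since the new first paragraph already mentions memory carving.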

Revision as of 16:49, 29 December 2006

Carving is the practice of searching an input for files or other kinds of objects based on content, rather than on metadata. File carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing, as may be the case with old files that have been deleted or when performing an analysis on damaged media. Memory carving is a useful tool for analyzing physical and virtual memory dumps when the memory structures are unknown or have been overwritten.

Most often the input is a disk image, but it's possible (and sometimes practical) to carve individual files or physical memory.

File Carving

Most file carvers operate by looking for file headers and/or footers, and then "carving out" the blocks between these two boundaries. Semantic Carving performs carving based on an analysis of the contents of the proposed files.

File carving should be done on a disk image, rather than on the original disk.

File carving tools are listed on the Tools:Data_Recovery wiki page.

Many carving programs have an option to only look at or near sector boundaries where headers are found. However, searching the entire input can find files that have been embedded into other files, such as JPEGs being embedded into Microsoft Word documents. This may be considered an advantage or a disadvantage, depending on the circumstances.

Today most file carving programs will only recover files that are contiguous on the media.
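
An added example, not part of the wiki page or of any tool it lists: a minimal header/footer carver for JPEG that shows the effect of the sector-boundary option described above. The disk image is constructed in memory, and all function and variable names are hypothetical.

```python
SECTOR = 512
JPEG_HEADER = b"\xff\xd8\xff"  # SOI marker plus the first byte of the next marker
JPEG_FOOTER = b"\xff\xd9"      # EOI marker

def carve(data, header=JPEG_HEADER, footer=JPEG_FOOTER,
          sector_aligned=False, max_size=10 * 1024 * 1024):
    """Return [(offset, bytes)] for every header..footer run in data.

    Assumes each file is contiguous: a fragmented file would be carved
    together with whatever foreign blocks lie between its pieces.
    """
    results = []
    pos = 0
    while True:
        start = data.find(header, pos)
        if start == -1:
            break
        pos = start + 1
        if sector_aligned and start % SECTOR != 0:
            continue  # header is not at a sector boundary, skip it
        end = data.find(footer, start + len(header), start + max_size)
        if end == -1:
            continue  # no footer within max_size, treat as a false hit
        end += len(footer)
        results.append((start, data[start:end]))
        pos = end  # resume after the carved file
    return results

def build_sample():
    """Constructed 4-sector image: one JPEG at a sector boundary and one
    embedded 100 bytes into a container document."""
    jpeg_a = JPEG_HEADER + b"\xe0" + b"A" * 100 + JPEG_FOOTER
    jpeg_b = JPEG_HEADER + b"\xe0" + b"B" * 60 + JPEG_FOOTER
    doc = b"DOC-CONTAINER" + b"\x00" * 87 + jpeg_b + b"\x00" * 20
    image = bytearray(4 * SECTOR)
    image[SECTOR:SECTOR + len(jpeg_a)] = jpeg_a
    image[2 * SECTOR:2 * SECTOR + len(doc)] = doc
    return bytes(image), jpeg_a, jpeg_b

if __name__ == "__main__":
    image, _, _ = build_sample()
    for aligned in (True, False):
        hits = [(off, len(blob)) for off, blob in carve(image, sector_aligned=aligned)]
        print("sector_aligned=%s -> %s" % (aligned, hits))
```

With `sector_aligned=True` only the file at offset 512 is recovered; scanning every offset also recovers the JPEG embedded in the container at offset 1124.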

DFRWS2006 featured a file carving challenge. As a condition of entering the challenge, all tools and techniques developed to solve the challenge had to be open sourced.

Memory Carving