Legal issues

From ForensicsWiki

=Legal Standards=

= The Hacker Defense (aka Trojan/Virus Defense) =

Below are accounts of different hacker/virus/Trojan related defenses. Although some of these are not 'reputable' web sources, they should all have official court backing wherever the various investigators do similar work. And the CPS (sort of the FBI in the UK) is training prosecutors en masse about 'Trojan defenses' (link below). These types of actions would not occur unwarranted. Why do all the extra work for nothing?

"The "Trojan defense" has now become standard in many types of computer crime cases. But the defense often plays on the ignorance of juries and prosecutors. It has raised the need for the CPS to do more to explain complex technical issues in simple terms to judges and juries, says George." (Esther George is the policy adviser at the Crown Protection Services)

http://www.computerweekly.com/Articles/2007/01/27/221526/high-tech-crime-is-put-on-trial.htm

US man, Eugene Pitts, found not guilty of tax evasion after blaming a computer virus. Avoids ~$900,000 in fines.

http://www.sophos.com/pressoffice/news/articles/2003/08/va_virustax.html

United States v. Michael McCourt, U.S. Court of Appeals case, 1/24/06, Western District of Missouri. Guilty charge upheld.

http://www.ca8.uscourts.gov/opndir/06/11/061018P.pdf

Karl Schofield walked free from court yesterday after prosecutors accepted an expert's report that the "Trojan" program could have saved the 14 depraved images off the internet without his knowledge.

http://www.getreading.co.uk/news/6/6541/program_put_child_porn_pics_on_my_pc

Julian Green, 45, of Torquay, Devon was cleared in court in July of 13 charges of making indecent images, claiming computer malware was to blame.

http://www.sophos.com/pressoffice/news/articles/2003/08/va_porntrojan.html

Aaron Caffrey acquitted with the Trojan defense after US authorities claimed to have traced DoS activity to his machine.

http://news.com.com/2100-7349-5092781.html?tag=txt

A former Georgia teacher blames computer viruses for altering his Web sites and uploading child porn images. Guilty charge upheld.

http://news.zdnet.com/2100-1009_22-6130218.html

Odd spin on the issue, where a hacker used a Trojan to gain access to potential pedophiles' computers.

http://www.darkreading.com/document.asp?doc_id=118157

Bandy's defense attorney asserted that a "virus" or "trojan" must have downloaded the child pornography to Bandy's computer without his knowledge.

http://www.foxnews.com/story/0,2933,247903,00.html

A man found with more than 1,700 indecent images of children on his computer claimed a virus was to blame, a court heard. But Mark Craney, 33, from Knowle, was found guilty at Warwick Crown Court on 16 charges of making indecent images of children by downloading them onto his computer.

http://icbirmingham.icnetwork.co.uk/0100news/0100localnews/tm_objectid=15104065&method=full&siteid=50002&headline=man-blamed-net-virus-for-child-porn-name_page.html

More links from previous research.

[1] http://www.cnn.com/2003/TECH/internet/10/28/hacker.defense.reut/index.html

[2] http://news.com.com/2100-7349_3-5092781.html

[3] http://www.fedlawyerguy.org/2003/11/the_trojan_defense.html

[4] http://www.theregister.co.uk/2003/04/24/trojan_defence_clears_man/

[5] http://www.austlii.edu.au/au/cases/cth/high_ct/2006/39.html

[6] http://www.castlecops.com/modules.php?name=News&file=print&sid=2946

[7] http://direct.bl.uk/bld/PlaceOrder.do?UIN=161932125&ETOC=RN&from=searchengine

== External Links ==

* [http://www.cybersecurityinstitute.biz/tpicq.htm The "Tools Proven in Court" Question]

=Privacy and Surveillance Laws=

18 USC 2510 et seq., 18 USC 2701 et seq., 18 USC 1030 and other statutes regulate the information private entities and law enforcement can access over a computer network.

The following forensic tools, which can capture forensic images remotely over a network, may raise interesting legal questions under these and other statutes.

Paraben Enterprise and Shuttle:
http://www.paraben-enterprise.com/

WetStone LiveWire Investigator:
http://www.000.shoppingcartsplus.com/catalog/item/4170630/4050602.htm

ProDiscover IR:
http://www.techpathways.com/ProDiscoverIR.htm

EnCase Enterprise:
http://www.encase.com/products/ee_index.asp

Vontu:
http://www.vontu.com/products/default.asp

=Cybersecurity Research=

* [http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1113014 Toward a Culture of Cybersecurity Research], Aaron J. Burstein, University of California, Berkeley - School of Law. 2008, UC Berkeley Public Law Research Paper No. 1113014

[[Category:Bibliographies]]

File Carving

From ForensicsWiki
Revision as of 03:45, 31 July 2012

File Carving, or sometimes simply Carving, is the practice of searching an input for files or other kinds of objects based on content, rather than on metadata. File carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing, as may be the case with old files that have been deleted or when performing an analysis on damaged media. Memory carving is a useful tool for analyzing physical and virtual memory dumps when the memory structures are unknown or have been overwritten.


Most file carvers operate by looking for file headers and/or footers, and then "carving out" the blocks between these two boundaries. Semantic Carving performs carving based on an analysis of the contents of the proposed files.

File carving should be done on a disk image, rather than on the original disk.

File carving tools are listed on the Tools:Data_Recovery wiki page.

Many carving programs have an option to only look at or near sector boundaries where headers are found. However, searching the entire input can find files that have been embedded into other files, such as JPEGs being embedded into Microsoft Word documents. This may be considered an advantage or a disadvantage, depending on the circumstances.
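As an added example (not code from the wiki or from any carving tool it names), the following Python carver implements the header/footer approach of the two paragraphs above, together with the "only look at sector boundaries" option. It runs on a constructed six-sector image containing one JPEG-like object on a sector boundary and a second one embedded mid-sector inside a fake document; the sector size, the fake document layout and the dummy payloads are assumptions made for the example.

```python
SECTOR = 512  # sector size assumed for the constructed image

# Signature pair for one file type: a JPEG begins with the SOI marker
# (FF D8) followed by another marker, and ends with the EOI marker (FF D9).
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"


def carve_header_footer(image, header, footer, align=None):
    """Return (start, end) offsets of every header-to-footer span.

    Every header occurrence starts a candidate, unless `align` is given,
    in which case only headers at multiples of `align` count (the
    sector-boundary option). The candidate ends at the first footer after
    the header. Nothing is reassembled: if the file is fragmented, the
    bytes between header and footer are not the original file."""
    hits = []
    pos = 0
    while (start := image.find(header, pos)) >= 0:
        pos = start + 1
        if align is not None and start % align != 0:
            continue
        end = image.find(footer, start + len(header))
        if end < 0:
            break  # header without a footer: nothing more to carve
        hits.append((start, end + len(footer)))
    return hits


def carve_files(image, align=None):
    """Convenience wrapper returning the carved byte strings themselves."""
    return [image[s:e]
            for s, e in carve_header_footer(image, JPEG_HEADER, JPEG_FOOTER, align)]


def build_sample_image():
    """Constructed input (not real media): six 512-byte sectors. One
    JPEG-like object starts exactly on a sector boundary; a second one is
    embedded mid-sector inside a fake document blob, the way a picture
    pasted into a Word file would be."""
    jpeg_on_boundary = JPEG_HEADER + b"\xe0" + b"A" * 100 + JPEG_FOOTER
    jpeg_embedded = JPEG_HEADER + b"\xe0" + b"B" * 60 + JPEG_FOOTER
    fake_document = b"DOCHDR00" + b"text " * 30 + jpeg_embedded + b"text " * 20
    image = bytearray(SECTOR * 6)               # unused space reads as zeros
    image[SECTOR:SECTOR + len(jpeg_on_boundary)] = jpeg_on_boundary
    image[SECTOR * 3:SECTOR * 3 + len(fake_document)] = fake_document
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    print("sector-aligned headers only:",
          carve_header_footer(img, JPEG_HEADER, JPEG_FOOTER, align=SECTOR))
    print("full scan:", carve_header_footer(img, JPEG_HEADER, JPEG_FOOTER))
```

With `align=SECTOR` only the object at offset 512 is found; a full scan also returns the embedded object at offset 1694, which is the trade-off the paragraph describes (more files found, at the cost of more candidates and a longer scan).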

The majority of file carving programs will only recover files that are contiguous on the media (in other words, files that are not fragmented).

Fragmented File Recovery

Simson Garfinkel estimated that up to 58% of Outlook, 17% of JPEG and 16% of MS-Word files are fragmented and therefore appear corrupted or missing to a user relying on traditional data carving. The first set of file carving programs that can handle fragmented files automatically have finally arrived. A. Pal, N. Memon, T. Sencar and K. Shanmugasundaram have introduced a technique called SmartCarving that can recover fragmented files.
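As an added example (not the SmartCarving algorithm and not code from the wiki), the Python below shows why a straight header-to-footer carve fails on a fragmented file and how a validator-driven gap search recovers it: the carver locates the header and footer, and if the span between them does not validate it tries removing one block-aligned gap of 1, 2, ... blocks at every position, smallest gap first, until the validator accepts a reassembly. The JPEG is synthetic (correct marker framing around dummy payloads, so it validates structurally but will not decode to a picture), the block size and the "foreign" filler are assumptions, and the validator checks only marker structure, not image content.

```python
BLOCK = 64  # constructed block size; real tools work in sectors or clusters

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def _segment(marker, payload):
    """One JPEG marker segment: FF <marker> <2-byte length incl. itself> <payload>."""
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def build_synthetic_jpeg(scan_len=200):
    """Constructed: correct JPEG framing (SOI, APP0, DQT, SOF0, DHT, SOS,
    entropy-coded data, EOI) around dummy payloads. It will not decode to a
    picture; it exists so the validator has real structure to check."""
    scan = bytes((i * 37) % 255 for i in range(scan_len))  # never 0xFF, so no byte stuffing needed
    return (SOI + _segment(0xE0, b"JFIF\x00" + bytes(9)) + _segment(0xDB, bytes(65))
            + _segment(0xC0, bytes(15)) + _segment(0xC4, bytes(20))
            + _segment(0xDA, bytes(10)) + scan + EOI)


def validate_jpeg(buf):
    """File-type specific validator: walk the marker segments up to SOS, then
    require that the entropy-coded data contains only legal FF sequences
    (FF 00 stuffing or RSTn) before the EOI marker."""
    if buf[:2] != SOI:
        return False
    i = 2
    while i + 4 <= len(buf):
        if buf[i] != 0xFF:
            return False
        marker = buf[i + 1]
        if marker < 0xC0 or 0xD0 <= marker <= 0xD9:
            return False  # not a length-carrying segment that may appear here
        seg_len = int.from_bytes(buf[i + 2:i + 4], "big")
        if seg_len < 2:
            return False
        i += 2 + seg_len
        if marker == 0xDA:  # start of scan: the rest is entropy-coded data
            while i + 1 < len(buf):
                if buf[i] != 0xFF:
                    i += 1
                    continue
                nxt = buf[i + 1]
                if nxt == 0xD9:
                    return True
                if nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    return False
                i += 2
            return False
    return False


def build_fragmented_image(jpeg, foreign_blocks=1):
    """Constructed: the JPEG split into two fragments with `foreign_blocks`
    blocks of unrelated data between them, padded to a block multiple."""
    cut = BLOCK * 2
    foreign = (b"\xff\x0f" * (BLOCK // 2)) * foreign_blocks  # FF 0F is illegal anywhere in a JPEG
    image = jpeg[:cut] + foreign + jpeg[cut:]
    return image + bytes((-len(image)) % BLOCK)


def bifragment_gap_carve(image, validator, block=BLOCK):
    """Locate header and footer; if the straight carve validates, done.
    Otherwise try removing one block-aligned gap of 1, 2, ... blocks at
    every position between them and return the first reassembly the
    validator accepts (smallest gap first, so no real data is dropped)."""
    h = image.find(SOI)
    f = image.find(EOI, h + 2) if h >= 0 else -1
    if h < 0 or f < 0:
        return None
    f += len(EOI)
    straight = image[h:f]
    if validator(straight):
        return straight
    first_block, last_block = h // block + 1, f // block
    for gap_blocks in range(1, last_block - first_block):
        for g in range(first_block, last_block - gap_blocks + 1):
            candidate = image[h:g * block] + image[(g + gap_blocks) * block:f]
            if validator(candidate):
                return candidate
    return None
```

The search is quadratic in the number of blocks between header and footer, which is why it is only practical for two-fragment files with a small gap; recovering files in more fragments is the problem the SmartCarving work addresses. The validator is the part that makes the search meaningful: without a file-type specific check, every candidate looks equally good.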

File Carving Taxonomy

Simson Garfinkel and Joachim Metz have proposed the following file carving taxonomy:

Carving
General term for extracting data (files) out of undifferentiated blocks (raw data), like "carving" a sculpture out of soap stone.
Block-Based Carving
Any carving method (algorithm) that analyzes the input on a block-by-block basis to determine if a block is part of a possible output file. This method assumes that each block can only be part of a single file (or embedded file).
Statistical Carving
Any carving method (algorithm) that analyzes the input using a characteristic or statistic (for example, entropy) to determine if the input is part of a possible output file.
Header/Footer Carving
A method for carving files out of raw data using a distinct header (start of file marker) and footer (end of file marker).
Header/Maximum (file) size Carving
A method for carving files out of raw data using a distinct header (start of file marker) and a maximum (file) size. This approach works because many file formats (e.g. JPEG, MP3) do not care if additional junk is appended to the end of a valid file.
Header/Embedded Length Carving
A method for carving files out of raw data using a distinct header and a file length (size) which is embedded in the file format.
File structure based Carving
A method for carving files out of raw data using a certain level of knowledge of the internal structure of file types. Garfinkel called this approach "Semantic Carving" in his DFRWS2006 carving challenge submission, while Metz and Mora called the approach "Deep Carving."
Semantic Carving
A method for carving files based on a linguistic analysis of the file's content. For example, a semantic carver might conclude that six blocks of French in the middle of a long HTML file written in English are a fragment left from a previously allocated file, and not part of the English-language HTML file.
Carving with Validation
A method for carving files out of raw data where the carved files are validated using a file type specific validator.
Fragment Recovery Carving
A carving method in which two or more fragments are reassembled to form the original file or object. Garfinkel previously called this approach "Split Carving."
Repackaging Carving
A carving method that modifies the extracted data by adding new headers, footers, or other information so that it can be viewed with standard utilities. For example, Garfinkel's ZIP Carver looks for individual components of a ZIP file and repackages them with a new Central Directory so that they can be opened with a standard unzip utility.
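As an added example (not code from the wiki or from any tool it names), the Python below demonstrates two entries of the taxonomy on one constructed image: Header/Embedded Length Carving on BMP, whose file header stores the total file size at offset 2 and which has no footer to look for, and Statistical Carving in its simplest form, labelling each block by its byte entropy. The BMP is built with the real BITMAPFILEHEADER/BITMAPINFOHEADER layout; the block size, the entropy thresholds and the sample content (zeros, text that happens to contain the bytes "BM", pseudo-random bytes) are assumptions made for the example.

```python
import math
import struct
from collections import Counter

BLOCK = 512
BMP_MAGIC = b"BM"


def build_sample_bmp(width=2, height=2):
    """Constructed: a valid 24-bit BMP, BITMAPFILEHEADER (14 bytes) +
    BITMAPINFOHEADER (40 bytes) + pixel rows padded to 4-byte multiples.
    Offset 2 of the file header is the total file size, little-endian."""
    row = (width * 3 + 3) & ~3
    pixels = b"".join(bytes([i, 2 * i, 3 * i]) * width + bytes(row - width * 3)
                      for i in range(height))
    size = 14 + 40 + len(pixels)
    file_header = struct.pack("<2sIHHI", BMP_MAGIC, size, 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels


def carve_embedded_length(image, magic=BMP_MAGIC, size_offset=2, size_fmt="<I", min_size=54):
    """Header/Embedded Length carving: every `magic` hit is a candidate whose
    length is read from the file's own size field. The field is trusted only
    after sanity checks (plausible minimum, fits inside the input), which is
    what rejects the same two bytes when they occur inside ordinary text."""
    carved, pos, width = [], 0, struct.calcsize(size_fmt)
    while (start := image.find(magic, pos)) >= 0:
        pos = start + 1
        field = image[start + size_offset:start + size_offset + width]
        if len(field) < width:
            break
        (size,) = struct.unpack(size_fmt, field)
        if min_size <= size <= len(image) - start:
            carved.append(image[start:start + size])
    return carved


def shannon_entropy(block):
    """Bits per byte, from 0.0 (all one value) to 8.0 (uniform)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def classify_blocks(image, block=BLOCK):
    """Statistical carving in its simplest form: label each block by its
    entropy. The thresholds are assumptions for this example, not a standard."""
    labels = []
    for off in range(0, len(image), block):
        h = shannon_entropy(image[off:off + block])
        labels.append("empty" if h < 0.5 else "text-like" if h < 6.0 else "compressed-or-random")
    return labels


def build_sample_image():
    """Constructed: four 512-byte blocks: zeros, English text that happens to
    contain the bytes 'BM', pseudo-random bytes, and a real BMP followed by zeros."""
    text = (b"BMW club newsletter: the quick brown fox jumps over the lazy dog. " * 8)[:BLOCK]
    x, rnd = 12345, bytearray()
    while len(rnd) < BLOCK:                       # small LCG so the data is reproducible offline
        x = (x * 1103515245 + 12345) & 0x7FFFFFFF
        rnd.append((x >> 16) & 0xFF)
    bmp = build_sample_bmp()
    return bytes(BLOCK) + text + bytes(rnd) + bmp + bytes(BLOCK - len(bmp))


if __name__ == "__main__":
    img = build_sample_image()
    print("carved BMP objects:", [len(b) for b in carve_embedded_length(img)])
    print("block labels:", classify_blocks(img))
```

Only the real BMP is carved: the "BM" at the start of the text block is found, but its "size field" is the following four text bytes, which read as a length far larger than the input and fail the sanity check. The entropy labels show the statistical view of the same image, which is how a carver can skip empty or text regions when looking for compressed or encrypted material.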

File Carving challenges and test images

File Carving Challenge - DFRWS 2006: http://www.dfrws.org/2006/challenge/

File Carving Challenge - DFRWS 2007: http://www.dfrws.org/2007/challenge/

FAT Undelete Test #1 - Digital Forensics Tool Testing Image (dftt #6): http://dftt.sourceforge.net/test6/index.html

NTFS Undelete (and leap year) Test #1 - Digital Forensics Tool Testing Image (dftt #7): http://dftt.sourceforge.net/test7/index.html

Basic Data Carving Test - fat32, Nick Mikus - Digital Forensics Tool Testing Image (dftt #11): http://dftt.sourceforge.net/test11/index.html

Basic Data Carving Test - ext2, Nick Mikus - Digital Forensics Tool Testing Image (dftt #12): http://dftt.sourceforge.net/test12/index.html

See also

File Carving Tools (Tools:Data_Recovery#Carving)

File Carving Bibliography

Carver 2.0 Planning Page

SmartCarving (File Carving:SmartCarving)

Memory Carving

External Links

Measuring and Improving the Quality of File Carving Methods, by Bas Kloet: http://sourceforge.net/projects/revit/files/Documentation/Master%20Thesis%20-%20Advanced%20File%20Carving/