Difference between pages "Cell Phone Forensics" and "File Carving"

From ForensicsWiki

= Cell Phone Forensics =

== Guidelines ==

# If on, switch it off. If off, leave off.
#* Note that only under exceptional circumstances should the handset be left switched on, and in any case every precaution should be taken to prevent the handset from connecting to the Communication Service Provider. Consider use of a [http://www.paraben-forensics.com/catalog/product_info.php?cPath=26&products_id=173 Faraday Bag] (Shielded Bag). An example of a cellular seizure package is [http://www.paraben-forensics.com/catalog/product_info.php?cPath=26&products_id=372 Paraben's Handheld First Responder Kit], which also includes a [http://www.paraben-forensics.com/catalog/product_info.php?cPath=26&products_id=173 Faraday Bag].
#* Instead of switching off, it may be better to just pop the battery. Phones run a different part of their program when they are turned off, and you may wish to avoid having this part of the program run.
# Collect and preserve other surrounding and related devices. Be especially careful to collect the power charger: the phone's battery will only last a certain amount of time, and when it dies, much of the data on the device may go too.
# Plug the phone in, preferably in the evidence room, as soon as possible.
# Retain a [[search warrant]] (if necessary - [[LE]]).
# Return the device to the forensic lab if able.
# Use [[forensically sound]] tools for processing.

== Notes ==

Information to collect (to be expanded):

* [[ESN]],
* [[IMEI]],
* [[Carrier]],
* Manufacturer,
* Model Number,
* Color, and
* Other information related to the [[Cell Phone]] and [[SIM Card]]...

Process:

# Research the [[Cell Phone]] for technical specifications. Visit PhoneScoop.com or GSMArena.com for more information.
# Research the [[Cell Phone]] for forensic information. Visit Phone-Forensics.com or SmartPhoneForensics.com for more information.

== Links ==

* [http://www.GSMArena.com GSMArena.com (Technical information regarding GSM Cell Phones)]
* [http://www.Phone-Forensics.com Phone-Forensics.com (Practitioners' Forum)]
* [http://www.PhoneScoop.com PhoneScoop.com (Technical information regarding all Cell Phones)]
* [http://www.MobileForensics.com MobileForensics.com (Good article on Cell Phones)]
* [http://www.SmartPhoneForensics.com SmartPhoneForensics.com (Knowledge Base for Cell Phone Forensics)]
* [http://www.paraben-training.com/training.html Paraben-Forensics.com (Paraben's Handheld Forensic Training Classes)]

Revision as of 21:40, 21 October 2008

Carving is the practice of searching an input for files or other kinds of objects based on content, rather than on metadata. File carving is a powerful tool for recovering files and fragments of files when directory entries are corrupt or missing, as may be the case with old files that have been deleted or when performing an analysis on damaged media. Memory carving is a useful tool for analyzing physical and virtual memory dumps when the memory structures are unknown or have been overwritten.


File Carving

Most file carvers operate by looking for file headers and/or footers, and then "carving out" the blocks between these two boundaries. Semantic Carving performs carving based on an analysis of the contents of the proposed files.

File carving should be done on a disk image, rather than on the original disk.

File carving tools are listed on the Tools:Data_Recovery wiki page.

Many carving programs have an option to only look at or near sector boundaries where headers are found. However, searching the entire input can find files that have been embedded into other files, such as JPEGs being embedded into Microsoft Word documents. This may be considered an advantage or a disadvantage, depending on the circumstances.

Today most file carving programs will only recover files that are contiguous on the media.
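As an added illustration (not code from the ForensicsWiki page or from any tool it lists), the following Python script implements the header/footer approach described above over a constructed disk image, and shows why a carver that only accepts headers on sector boundaries misses a JPEG embedded inside another file. Its assumptions are the JPEG start bytes FF D8 FF, the footer FF D9 and a 512-byte sector; the "JPEG" payloads are constructed stand-ins, not valid images.

```python
# Added example: a minimal header/footer carver for JPEG-like objects.
# Assumptions: JPEG starts with FF D8 FF and ends with FF D9; sectors are 512 bytes.
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"
SECTOR = 512


def carve_jpegs(image: bytes, sector_aligned: bool = False, max_size: int = 1 << 20):
    """Return a list of (offset, data) for every header..footer span found.

    sector_aligned=True mimics carvers that only accept headers on a sector
    boundary. max_size bounds how far the footer search runs, so a header
    with no footer in range is skipped rather than carved to end of input.
    """
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_HEADER, pos)
        if start == -1:
            break
        if sector_aligned and start % SECTOR != 0:
            pos = start + 1           # header not on a sector boundary: ignore it
            continue
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            pos = start + 1           # no footer within max_size: nothing carved
            continue
        found.append((start, image[start:end + len(JPEG_FOOTER)]))
        pos = end + len(JPEG_FOOTER)  # block-based assumption: these bytes belong to one file
    return found


def fake_jpeg(payload: bytes) -> bytes:
    """Constructed stand-in: JPEG/JFIF start bytes and footer around filler (not a valid image)."""
    return JPEG_HEADER + b"\xe0" + payload + JPEG_FOOTER


def build_image() -> bytes:
    """Constructed 5-sector image: filler, a sector-aligned JPEG, filler, then a
    'document' that carries a JPEG 100 bytes into its first sector."""
    filler = bytes(SECTOR)
    aligned = fake_jpeg(b"A" * 300).ljust(SECTOR, b"\x00")          # sector 1, offset 512
    document = b"Constructed document text".ljust(100, b" ") + fake_jpeg(b"B" * 200)
    document = document.ljust(2 * SECTOR, b"\x00")                    # sectors 3-4, JPEG at offset 1636
    return filler + aligned + filler + document


if __name__ == "__main__":
    img = build_image()
    for mode in (True, False):
        hits = carve_jpegs(img, sector_aligned=mode)
        print(f"sector_aligned={mode}: carved {len(hits)} object(s) at {[o for o, _ in hits]}")
```

The sector-aligned pass recovers only the JPEG at offset 512; the full scan also recovers the embedded one at offset 1636, which is the trade-off the paragraph above describes.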

File Carving Taxonomy

Simson Garfinkel and Joachim Metz have proposed the following file carving taxonomy:

Carving
General term for extracting data (files) out of undifferentiated blocks (raw data), like "carving" a sculpture out of soapstone.
Block Based Carving
Any carving method (algorithm) that analyzes the input on a block-by-block basis to determine if a block is part of a possible output file. This method assumes that each block can only be part of a single file (or embedded file).
Characteristic Based Carving
Any carving method (algorithm) that analyzes the input on a characteristic basis (for example, entropy) to determine if the input is part of a possible output file.
Header/Footer Carving
A method for carving files out of raw data using a distinct header (start of file marker) and footer (end of file marker).
Header/Maximum (file) size Carving
A method for carving files out of raw data using a distinct header (start of file marker) and a maximum (file) size. This approach works because many file formats (e.g. JPEG, MP3) do not care if additional junk is appended to the end of a valid file.
Header/Embedded Length Carving
A method for carving files out of raw data using a distinct header and a file length (size) which is embedded in the file format.
File structure based Carving
A method for carving files out of raw data using a certain level of knowledge of the internal structure of file types. Garfinkel called this approach "Semantic Carving" in his DFRWS2006 carving challenge submission, while Metz and Mora called the approach "Deep Carving."
Semantic Carving
A method for carving files based on a linguistic analysis of the file's content. For example, a semantic carver might conclude that six blocks of French in the middle of a long HTML file written in English are a fragment left from a previously allocated file, and not part of the English-language HTML file.
Carving with Validation
A method for carving files out of raw data where the carved files are validated using a file type specific validator.
Fragment Recovery Carving
A carving method in which two or more fragments are reassembled to form the original file or object. Garfinkel previously called this approach "Split Carving."

File Carving challenges and test images

File Carving Challenge - DFRWS 2006: http://www.dfrws.org/2006/challenge/

File Carving Challenge - DFRWS 2007: http://www.dfrws.org/2007/challenge/

FAT Undelete Test #1 - Digital Forensics Tool Testing Image (dftt #6): http://dftt.sourceforge.net/test6/index.html

NTFS Undelete (and leap year) Test #1 - Digital Forensics Tool Testing Image (dftt #7): http://dftt.sourceforge.net/test7/index.html

Basic Data Carving Test - fat32, Nick Mikus - Digital Forensics Tool Testing Image (dftt #11): http://dftt.sourceforge.net/test11/index.html

Basic Data Carving Test - ext2, Nick Mikus - Digital Forensics Tool Testing Image (dftt #12): http://dftt.sourceforge.net/test12/index.html

See also

File Carving Tools (Tools:Data_Recovery#Carving)
File Carving Bibliography

Memory Carving