Difference between pages "File Carving:SmartCarving" and "Chrome Disk Cache Format"

From ForensicsWiki
(Difference between pages)
 
(See Also)
 
Line 1: Line 1:
'''SmartCarving''' is a [[File Carving|file carving]] technique to recover fragmented files first proposed by [[User:PashaPal|A. Pal]], T. Sencar and [[User:NasirMemon|N. Memon]] in DFRWS 2008. The term '''Smart Carving''' was already proposed in [http://sandbox.dfrws.org/2006/mora/dfrws2006.pdf]
+
{{expand}}
  
SmartCarving utilizes a combination of structure based validation along with validation of each file's unique content. Results for the SmartCarving technique
+
== Cache files ==
were demonstrated on fragmented jpegs in the DFRWS 2006 and DFRWS 2007 challenges. From these two challenges SmartCarving was able
+
The cache is stored in multiple:
to recover all but one fragmented jpeg file.
+
{| class="wikitable"
 +
|-
 +
! Filename
 +
! Description
 +
|-
 +
| index
 +
| The index file
 +
|-
 +
| data_#
 +
| Data block files
 +
|-
 +
| f_######
 +
| (Separate) data stream file
 +
|}
  
==History==
+
== Cache address ==
[[User:NasirMemon|Memon]] et al.[1] presented an efficient algorithm based on a greedy heuristic and alpha-beta pruning for reassembling fragmented images.
+
The cache address is 4 bytes in size and consists of:  
Building on this work, [[User:NasirMemon|Memon]] et al.[2] researched and introduced sequential hypothesis testing as a an effective mechanism for detecting fragmentation points of file. This paper won the best paper award for DFRWS 2008. The techniques presented in the paper were the foundation for the overall SmartCarving design.
+
{| class="wikitable"
 +
|-
 +
! offset
 +
! size
 +
! value
 +
! description
 +
|-
 +
| <i>If file type is 0 (Separate file)</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 0.0
 +
| 28 bits
 +
|
 +
| File number <br> The value represents the value of # in f_######
 +
|-
 +
| <i>Else</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 0.0
 +
| 16 bits
 +
|
 +
| Block number
 +
|-
 +
| 2.0
 +
| 8 bits
 +
|
 +
| File number (or file selector) <br> The value represents the value of # in data_#
 +
|-
 +
| 3.0
 +
| 2 bits
 +
|
 +
| Block size <br> The number of contiguous blocks where 0 represents 1 block and 3 represents 4 blocks.
 +
|-
 +
| 3.2
 +
| 2 bits
 +
|
 +
| Reserved
 +
|-
 +
| <i>Common</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 3.4
 +
| 3 bits
 +
|
 +
| File type
 +
|-
 +
| 3.7
 +
| 1 bit
 +
|
 +
| Initialized flag
 +
|}
  
==Details==
+
=== File types ===
After identifying a header block of a specific file type, for example, jpeg, a SmartCarver will analyze each subsequent block to determine if it
+
{| class="wikitable"
belongs or does not belong to the starting block. If a block is determined not to belong, then the file is assumed to be fragmented and the
+
|-
SmartCarving algorithm looks for the next fragment by matching the data of other available blocks with the first fragment. This process can be
+
! Value
done in parallel for many files.
+
! Description
 +
|-
 +
| 0
 +
| (Separate) data stream file
 +
|-
 +
| 1
 +
| (Rankings) block data file (36 byte block data file)
 +
|-
 +
| 2
 +
| 256 byte block data file
 +
|-
 +
| 3
 +
| 1024 byte block data file
 +
|-
 +
| 4
 +
| 4096 byte block data file
 +
|-
 +
|
 +
|
 +
|-
 +
| 6
 +
| Unknown; seen on Mac OS  X 0x6f430074
 +
|}
  
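Review bot: The File types table has an empty row between the value 4 row and the value 6 row, so value 5 is neither documented nor marked as unknown; fill the row in or drop it. On the value 6 row, say what 0x6f430074 is (for example, a cache address observed with that file type), since the cell gives the number without context.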
==Applications==
+
==== Examples ====
There are currently two applications available that utilize SmartCarving, both produced by Digital Assembly:
+
{| class="wikitable"
* [[Adroit Photo Forensics]]
+
|-
* Adroit Photo Recovery
+
! Value
 +
! Description
 +
|-
 +
| 0x00000000
 +
| Not initialized
 +
|-
 +
| 0x8000002a
 +
| Data stream file: f_00002a
 +
|-
 +
| 0xa0010003
 +
| Block data file: data_1, block number 3, 1 block of size
 +
|}
  
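Review bot: The description on the 0xa0010003 row stops at "1 block of size" without giving the size; finish the sentence. It would also help to name the file type for each example value so readers can check the rows against the File types table.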
== References ==
+
== Index file format (index) ==
* A. Pal and N. Memon, [http://digital-assembly.com/technology/research/pubs/ieee-trans-2006.pdf "Automated reassembly of file fragmented images using greedy algorithms"] in IEEE Transactions on Image processing, February 2006, pp 385­393
+
Overview:
* A. Pal, T. Sencar and N. Memon, [http://digital-assembly.com/technology/research/pubs/dfrws2008.pdf "Detecting File Fragmentation Point Using Sequential Hypothesis Testing"], Digital Investigations, Fall 2008
+
* File header
 +
* least recently used (LRU) data (or eviction control data)
 +
* index table
  
==External links==
+
=== File header ===
* [http://digital-assembly.com/products/adroit-photo-recovery/ Adroit Photo Recovery]
+
*TODO*
* [http://digital-assembly.com/products/adroit-photo-forensics/ Adroit Photo Forensics]
+
 
* [http://digital-assembly.com/technology/ Link to SmartCarving Technology and Research]
+
== Data block file format (data_#) ==
* [http://digital-assembly.com Digital Assembly]
+
Overview:
 +
* File header
 +
* array of blocks
 +
 
 +
=== File header ===
 +
*TODO*
 +
 
 +
== Data stream ==
 +
See: [[gzip]]
 +
 
 +
== See Also ==
 +
* [[Google Chrome]]
 +
* [[gzip]]
 +
 
 +
== External Links ==
 +
 
 +
[[Category:File Formats]]

Revision as of 13:29, 21 June 2014

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Cache files

The cache is stored in multiple files:

{| class="wikitable"
|-
! Filename !! Description
|-
| index || The index file
|-
| data_# || Data block files
|-
| f_###### || (Separate) data stream file
|}

Cache address

The cache address is 4 bytes in size and consists of:

{| class="wikitable"
|-
! offset !! size !! value !! description
|-
| <i>If file type is 0 (Separate file)</i> || || ||
|-
| 0.0 || 28 bits || || File number <br> The value represents the value of # in f_######
|-
| <i>Else</i> || || ||
|-
| 0.0 || 16 bits || || Block number
|-
| 2.0 || 8 bits || || File number (or file selector) <br> The value represents the value of # in data_#
|-
| 3.0 || 2 bits || || Block size <br> The number of contiguous blocks where 0 represents 1 block and 3 represents 4 blocks.
|-
| 3.2 || 2 bits || || Reserved
|-
| <i>Common</i> || || ||
|-
| 3.4 || 3 bits || || File type
|-
| 3.7 || 1 bit || || Initialized flag
|}

File types

{| class="wikitable"
|-
! Value !! Description
|-
| 0 || (Separate) data stream file
|-
| 1 || (Rankings) block data file (36 byte block data file)
|-
| 2 || 256 byte block data file
|-
| 3 || 1024 byte block data file
|-
| 4 || 4096 byte block data file
|-
| 6 || Unknown; seen on Mac OS X 0x6f430074
|}

Examples

{| class="wikitable"
|-
! Value !! Description
|-
| 0x00000000 || Not initialized
|-
| 0x8000002a || Data stream file: f_00002a
|-
| 0xa0010003 || Block data file: data_1, block number 3, 1 block of size
|}
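
A decoder for the cache address layout and the example values above, added here as an illustration (it is not code from ForensicsWiki or from Chromium). The function names are hypothetical; the little-endian on-disk byte order and the decimal rendering of # in data_# are assumptions inferred from the table's byte offsets and the data_1 example.

```python
import struct

# Block sizes in bytes per file type, from the "File types" table above.
BLOCK_SIZES = {1: 36, 2: 256, 3: 1024, 4: 4096}


def parse_cache_address(value):
    """Decode a 32-bit Chrome disk cache address into its fields."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("cache address must fit in 32 bits")
    addr = {
        "initialized": bool(value >> 31),          # offset 3.7, 1 bit
        "file_type": (value >> 28) & 0x7,          # offset 3.4, 3 bits
    }
    if not addr["initialized"]:
        return addr                                # e.g. 0x00000000
    if addr["file_type"] == 0:
        # Separate data stream file: the low 28 bits are the file number.
        number = value & 0x0FFFFFFF
        addr.update(file_number=number, filename="f_%06x" % number)
    else:
        number = (value >> 16) & 0xFF              # offset 2.0, 8 bits
        addr.update(
            block_number=value & 0xFFFF,           # offset 0.0, 16 bits
            file_number=number,
            filename="data_%d" % number,           # decimal is an assumption
            num_blocks=((value >> 24) & 0x3) + 1,  # offset 3.0: 0 means 1 block
            reserved=(value >> 26) & 0x3,          # offset 3.2, 2 bits
            # None for file types the table does not define (5, 6, 7).
            block_size=BLOCK_SIZES.get(addr["file_type"]),
        )
    return addr


def parse_cache_address_bytes(raw):
    """Decode the 4-byte on-disk form (little-endian is an assumption)."""
    if len(raw) != 4:
        raise ValueError("cache address is 4 bytes")
    return parse_cache_address(struct.unpack("<I", raw)[0])


if __name__ == "__main__":
    # The three example values from the table above.
    for example in (0x00000000, 0x8000002A, 0xA0010003):
        print("0x%08x" % example, parse_cache_address(example))
```

The value 0x6f430074 listed against file type 6 decodes with the initialized flag clear, so the decoder returns only the flag and the file type for it.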

Index file format (index)

Overview:

  • File header
  • least recently used (LRU) data (or eviction control data)
  • index table

File header

  • TODO*

Data block file format (data_#)

Overview:

  • File header
  • array of blocks

File header

  • TODO*

Data stream

See: gzip

See Also

  • Google Chrome
  • gzip

External Links