Difference between revisions of "File Carving"

From ForensicsWiki
(Initial description)
 
m
Line 1: Line 1:
File carving is the practice of searching an input for files based on their headers and/or footers. Most often the input is a disk image, but it's possible (and sometimes practical) to carve individual files.  
+
'''File carving''' is the practice of searching an input for files based on their headers and/or footers. Most often the input is a [[disk image]], but it's possible (and sometimes practical) to carve individual files or [[physical memory]].
  
Many carving programs have an option to only look at or near sector boundaries where headers are found. Searching the entire input can find files that have been embedded into other formats, such as JPEGs being embedded into Microsoft Word documents or files stored in a ZIP archive.
+
Many carving programs have an option to only look at or near sector boundaries where headers are found. Searching the entire input can find files that have been embedded into other formats, such as [[JPEG]]s being embedded into [[Microsoft]] [[DOC|Word documents]] or files stored in a [[ZIP]] archive.
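Review bot: in the first changed paragraph, appending "or [[physical memory]]" after "carve individual files" makes memory read as something being carved out, when the sentence is listing kinds of input alongside the disk image. Consider wording such as "it's possible (and sometimes practical) to carve individual files or a [[physical memory]] image" so the parallel with "disk image" is clear. The second paragraph's "only look at or near sector boundaries where headers are found" is also ambiguous and could be tightened while the links are being added.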

Revision as of 20:58, 2 May 2006

File carving is the practice of searching an input for files based on their headers and/or footers. Most often the input is a disk image, but it's possible (and sometimes practical) to carve individual files or physical memory.

Many carving programs have an option to only look at or near sector boundaries where headers are found. Searching the entire input can find files that have been embedded into other formats, such as JPEGs being embedded into Microsoft Word documents or files stored in a ZIP archive.
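The following is an added example, not part of the wiki page: a minimal header/footer carver for JPEG (start-of-image and end-of-image markers) that shows how the sector-boundary option misses a file embedded inside another format while a full scan finds it. The function names, the 512-byte sector size and the sample image are assumptions constructed for illustration.

```python
JPEG_HEADER = b"\xff\xd8\xff"   # start-of-image marker plus next marker prefix
JPEG_FOOTER = b"\xff\xd9"       # end-of-image marker
SECTOR = 512                    # assumed sector size


def carve_jpegs(data, sector_aligned=False, sector_size=SECTOR,
                max_size=10 * 1024 * 1024):
    """Return [(offset, carved_bytes)] for each header..footer span in data."""
    found = []
    pos = 0
    while True:
        start = data.find(JPEG_HEADER, pos)
        if start == -1:
            break
        # Sector-boundary option: ignore headers not at the start of a sector.
        if sector_aligned and start % sector_size != 0:
            pos = start + 1
            continue
        # Look for the footer, bounded so a stray header cannot swallow the image.
        end = data.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            pos = start + 1
            continue
        end += len(JPEG_FOOTER)
        found.append((start, data[start:end]))
        pos = end
    return found


def build_sample():
    """Constructed 8-sector image: one aligned JPEG, one embedded in a container."""
    jpeg_a = JPEG_HEADER + b"\xe0" + b"constructed-A" + JPEG_FOOTER
    jpeg_b = JPEG_HEADER + b"\xe0" + b"constructed-B" + JPEG_FOOTER
    image = bytearray(8 * SECTOR)
    image[SECTOR:SECTOR + len(jpeg_a)] = jpeg_a           # starts on a sector boundary
    doc = b"DOC-CONTAINER" + jpeg_b                        # JPEG at an unaligned offset
    image[4 * SECTOR:4 * SECTOR + len(doc)] = doc
    return bytes(image), jpeg_a, jpeg_b


if __name__ == "__main__":
    image, _, _ = build_sample()
    for aligned in (True, False):
        hits = carve_jpegs(image, sector_aligned=aligned)
        print("sector_aligned=%s:" % aligned, [off for off, _ in hits])
```

This sketch treats the first footer after a header as the end of the file, so fragmented files or images containing embedded thumbnails would be carved incorrectly.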