File Carving
AakarshRaj
7,470 views
25 slides
Mar 29, 2015
Slide 1 of 25
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
About This Presentation
An Introduction to File Carving and its techniques used in computer forensics....
Slide Content
FILE CARVING
WHAT IS FILE CARVING??
File Carving is the process of reassembling computer files from
fragments in the absence of file system metadata.
It is the process of extracting a collection of data from a larger data set.
Data carving techniques frequently occur during a digital investigation
under Computer Forensics when the unallocated file system space is
analysed to extract files.
The files are “carved” from the unallocated space using file type-specific
header and footer values.
2
File Carving is the process of reassembling computer files from
fragments in the absence of file system metadata.
It is the process of extracting a collection of data from a larger data set.
Data carving techniques frequently occur during a digital investigation
under Computer Forensics when the unallocated file system space is
analysed to extract files.
The files are “carved” from the unallocated space using file type-specific
header and footer values.
2
COMPUTER FORENSICS
Computer Forensics is a branch of digital forensic science
pertaining to legal evidence found in computers and digital storage
media.
The goal of computer forensics is to examine digital media in a
forensically sound manner with the aim of identifying, preserving,
recovering, analysing and presenting facts and opinions about the
digital information.
3
Computer Forensics is a branch of digital forensic science
pertaining to legal evidence found in computers and digital storage
media.
The goal of computer forensics is to examine digital media in a
forensically sound manner with the aim of identifying, preserving,
recovering, analysing and presenting facts and opinions about the
digital information.
3
HOW THE DATA IS HIDDEN??
Deleting A File
Sends the file to Windows Recycle Bin
Undeleted tools depend on the deleted directory entry
•That can be deleted or overwritten too
•Then there is no undeleting possible
Store Files in a TrueCrypt/VeraCrypt/CipherShed Volume
Undetected as a file(except for My tools)
Looks like random data in unallocated space
4
Deleting A File
Sends the file to Windows Recycle Bin
Undeleted tools depend on the deleted directory entry
•That can be deleted or overwritten too
•Then there is no undeleting possible
Store Files in a TrueCrypt/VeraCrypt/CipherShed Volume
Undetected as a file(except for My tools)
Looks like random data in unallocated space
4
5
FILE RECOVERY VS. FILE CARVING
FILE RECOVERY
•File recovery techniques make
use of the file system information
that remains after deletion of a
file.
•For this technique to work, the
file system information needs to
be correct. If not, the files can’t
be recovered.
FILE CARVING
•Carving deals with the raw data
on the media.
•Carving doesn’t care about
which file system is used to store
the files.
6
FILE RECOVERY
•File recovery techniques make
use of the file system information
that remains after deletion of a
file.
•For this technique to work, the
file system information needs to
be correct. If not, the files can’t
be recovered.
FILE CARVING
•Carving deals with the raw data
on the media.
•Carving doesn’t care about
which file system is used to store
the files.
6
HOW FILE CARVING WORKS??
File carving is a powerful technique for recovering files and fragments
of files when directory entries are corrupt or missing.
Every file type has its specific header and footer values. In File
Carving, raw data is searched block by block for residual data
matching the file type-specific header and footer values.
As long as data is not overwritten or wiped, deleted data on all
storage devices can be restored using carving techniques, including
multifunctional devices and even mobile phones.
7
File carving is a powerful technique for recovering files and fragments
of files when directory entries are corrupt or missing.
Every file type has its specific header and footer values. In File
Carving, raw data is searched block by block for residual data
matching the file type-specific header and footer values.
As long as data is not overwritten or wiped, deleted data on all
storage devices can be restored using carving techniques, including
multifunctional devices and even mobile phones.
7
EXAMPLE OF A FILE STRUCTURE
8
8
9
File Header
File Footer
File Header
File Footer
FILE CARVING ASSUMPTIONS
The files searched for are not fragmented.
The beginning of the file is still present.
The signature being searched for is not a common string, which could
cause numerous false positives.
The blocks of data searched one at a time are mostly 512 bytes in
size.
10
The files searched for are not fragmented.
The beginning of the file is still present.
The signature being searched for is not a common string, which could
cause numerous false positives.
The blocks of data searched one at a time are mostly 512 bytes in
size.
10
WHAT IF FRAGMENTATION OCCURS??
As files are edited, modified and deleted, most hard drives get
fragmented.
Also depends on allocation methodology of file system.
Fragmentation in forensically important files like email, WORD
document etc. is high. Why??
Because of constant editing, deletion and addition PST files are most
fragmented.
11
As files are edited, modified and deleted, most hard drives get
fragmented.
Also depends on allocation methodology of file system.
Fragmentation in forensically important files like email, WORD
document etc. is high. Why??
Because of constant editing, deletion and addition PST files are most
fragmented.
11
BASIC CARVING SCHEMES
•BiFragment Gap Recovery
•Given by Simson L. Garfinkel, a noted authority in computer forensics field.
•He proposed that a high percentage of files were saved in two separate
fragments, i.e., bifragment.
•SmartCarving
•Introduced by A. Pal, N. Memon. T. Sencar and K. Shanmugasundaram.
•It is used to carve out files which is divided into many fragments.
12
•BiFragment Gap Recovery
•Given by Simson L. Garfinkel, a noted authority in computer forensics field.
•He proposed that a high percentage of files were saved in two separate
fragments, i.e., bifragment.
•SmartCarving
•Introduced by A. Pal, N. Memon. T. Sencar and K. Shanmugasundaram.
•It is used to carve out files which is divided into many fragments.
12
BIFRAGMENT GAP RECOVERY
13
13
BIFRAGMENT GAP RECOVERY( CONTD.)
Simson L. Garfinkel estimated that upto 58% of outlook, 17% of jpegs
and 16% of MS-Word files are fragmented and, therefore, appear
corrupted or missing to a user using traditional data carving.
A. Pal, N. Memon. T. Sencar and K. Shanmugasundaram have
introduced a technique called SmartCarving that can recover
fragmented files.
14
Simson L. Garfinkel estimated that upto 58% of outlook, 17% of jpegs
and 16% of MS-Word files are fragmented and, therefore, appear
corrupted or missing to a user using traditional data carving.
A. Pal, N. Memon. T. Sencar and K. Shanmugasundaram have
introduced a technique called SmartCarving that can recover
fragmented files.
14
SMART CARVING
Can work on fragmented and non fragmented data.
Wide variety of file types supported.
Preprocessing
Data clusters are decrypted or decompressed.
Collating
Classification of cluster to various file types.
Reassembly
Reassemble the blocks in sequences that match their file type.
15
Can work on fragmented and non fragmented data.
Wide variety of file types supported.
Preprocessing
Data clusters are decrypted or decompressed.
Collating
Classification of cluster to various file types.
Reassembly
Reassemble the blocks in sequences that match their file type.
15
SMART CARVING(PREPROCESSING)
Compressed and encrypted drive are decrypted/decompressed in this
stage.
Removing known clusters from the disk based on file system meta-
data.
Helps increase the speed and reduce the amount of data for next phases.
Allocated files and Operating system specific data can be pruned
since it doesn’t have any use in forensics.
16
Compressed and encrypted drive are decrypted/decompressed in this
stage.
Removing known clusters from the disk based on file system meta-
data.
Helps increase the speed and reduce the amount of data for next phases.
Allocated files and Operating system specific data can be pruned
since it doesn’t have any use in forensics.
16
SMART CARVING(COLLATING)
Classifies the disk clusters as belonging to certain file types.
Reduces the cluster pool in recovery of file of each type.
Keyword/Pattern Matching
Looking for sequences to determine the type of cluster.
E.g. <html> tags in a cluster collates to html file.
ASCII characters frequency
High frequency of these indicate that data is non Video or Image.
17
Classifies the disk clusters as belonging to certain file types.
Reduces the cluster pool in recovery of file of each type.
Keyword/Pattern Matching
Looking for sequences to determine the type of cluster.
E.g. <html> tags in a cluster collates to html file.
ASCII characters frequency
High frequency of these indicate that data is non Video or Image.
17
SMART CARVING(REASSEMBLY)
Reassembly can be done by
Finding the starting fragment of a file that contains the header.
Merging clusters belonging to same fragment.
Finding the fragmentation point i.e. the last cluster in current segment.
Starting point of next fragment.
Ending point of last fragment. Last cluster containing the footer.
18
Reassembly can be done by
Finding the starting fragment of a file that contains the header.
Merging clusters belonging to same fragment.
Finding the fragmentation point i.e. the last cluster in current segment.
Starting point of next fragment.
Ending point of last fragment. Last cluster containing the footer.
18
FILE CARVING TAXONOMY
•Block Based Carving
•Statistical Carving
•Header/Footer Carving
•Header/Maximum File Size
Carving
•Header/Embedded Length
Carving
•File Structure Based Carving
•Semantic Carving
•Carving with Validation
•Fragment Recovery Carving
•Repackaging Carving
•Hash Carving
•Fuzzy Hash Carving
19
•Block Based Carving
•Statistical Carving
•Header/Footer Carving
•Header/Maximum File Size
Carving
•Header/Embedded Length
Carving
•File Structure Based Carving
•Semantic Carving
•Carving with Validation
•Fragment Recovery Carving
•Repackaging Carving
•Hash Carving
•Fuzzy Hash Carving
19
FILE CARVING TOOLS
Foremost - Originally designed by the US Air Force, it is a carver
designed for recovering files based on their headers, footers, and
internal data structures.
Scalpel - Scalpel is a rewrite of Foremost focused on performance
and a decrease of memory usage. It uses a database of header and
footer definitions and extracts matching files from a set of image files
or raw device files.
20
Foremost - Originally designed by the US Air Force, it is a carver
designed for recovering files based on their headers, footers, and
internal data structures.
Scalpel - Scalpel is a rewrite of Foremost focused on performance
and a decrease of memory usage. It uses a database of header and
footer definitions and extracts matching files from a set of image files
or raw device files.
20
FILE CARVING TOOLS( CONTD.)
Photorec - Photorec is a
data recovery software tool
designed to recover lost files
from digital camera storage,
hard disks, and CD-ROMs
using a FTK(Forensic ToolKit)
imager.
It recovers most common photo
formats, audio files, document
formats, such as Microsoft
Office, PDF, HTML, and
archive/compression formats.
21
Photorec - Photorec is a
data recovery software tool
designed to recover lost files
from digital camera storage,
hard disks, and CD-ROMs
using a FTK(Forensic ToolKit)
imager.
It recovers most common photo
formats, audio files, document
formats, such as Microsoft
Office, PDF, HTML, and
archive/compression formats.
21
FUTURE TOOLS
•Carver 2.0
•Open Source, in the early specification stages
•File Harvester
•Combination of multiple methods: Block Based Carving, Statistical Carving,
Header/Footer Carving, Header/Embedded Length Carving, File Structure
Based Carving, Fragment Recovery Carving, Repackaging Carving (Phase 3),
SmartCarving, Fuzzy Hash Carving
22
•Carver 2.0
•Open Source, in the early specification stages
•File Harvester
•Combination of multiple methods: Block Based Carving, Statistical Carving,
Header/Footer Carving, Header/Embedded Length Carving, File Structure
Based Carving, Fragment Recovery Carving, Repackaging Carving (Phase 3),
SmartCarving, Fuzzy Hash Carving
22
CONCLUSION
File Carving has revolutionized the computer forensics field by enabling
law enforcement to dig out various digital evidence which were earlier
inaccessible with the help of earlier means.
New technologies & techniques in File Carving are making it easier to
recover data with more accuracy and efficiency.
File Carving is still a developing area of computer forensics and has
made further inroads in the recovery of ephemeral data from mobile
phones as evidence.
23
File Carving has revolutionized the computer forensics field by enabling
law enforcement to dig out various digital evidence which were earlier
inaccessible with the help of earlier means.
New technologies & techniques in File Carving are making it easier to
recover data with more accuracy and efficiency.
File Carving is still a developing area of computer forensics and has
made further inroads in the recovery of ephemeral data from mobile
phones as evidence.
23
24
25
Categories
GeneralDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 7,470
- Slides 25
- Favorites 2
- Age 3907 days
Related Slideshows
22
Pray For The Peace Of Jerusalem and You Will Prosper
RodolfoMoralesMarcuc
35 views
26
Don_t_Waste_Your_Life_God.....powerpoint
chalobrido8
38 views
31
VILLASUR_FACTORS_TO_CONSIDER_IN_PLATING_SALAD_10-13.pdf
JaiJai148317
34 views
14
Fertility awareness methods for women in the society
Isaiah47
31 views
35
Chapter 5 Arithmetic Functions Computer Organisation and Architecture
RitikSharma297999
30 views
5
syakira bhasa inggris (1) (1).pptx.......
ourcommunity56
31 views