±Partners and Sponsors

±Your Account


Nickname
Password


Forgotten password/username?


Membership:
New Today: 6
New Yesterday: 2
Overall: 26983
Visitors: 63

±Follow Forensic Focus

Join our LinkedIn group

Subscribe to news

Subscribe to forums

Subscribe to blog

Subscribe to tweets

manually carve a file from image

Computer forensics discussion. Please ensure that your post is not better suited to one of the forums below (if it is, please post it there instead!)
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

manually carve a file from image

Post Posted: Fri Dec 07, 2012 5:55 am

I'm trying to get more information on a methodology for carving a file out of an image that a forensic tool was unable to carve out. Any resources/ references would be greatly appreciated.  

digitalcoroner
Member
 
 
  

Re: manually carve a file from image

Post Posted: Fri Dec 07, 2012 6:01 am

What sort of file is it and do you know why the forensic tool was unable to find it?  

joethomas
Senior Member
 
 
  

Re: manually carve a file from image

Post Posted: Fri Dec 07, 2012 7:17 am

- digitalcoroner
I'm trying to get more information on a methodology for carving a file out of an image that a forensic tool was unable to carve out. Any resources/ references would be greatly appreciated.


A rather basic method would be based on syntactic (and perhaps even semantic) structures. You essentially build a parser for the file type you want to carve, start it on the initial sector/cluster, and let it process until it hits the end of the block. At that point the parser is in some syntactic state, implying a grammatical context. Next find all unallocated sectors/clusters that commence with something that fits that structure (syntactically and semantically), and do trial parses on each of them. If the parser blocks due to syntactical or semantical inconsistencies, forget the block -- it can't be part of the file. At this point you have one starting block + N continuation blocks that 'make sense'. At each branch end, keep going in the same manner, until you hit a end-of-file indication (explicit or implicit). That is a candidate file. Depending on the file type you may either stop or keep going, collecting all candidates. (If there is no continuation, you may decide you have a partial recovery, and report that, of course.)

You'll need rather strong syntax, though: weakly described files may produce so many candidates that you can't select between them.  

Last edited by athulin on Sat Dec 08, 2012 2:27 am; edited 1 time in total

athulin
Senior Member
 
 
  

Re: manually carve a file from image

Post Posted: Fri Dec 07, 2012 7:50 am

This might be of use:
reboot.pro/topic/17778-binwalk/

jaclaz
_________________
- In theory there is no difference between theory and practice, but in practice there is. - 

jaclaz
Senior Member
 
 
  

Re: manually carve a file from image

Post Posted: Fri Dec 07, 2012 7:55 am

As joethomas asked, what type of file is it?

There are many files that standard carving programs will not find, eg .dat , .txt or ones for very specific applications

My approach would be to use a hex editor and do some manual searching. If the file type has a unique signature, then it may be easy to find (and some carving tools will allow you add the signature). Otherwise, try and find a string 'unique' to that file. If it is text, maybe a text string.

You do not say if you are after a single file, or several/many files of a specific type.
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

mscotgrove
Senior Member
 
 
  

Re: manually carve a file from image

Post Posted: Fri Dec 07, 2012 8:14 am

- digitalcoroner
I'm trying to get more information on a methodology for carving a file out of an image that a forensic tool was unable to carve out. Any resources/ references would be greatly appreciated.


If you want a good answer, you perhaps need to ask a better question.

Useful information you could provide may include:

- Type of file? Extension?
- Expected size of file, if known
- Are you carving from unallocated?
- What tools have you used? How did you search for it?
- Is it possibly encrypted?
- Is it possibly in an archive?
- What's your budget? Or can you only use free solutions?
_________________
Forensic Control
twitter.com/ForensicControl 

Jonathan
Senior Member
 
 
  

Re: manually carve a file from image

Post Posted: Fri Dec 07, 2012 12:05 pm

As joethomas asked, what type of file is it?

There are many files that standard carving programs will not find, eg .dat , .txt or ones for very specific applications

My approach would be to use a hex editor and do some manual searching. If the file type has a unique signature, then it may be easy to find (and some carving tools will allow you add the signature). Otherwise, try and find a string 'unique' to that file. If it is text, maybe a text string.

You do not say if you are after a single file, or several/many files of a specific type.
_________________
Michael Cotgrove
www.cnwrecovery.com
cnwrecovery.blogspot.com/ 

mscotgrove
Senior Member
 
 
Reply to topicReply to topic

Share this forum topic to encourage more replies



Page 1 of 1