Most people in this forum are already familiar with
If you don't know what they are, they are tools that will dig through a dd image of a filesystem, memory, swap file, etc. and "carve" out files. The power is in the configuration file that contains patterns for matching files. The patterns typically consist of a header and/or a footer, such as this one for JPGs.
Extension CaseSens Size Header Footer
jpg y 20000000 \xff\xd8 \xff\xd9
I am compiling what I hope will be a reasonably comprehensive configuration file for use with foremost and scalpel that includes tested and reliable patterns. If you have patterns that you can share without violating company policies, I would appreciate them. Once I start getting configs from individuals and validate them, they will be made available to the forensic community.
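To make it easier to validate a submitted pattern before it goes into a shared config, here is a small header/footer carver I wrote for this thread (my own code, not part of foremost or scalpel). It reads config lines in the format quoted above, carves from a constructed in-memory image, and shows the two cases a pattern has to get right: a footer found within the max size, and a missing footer where only the max size bounds the carve. Function names and the sample image are my own assumptions.

```python
# Added example, not foremost/scalpel code: carve a byte image using config lines
# of the form "extension case-sensitive max-size header [footer]", so a pattern can be
# sanity-checked on known data. Names (unescape, parse_config, carve) are mine.

def unescape(pat: str) -> bytes:
    # Config patterns write binary bytes as \xNN; everything else is a literal char.
    out, i = bytearray(), 0
    while i < len(pat):
        if pat[i] == "\\" and pat[i + 1:i + 2] == "x" and i + 3 < len(pat):
            out.append(int(pat[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(pat[i]))
            i += 1
    return bytes(out)

def parse_config(text: str) -> list:
    # One rule per line; blank lines and lines starting with '#' are skipped.
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0].startswith("#"):
            continue
        rules.append({"ext": fields[0], "case": fields[1].lower() == "y",
                      "size": int(fields[2]), "header": unescape(fields[3]),
                      "footer": unescape(fields[4]) if len(fields) > 4 else b""})
    return rules

def carve(image: bytes, rule: dict) -> list:
    # Returns (offset, data) per header hit. Carves through the footer when it lies
    # within max size; otherwise carves exactly max size bytes (or to end of image).
    hdr, ftr, limit = rule["header"], rule["footer"], rule["size"]
    hay = image if rule["case"] else image.lower()   # ASCII-only case folding
    if not rule["case"]:
        hdr, ftr = hdr.lower(), ftr.lower()
    hits, pos = [], hay.find(hdr)
    while pos != -1:
        end = min(pos + limit, len(image))
        if ftr:
            fpos = hay.find(ftr, pos + len(hdr), end)
            if fpos != -1:
                end = fpos + len(ftr)
        hits.append((pos, image[pos:end]))
        pos = hay.find(hdr, pos + len(hdr))   # nested headers (thumbnails) are reported too
    return hits

# Constructed image: one complete JPEG-like blob, then one whose footer is missing.
IMAGE = (b"\x00" * 16 + b"\xff\xd8\xff\xe0JFIFdata\xff\xd9" + b"\x00" * 8
         + b"\xff\xd8truncated-no-footer" + b"\x00" * 4)
CONFIG = r"jpg y 20000000 \xff\xd8 \xff\xd9"   # the JPG line from this thread
```

Running `carve(IMAGE, parse_config(CONFIG)[0])` yields a 14-byte file at offset 16 and a 25-byte footerless carve at offset 38 that runs to the end of the image; lowering the max size to 8 bytes truncates the first file before its footer, which is the kind of mis-sizing a config review should catch.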
Great to see some work is being done on data carving configuration.
Given that for file identification libmagic is commonly used, and people thus tend to have a large set of libmagic configuration data that holds known file headers, would it not be a good idea to look at how to make data carving tool configurations integrate with libmagic configurations? Maybe looking at working with the libmagic people on integrating footer support into libmagic, and using libmagic as the core of the carving tool?
Got any?
Sadly, not a single person contacted me with new sigs. I was hoping to have something we could work into a wiki. Maybe it's worth pursuing on ForensicsWiki.org.