Data Carving - Spec...
 
Notifications
Clear all

Data Carving - Specify Header and Footer

12 Posts
7 Users
0 Reactions
831 Views
pronie2121
(@pronie2121)
Estimable Member
Joined: 17 years ago
Posts: 117
Topic starter  

I have come across a situation where I have to data carve DICOM images out of unallocated space. Being that this is not a common file format I have located the header and footer of each file and there are quite a few thousand of them in unallocated space. Are there any tools that allow you to specify your own type of file and input a header and footer for the program to carve. I was looking at scapel and it says "reads a database of header and footer definitions" Is there anyway to add my own header and footer into this database, and does anyone have directions to do so if this is possible. Thanks for the help any other ideas are appreciated.


   
Quote
CdtDelta
(@cdtdelta)
Estimable Member
Joined: 16 years ago
Posts: 134
 

If I remember right scapel uses an INI file that you can add headers and footers too.


   
ReplyQuote
(@mscotgrove)
Prominent Member
Joined: 16 years ago
Posts: 940
 

You may find that DICOM does not respond to a simple header and footer approach. Looking at the solution I wrote for it, it is a whole series of tags


   
ReplyQuote
pronie2121
(@pronie2121)
Estimable Member
Joined: 17 years ago
Posts: 117
Topic starter  

If I remember right scapel uses an INI file that you can add headers and footers too.

You may find that DICOM does not respond to a simple header and footer approach. Looking at the solution I wrote for it, it is a whole series of tags

Is there an available solution that I can try that you reference? thank you


   
ReplyQuote
(@mscotgrove)
Prominent Member
Joined: 16 years ago
Posts: 940
 

www.cnwrecovery.com

The demo will locate files, but not save them. Howver, you can view them a hex dump

You will require the Image raw function, and Split on possible file starts option. There are many variations of Dicom files, and my program may not detect every variation - but feel free to give it a try.


   
ReplyQuote
(@a_kuiper)
Trusted Member
Joined: 16 years ago
Posts: 69
 

DICOM is most probably the most widely used image-format in medial image-processing but you will need a special viewer.

This might help http//www.sph.sc.edu/comd/rorden/dicom.html


   
ReplyQuote
ForensicRob
(@forensicrob)
Eminent Member
Joined: 20 years ago
Posts: 26
 

Michael,

The DICOM file standard is available at http//www.sph.sc.edu/comd/rorden/dicom.html. It clearly describes how the 128 byte header is followed by the magic ID/signature "DICM". If you have encountered variations, that require additional signatures/tags, then there must be some developers that aren't following the specification. Or, are you talking about variations in the footer signature?

Since Scalpel is free, and the person who asked the question has already collected the header and footer signatures for the variation of DICOM that they are using, I'd recommend that they try Scalpel first. Although $20 for your software isn't a bad price either, if it can find this person's variation of DICOM.

Rob


   
ReplyQuote
(@mscotgrove)
Prominent Member
Joined: 16 years ago
Posts: 940
 

I have seen DICOM files that do not have the DICM header as described in the documentation. These files do view in IrfanView.


   
ReplyQuote
(@research1)
Estimable Member
Joined: 16 years ago
Posts: 165
 

Encase allows you to input header and footers to search for file types(file finder).

You can also do a key word search for the header/footer and simple turn the results into 'image=true'.

L


   
ReplyQuote
pronie2121
(@pronie2121)
Estimable Member
Joined: 17 years ago
Posts: 117
Topic starter  

I have been successful in manually carving out the DICOM files from unallocated space, I did download a DICOM viewer and have been successful in viewing these carved files as well, but as it turns out there are thousands of them, so I feel that an automated process would be much easier as long as I can specify the header/footer. I will give the software a try, thanks for all the responses, I will also be trying EnCase to see how the file finder works out, thanks.


   
ReplyQuote
Page 1 / 2
Share: