Forums
Main Category
General (Technical,...
data carving tools
 
Notifications
Clear all

data carving tools

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by chrism 8 years ago
6 Posts
5 Users
0 Reactions
2,700 Views
RSS
 weresmytriple
(@weresmytriple)
Active Member
Joined: 9 years ago
Posts: 8
Topic starter 07/06/2017 1:41 am  

hi i have an E01 file and need to carve some general documents like .docx .xslx .jpeg and so on does any one know of any open source carving tools i have tried scalpel and autospy just crashes due to the size of the image

thanks


   
Quote
jpickens
 jpickens
(@jpickens)
Estimable Member
Joined: 18 years ago
Posts: 130
07/06/2017 2:00 am  

How big is the image and how much RAM and Disk space do you have?

Image carving may need lots of temp space as well as additional export space depending on the size of the image and/or unallocated space.

Also you may want to look at any config parameters in your carving requirements like max export size to help prevent from carving chunks that are too large.


   
ReplyQuote
 weresmytriple
(@weresmytriple)
Active Member
Joined: 9 years ago
Posts: 8
Topic starter 07/06/2017 2:16 am  

i have 16 GB ram

500GB SSD
2TB data drive
1TB back up drive

Disk image orginally 2TB compression 9 whiles imaging it = 254,731,437 KB


   
ReplyQuote
JaredDM
 JaredDM
(@jareddm)
Estimable Member
Joined: 9 years ago
Posts: 118
07/06/2017 3:24 am  

I would just use ImDisk to mount the Encase image, then you can use all sorts of file carving software against it. My favorite is R-Studio because you can create your own custom XML file signatures for any types not already supported. But, that's not a free option.

As a free option you can try photorec which comes with testdisk from CGSecurity. Or you can try one of the other free data recovery tools such as Recuva Free.


   
ReplyQuote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
07/06/2017 2:48 pm  

Also - as a side note - since you are doing "carving from RAW" there is not any problem in making segments of the image and analyze each separately.

Of course you may "lose" 1 document (hypothetically carvable) that happens to lie where you make the division in two segment, while 2 Tb may be "a lot", you could use 4 segments, I am pretty sure that scalpel can deal with a 512 Gb segment, so all in all at the most you risk to not find 3 files, and you can anyway make a further three - say - 10 Gb segments covering 5 Gb before and 5 Gb after the dividing point and analyze those.

@jaredDM
I would rather use the Arsenal Image Mounter (that mounts the whole disk), instead of IMDISK (that can only mount volume(s)).
The Author, is the same Olof Lagerkvist, that developed for Arsenal Recon the new Image Mounter exactly because IMDISK had some limitations for forensic use
https://arsenalrecon.com/apps/image-mounter/

jaclaz


   
ReplyQuote
 chrism
(@chrism)
Trusted Member
Joined: 16 years ago
Posts: 97
07/06/2017 4:00 pm  

I would use bulk_extractor myself. Try it against the EWF image and the mounted image.

Or try Foremost against the raw image. Usage example

root@kali~# foremost -t doc,jpg,pdf,xls -i image.dd
Processing image.dd
|*|
root@kali~# ls output/
audit.txt jpg pdf


   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: