Is there a way to get the actual names of files that are found from data carving in FTK? After using the data carving option, I found some pdf files but the names appear with the extension and random numbers, such as PDF_99722245[4].pdf. I looked at the file using a hex editor but could not see it. Perhaps I overlooked something. If anyone can shed some light on this it would be most appreciated.
My answer would be only if the name is stored in the metadata of the file you carved.
Remember, the reason you are carving is that the file was not within existing or deleted files, and therefore not in any tables.
Mike
senordiablo,
The file name and other metadata such as file dates no longer exist as a directory entry in the file system; the pointer to the contents is also lost. Data carving scans unallocated space looking for header and possibly footer information of known file types and recovers that block of data. FTK gives the recovered file a name, and these are numbers as you have described.
Alan
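Added example, not part of the original posts and not FTK's own code: a minimal header/footer carver for PDFs that then looks for a document title inside the carved data, which is the only place a name can survive. The sample buffer is constructed, and the sketch assumes the title is stored as an uncompressed literal string (`/Title (...)`); titles in compressed object streams or hex/UTF-16 strings would need a real PDF parser.

```python
import re

PDF_HEADER, PDF_FOOTER = b"%PDF-", b"%%EOF"
# Assumption: title stored as an uncompressed literal string, /Title (text)
TITLE_RE = re.compile(rb"/Title\s*\(((?:\\.|[^\\()])*)\)")

# Constructed stand-in for unallocated space: filler bytes, one PDF with a
# title in its Info dictionary, more filler, one PDF with no title at all.
SAMPLE = (
    b"\x00" * 16
    + b"%PDF-1.4\n1 0 obj\n<< /Title (Q3 Budget \\(draft\\)) /Producer (x) >>\n"
      b"endobj\ntrailer\n<< /Info 1 0 R >>\n%%EOF\n"
    + b"\xff" * 8
    + b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
)


def carve_pdfs(raw):
    """Return (offset, data) for every header..footer span in raw bytes."""
    carved, pos = [], 0
    while (start := raw.find(PDF_HEADER, pos)) != -1:
        nxt = raw.find(PDF_HEADER, start + 1)
        limit = nxt if nxt != -1 else len(raw)
        # Incrementally saved PDFs contain several %%EOF markers, so take
        # the last one that appears before the next header.
        end = raw.rfind(PDF_FOOTER, start, limit)
        if end != -1:
            carved.append((start, raw[start:end + len(PDF_FOOTER)]))
        pos = limit
    return carved


def pdf_title(data):
    """Return the embedded /Title string, or None if the file carries none."""
    m = TITLE_RE.search(data)
    if not m:
        return None
    # Unescape \( \) and \\ ; other escape sequences are left untouched.
    text = re.sub(rb"\\([()\\])", rb"\1", m.group(1))
    return text.decode("latin-1") or None


if __name__ == "__main__":
    for offset, data in carve_pdfs(SAMPLE):
        # The fallback name is hypothetical; it is not FTK's naming scheme.
        name = pdf_title(data) or f"carved_{offset:08d}"
        print(f"offset {offset}: {len(data)} bytes -> {name}.pdf")
```

The embedded title is whatever the authoring application wrote, so it may differ from the name the file had on disk.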