I'm trying to get more information on a methodology for carving a file out of an image that a forensic tool was unable to carve out. Any resources/ references would be greatly appreciated.
What sort of file is it and do you know why the forensic tool was unable to find it?
I'm trying to get more information on a methodology for carving a file out of an image that a forensic tool was unable to carve out. Any resources/ references would be greatly appreciated.
A rather basic method would be based on syntactic (and perhaps even semantic) structures. You essentially build a parser for the file type you want to carve, start it on the initial sector/cluster, and let it process until it hits the end of the block. At that point the parser is in some syntactic state, implying a grammatical context. Next find all unallocated sectors/clusters that commence with something that fits that structure (syntactically and semantically), and do trial parses on each of them. If the parser blocks due to syntactical or semantical inconsistencies, forget the block – it can't be part of the file. At this point you have one starting block + N continuation blocks that 'make sense'. At each branch end, keep going in the same manner, until you hit a end-of-file indication (explicit or implicit). That is a candidate file. Depending on the file type you may either stop or keep going, collecting all candidates. (If there is no continuation, you may decide you have a partial recovery, and report that, of course.)
You'll need rather strong syntax, though weakly described files may produce so many candidates that you can't select between them.
This might be of use
http//
jaclaz
As joethomas asked, what type of file is it?
There are many files that standard carving programs will not find, eg .dat , .txt or ones for very specific applications
My approach would be to use a hex editor and do some manual searching. If the file type has a unique signature, then it may be easy to find (and some carving tools will allow you add the signature). Otherwise, try and find a string 'unique' to that file. If it is text, maybe a text string.
You do not say if you are after a single file, or several/many files of a specific type.
I'm trying to get more information on a methodology for carving a file out of an image that a forensic tool was unable to carve out. Any resources/ references would be greatly appreciated.
If you want a good answer, you perhaps need to ask a better question.
Useful information you could provide may include
- Type of file? Extension?
- Expected size of file, if known
- Are you carving from unallocated?
- What tools have you used? How did you search for it?
- Is it possibly encrypted?
- Is it possibly in an archive?
- What's your budget? Or can you only use free solutions?
As joethomas asked, what type of file is it?
There are many files that standard carving programs will not find, eg .dat , .txt or ones for very specific applications
My approach would be to use a hex editor and do some manual searching. If the file type has a unique signature, then it may be easy to find (and some carving tools will allow you add the signature). Otherwise, try and find a string 'unique' to that file. If it is text, maybe a text string.
You do not say if you are after a single file, or several/many files of a specific type.