Over the past several months I have not been on the forums; I have been diligently creating a new carving engine, now called Guardian. The program was initially created just to recover files in a hopefully timely manner; however, I have since optimized the speed to match Scalpel and in some cases beat Scalpel. The program is very accurate and will even recover Exif camera formats (for some reason Scalpel always failed me there). Below is a screenshot of a working build of Guardian.
Features of the Guardian carving engine
- Does not use Scalpel or any other program besides itself.
- MD5s the files as they are analyzed.
- Does not output the entire collection of the carve but provides a preview so the investigator can remove files and only output evidence when needed.
- Contains my MD5 database to remove known benign files on the fly.
- Can save and load the analysis list to examine key evidence at a later date if needed, rather than having to re-carve the entire image.
I also implemented a string search engine into Guardian as well. Below is a screenshot.
Features
- Gives a preview of the text around the searched term in the listed results, allowing the investigator to quickly sort through what is useful and what is not.
- Provides a full view of the text, in a window set by the controls at the bottom, of the document/paragraph the text came from.
- Again, as above, the user can save the search results to a save file and load it at a later date to either present them or obtain additional data.
The reason I am posting is to ask for suggestions, and any features that would make the program even better. I do not have a demo available, so it's difficult to recommend features based on pictures alone. However, this program is my passion and I wish to make it greater. I am thinking of posting a video of the program in action on my website so you can see exactly how fast it is. Please let me know of any comments, concerns or ideas that will help make this program better, and please also take the poll question. I am good friends with Mitchell Machor and we are thinking of combining a few of our programs. Let me know what you all think :D
Thanks for the posts in advance
Ryan Manley
Xabersoft
xaberx,
Does this work with NTFS images? Just wondering, given your recent post about learning NTFS.
Yes, it works on all raw image formats; however, I am looking into showing an image file's directory structure, kind of like FTK Imager does. This program will read an image at the byte level regardless of file system.
Learning NTFS would be a big help in carving fragmented files. I'd guess you aren't getting as many files as you could...
It actually is a small test image. When a drive is imaged the data is stored in byte format; JPGs and other images have headers, which are specific sets of bytes that mark the beginning of the file. Regardless of the file system it will still have the same headers and footers (unless altered) for that format, so it doesn't matter in this case that it was an NTFS or FAT drive; the program reads the image equally... Because this was a test image there were not many images on the drive; however, after using my MD5 database I was able to clear many of the benign ones out before taking the screen. Thanks for the questions, however.
xaberx,
Carving files based on the header and footer alone will only help you if the file was stored in a contiguous amount of space. If the file was fragmented, then the only way you can carve all of it is by following the entries in the FAT/MFT to locate each cluster the file has been stored in.
Jeff
I didn't see the part about fragmented files... It's been a long day. I am looking into the file system to try and show the directory structure. Sorry for the above, I was half awake. The book File Systems Analysis is very useful to me on this matter; I just have to find a way to interpret $MFT for this purpose and for advanced carving purposes.
Thanks all. How do you like the program interface?
xaberx,
You mention that your proprietary carving engine is better (faster and more accurate) than others. Can you tell me in what way it is more accurate?
Do you find files that Scalpel, FTK, EnCase and X-Ways miss? Or do you get less false hits? I'm curious how you've been able to "out program" the big companies.
Thanks.
It is faster and more accurate for the following reasons:
1. It uses a buffer approach to load a large amount of the drive into RAM, making the analysis faster than Scalpel's when looking for headers. This improves speed because Scalpel simply goes through the image continuously; using array bursts speeds this up considerably.
2. The program does not carve all files out but merely keeps track of their locations so that the preview can be rendered on single files, saving space.
3. It uses MD5 databases to remove known benign files from the list in a matter of minutes, as all files are hashed upon analysis (unless opted out). This removes known OS files.
4. Scalpel will not carve out Exif formats. I do not know why this is so, but every attempt to carve out Exifs has failed with Scalpel, even when shortening the header. My program is not as picky and retrieves the Exif JPG formats.
5. The program also has a string search engine that is faster than Sector Spy, and gives a preview of the text around the string to improve searching for potential keywords/evidence.
I have only pitted this program against Scalpel and Sector Spy, and both times my program was faster, on both an 80GB image and a 1GB flash image as seen above, though there weren't many files on the 1GB flash.
I believe the buffer method is what makes it faster; however, high system requirements are very helpful (like 2-3GB RAM). My test machine has 8GB RAM, Vista 64-bit (everything runs nicely on 64-bit). I have verified my program against Scalpel and achieved the same results in less time, and for some reason I get less junk. I don't see how this happens, but it appears the gremlins are working in my favor. I didn't list the fewer junk files above as my code does not explain this feature yet (it may be a problem with Scalpel, or my program having a nice side-effect feature). Either way, in both the Scalpel and Sector Spy tests my program is faster and has less junk (though I still don't know why), and it gives a preview for string searching.
I will also be adding a feature to separate evidence/desired files from the main carve list to make it easier to process the data as well. Please keep up the posts. I am looking for any way to make it better as well. I do not have a public version yet, as it is undergoing so many alterations that I revise it daily to make it smoother in operation.
Thanks
Ryan
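As an added illustration (not Guardian's code, and not posted by anyone in the thread), here is a small Python header/footer carver in the style Ryan describes: it scans the image in fixed-size buffers with an overlap so a header split across two buffers is not missed, records only offsets and an MD5 per hit instead of writing files out, and drops hits whose hash is in a known-benign set; as Jeff notes, it takes the first footer after each header, so fragmented files are not reassembled. The JPEG markers are the real SOI/EOI bytes; the sample image, the 16-byte buffer size and the max_len window are constructed assumptions.

```python
import hashlib
import io

# JPEG start-of-image and end-of-image markers: the header/footer pair discussed in the thread.
SIGNATURES = {"jpg": (b"\xff\xd8\xff", b"\xff\xd9")}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def find_headers(stream, header: bytes, chunk_size: int):
    """Yield absolute offsets of every header hit, reading the stream one buffer at a time.
    The last len(header)-1 bytes of each buffer are carried into the next so a header
    straddling a buffer boundary is still found (and never reported twice)."""
    overlap, carry, base = len(header) - 1, b"", 0
    while True:
        data = stream.read(chunk_size)
        if not data:
            return
        buf, start = carry + data, 0
        while (i := buf.find(header, start)) >= 0:
            yield base - len(carry) + i      # buf[0] sits at absolute offset base - len(carry)
            start = i + 1
        carry = buf[-overlap:] if overlap else b""
        base += len(data)

def carve_index(stream, chunk_size: int = 1 << 20, max_len: int = 1 << 20, known_benign=frozenset()):
    """Return (kind, start, end, md5) for each contiguous header..footer run without writing
    any file out; hits whose MD5 is in known_benign are dropped. The first footer within
    max_len of a header is taken, so a fragmented file is not reassembled (that needs the FAT/MFT)."""
    results = []
    for kind, (header, footer) in SIGNATURES.items():
        stream.seek(0)
        for off in list(find_headers(stream, header, chunk_size)):
            stream.seek(off)
            window = stream.read(max_len)
            end = window.find(footer, len(header))
            if end < 0:
                continue                      # no footer within max_len: skip the hit
            end += len(footer)
            digest = md5_hex(window[:end])
            if digest not in known_benign:
                results.append((kind, off, off + end, digest))
    return results

# Constructed sample image: two fake JPEG-like blobs in zeroed slack; the first is placed at
# offset 15 so its 3-byte header straddles a 16-byte buffer boundary.
SAMPLE_JPG_A = b"\xff\xd8\xff" + b"A" * 20 + b"\xff\xd9"
SAMPLE_JPG_B = b"\xff\xd8\xff" + b"B" * 5 + b"\xff\xd9"
SAMPLE_IMAGE = b"\x00" * 15 + SAMPLE_JPG_A + b"\x00" * 7 + SAMPLE_JPG_B + b"\x00" * 4

def sample_stream():
    return io.BytesIO(SAMPLE_IMAGE)
```

Running `carve_index(sample_stream(), chunk_size=16)` lists both blobs by offset and hash; passing the second blob's MD5 in known_benign removes it from the list the same way a known-file database would.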
Did you try it against Adroit Photo Forensics? It does many of the things you list. Download it from http//