Notifications

Clear all

Scalpel only carves thumbnails?

NervsOfSteel · 2012-04-06T20:20:59Z

Hi. I want (need) to use Scalpel to carve out 10 jpg images from a dd image. The problem is that Scalpel only carves out thumbnails and not the full size ones. Why is that? This is my approach I copied the jpg signature information from the config file to another file called jpg.conf. I then uncomment the signature lineTo start Scalpel i use this commandsudo scalpel -c /home/……/jpg.conf /home/……./Dataset 1.001 -o /home/…./Result Scalpel then starts to search through the dd image and only outputs thumbnails. I've tried to shorten the header signature and add new ones, but that only results in more thumbnails.Am i doing something wrong?

Page 2 / 2 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by jonstewart 13 years ago

14 Posts

7 Users

0 Reactions

1,903 Views

RSS

NervsOfSteel

(@nervsofsteel)

Active Member

Joined: 13 years ago

Posts: 6

Topic starter 18/04/2012 11:05 pm

I have now made some tests with EnCase 6 and it performed pretty much the same as Scalpel did. This made me think of why EnCase also did perform this badly.
I've come up to that it's probably the footers "fault". Because the footer is short (FF D9) it will produce a false hit. When using a header/footer based file carver, the carver may detect the footer signature before the end of the actual file, which will result in a corrupt file and only viewable thumbnails.
I made a quick search of the footer signature in FTK imager and indeed i found it in multiple places in the jpgs.

Can somebody confirm my theory or am i way off?

ReplyQuote

mscotgrove

(@mscotgrove)

Prominent Member

Joined: 17 years ago

Posts: 940

19/04/2012 2:02 am

I have seen valid JPEGs with 3 images - thumbnail, small image and full image. Each image will end with 0xff 0xd9.

I think carving is best based on file start, and then verification to find the end, rather than a fixed end flag.

Consider when the image is fragmented, the file will not end, but a new one may well start. Concentrate on the new one and truncate the partial one..

For many files the length is not too important if it is too long.

ReplyQuote

joachimm

(@joachimm)

Estimable Member

Joined: 17 years ago

Posts: 181

29/06/2012 11:53 am

I have now made some tests with EnCase 6 and it performed pretty much the same as Scalpel did. This made me think of why EnCase also did perform this badly.
I've come up to that it's probably the footers "fault". Because the footer is short (FF D9) it will produce a false hit. When using a header/footer based file carver, the carver may detect the footer signature before the end of the actual file, which will result in a corrupt file and only viewable thumbnails.
I made a quick search of the footer signature in FTK imager and indeed i found it in multiple places in the jpgs.

Can somebody confirm my theory or am i way off?

It's not the footers fault, it's the basic approach scalpel uses; last time I checked Encase as well. It only looks at the beginning an some imaginary unique identifier of an end (footer). Whereas the thumbnail is also a JPEG and the carver does not take that into account. There are far better ways to carve, especially JPEGs ; e.g. adroit photo recovery. Also see DFRWS 2006 and 2007 carving challenge results.

ReplyQuote

jonstewart

(@jonstewart)

Eminent Member

Joined: 16 years ago

Posts: 47

24/07/2012 7:49 pm

Well, this is frustrating. EnCase's File Finder script used to have no problems whatsoever dealing with thumbnails.

Jon

ReplyQuote

Page 2 / 2 Prev

8 Forums
15.7 K Topics
92.3 K Posts
211 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed