File Carving

An Introduction to File Carving and its techniques used in computer forensics....

Published in: Technology

  1. FILE CARVING
  2. WHAT IS FILE CARVING??
     File carving is the process of reassembling computer files from fragments in the absence of file system metadata. It is the process of extracting a collection of data from a larger data set. Data carving techniques are frequently used during a digital investigation in computer forensics, when the unallocated file system space is analysed to extract files. The files are “carved” from the unallocated space using file type-specific header and footer values.
  3. COMPUTER FORENSICS
     Computer forensics is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analysing and presenting facts and opinions about the digital information.
  4. HOW THE DATA IS HIDDEN??
     Deleting a file
     • Sends the file to the Windows Recycle Bin
     • Undelete tools depend on the deleted directory entry
       • That can be deleted or overwritten too
       • Then there is no undeleting possible
     Store files in a TrueCrypt/VeraCrypt/CipherShed volume
     • Undetected as a file (except for my tools)
     • Looks like random data in unallocated space
  6. FILE RECOVERY VS. FILE CARVING
     FILE RECOVERY
     • File recovery techniques make use of the file system information that remains after deletion of a file.
     • For this technique to work, the file system information needs to be correct. If not, the files can’t be recovered.
     FILE CARVING
     • Carving deals with the raw data on the media.
     • Carving doesn’t care about which file system is used to store the files.
  7. HOW FILE CARVING WORKS??
     File carving is a powerful technique for recovering files and fragments of files when directory entries are corrupt or missing. Every file type has its specific header and footer values. In file carving, raw data is searched block by block for residual data matching the file type-specific header and footer values. As long as data is not overwritten or wiped, deleted data on all storage devices can be restored using carving techniques, including multifunctional devices and even mobile phones.
  8. EXAMPLE OF A FILE STRUCTURE
  9. [Figure labels: File Header, File Footer]
  10. FILE CARVING ASSUMPTIONS
      • The files searched for are not fragmented.
      • The beginning of the file is still present.
      • The signature being searched for is not a common string, which could cause numerous false positives.
      • The blocks of data searched one at a time are mostly 512 bytes in size.
  11. WHAT IF FRAGMENTATION OCCURS??
      As files are edited, modified and deleted, most hard drives get fragmented. It also depends on the allocation methodology of the file system. Fragmentation in forensically important files like email, Word documents etc. is high. Why??
      • Because of constant editing, deletion and addition, PST files are most fragmented.
  12. BASIC CARVING SCHEMES
      • BiFragment Gap Recovery
        • Given by Simson L. Garfinkel, a noted authority in the computer forensics field.
        • He proposed that a high percentage of files were saved in two separate fragments, i.e., bifragment.
      • SmartCarving
        • Introduced by A. Pal, N. Memon, T. Sencar and K. Shanmugasundaram.
        • It is used to carve out files that are divided into many fragments.
  13. BIFRAGMENT GAP RECOVERY
  14. BIFRAGMENT GAP RECOVERY (CONTD.)
      Simson L. Garfinkel estimated that up to 58% of Outlook, 17% of JPEG and 16% of MS-Word files are fragmented and, therefore, appear corrupted or missing to a user using traditional data carving. A. Pal, N. Memon, T. Sencar and K. Shanmugasundaram have introduced a technique called SmartCarving that can recover fragmented files.
  15. SMART CARVING
      Can work on fragmented and non-fragmented data.
      Wide variety of file types supported.
      Preprocessing
      • Data clusters are decrypted or decompressed.
      Collating
      • Classification of clusters into various file types.
      Reassembly
      • Reassemble the blocks in sequences that match their file type.
  16. SMART CARVING (PREPROCESSING)
      Compressed and encrypted drives are decrypted/decompressed in this stage.
      Known clusters are removed from the disk based on file system metadata.
      • Helps increase the speed and reduce the amount of data for the next phases.
      Allocated files and operating system specific data can be pruned since it doesn’t have any use in forensics.
  17. SMART CARVING (COLLATING)
      Classifies the disk clusters as belonging to certain file types.
      Reduces the cluster pool in the recovery of files of each type.
      Keyword/pattern matching
      • Looking for sequences to determine the type of cluster.
      • E.g. <html> tags in a cluster collate it to an HTML file.
      ASCII character frequency
      • A high frequency of these indicates that the data is not video or image.
  18. SMART CARVING (REASSEMBLY)
      Reassembly can be done by
      • Finding the starting fragment of a file that contains the header.
      • Merging clusters belonging to the same fragment.
      • Finding the fragmentation point, i.e. the last cluster in the current segment.
      • Starting point of the next fragment.
      • Ending point of the last fragment.
        • Last cluster containing the footer.
  19. FILE CARVING TAXONOMY
      • Block Based Carving
      • Statistical Carving
      • Header/Footer Carving
      • Header/Maximum File Size Carving
      • Header/Embedded Length Carving
      • File Structure Based Carving
      • Semantic Carving
      • Carving with Validation
      • Fragment Recovery Carving
      • Repackaging Carving
      • Hash Carving
      • Fuzzy Hash Carving
  20. FILE CARVING TOOLS
      Foremost - Originally designed by the US Air Force, it is a carver designed for recovering files based on their headers, footers, and internal data structures.
      Scalpel - Scalpel is a rewrite of Foremost focused on performance and a decrease of memory usage. It uses a database of header and footer definitions and extracts matching files from a set of image files or raw device files.
  21. FILE CARVING TOOLS (CONTD.)
      Photorec - Photorec is a data recovery software tool designed to recover lost files from digital camera storage, hard disks, and CD-ROMs using an FTK (Forensic ToolKit) imager.
      • It recovers most common photo formats, audio files, document formats such as Microsoft Office, PDF and HTML, and archive/compression formats.
  22. FUTURE TOOLS
      • Carver2.0
        • Open source, in the early specification stages
      • File Harvester
        • Combination of multiple methods: Block Based Carving, Statistical Carving, Header/Footer Carving, Header/Embedded Length Carving, File Structure Based Carving, Fragment Recovery Carving, Repackaging Carving (Phase 3), SmartCarving, Fuzzy Hash Carving
  23. CONCLUSION
      File carving has revolutionized the computer forensics field by enabling law enforcement to dig out digital evidence that was previously inaccessible by earlier means. New technologies and techniques in file carving are making it easier to recover data with more accuracy and efficiency. File carving is still a developing area of computer forensics and has made further inroads in the recovery of ephemeral data from mobile phones as evidence.
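The block-by-block header/footer search from slides 7 and 10, as an added example that is not part of the original slides. It assumes JPEG signatures (`FF D8 FF` header, `FF D9` footer), the 512-byte blocks the slides mention, and a maximum-file-size bound so that a header whose footer was overwritten is dropped instead of running to the end of the image; the sample image is constructed.

```python
SECTOR = 512                    # block size assumed on slide 10
JPEG_HEADER = b"\xff\xd8\xff"   # JPEG start-of-image signature
JPEG_FOOTER = b"\xff\xd9"       # JPEG end-of-image marker

def carve_jpegs(image: bytes, max_size: int = 10 * 1024 * 1024):
    """Return [(start_offset, file_bytes)] for each header..footer run."""
    carved = []
    offset = 0
    while offset < len(image):
        # Files start on a block boundary, so only the first bytes of
        # each block are compared against the header signature.
        if image.startswith(JPEG_HEADER, offset):
            end = image.find(JPEG_FOOTER, offset + len(JPEG_HEADER),
                             offset + max_size)
            if end != -1:
                end += len(JPEG_FOOTER)
                carved.append((offset, image[offset:end]))
                # Resume at the first block boundary after the carved file.
                offset = -(-end // SECTOR) * SECTOR
                continue
            # No footer within max_size: truncated file or false positive.
        offset += SECTOR
    return carved

def pad(data: bytes) -> bytes:
    """Zero-fill to the next block boundary (slack space)."""
    return data + b"\x00" * (-len(data) % SECTOR)

def build_sample_image() -> bytes:
    """Constructed image: intact file, unaligned signature, truncated file."""
    intact = JPEG_HEADER + b"\xe0" + b"A" * 700 + JPEG_FOOTER
    return (b"\x00" * SECTOR                                    # block 0: empty
            + pad(intact)                                       # blocks 1-2
            + pad(b"text " + JPEG_HEADER + b" inside a block")  # block 3
            + pad(JPEG_HEADER + b"\xe0" + b"B" * 100))          # block 4: no footer

if __name__ == "__main__":
    for start, data in carve_jpegs(build_sample_image()):
        print(f"carved {len(data)} bytes at offset {start}")
```

Only the intact file is returned: the signature in block 3 is not block-aligned, and the header in block 4 has no footer.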
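Bifragment gap recovery from slides 12 to 14, as an added example that is not from the original slides. It keeps the header and footer blocks fixed, tries every gap size and position between them, and accepts the first candidate that a validator approves; the `CARV`/`END!` format with a CRC32 is a constructed stand-in for a real file-type validator, and the sample image is constructed.

```python
import zlib

SECTOR = 512
MAGIC, TRAILER = b"CARV", b"END!"  # constructed toy format, not a real file type

def make_file(payload: bytes) -> bytes:
    """Toy layout: MAGIC | payload | CRC32(payload) | TRAILER."""
    return MAGIC + payload + zlib.crc32(payload).to_bytes(4, "big") + TRAILER

def validate(data: bytes):
    """Return the file trimmed at its trailer if the CRC matches, else None."""
    end = data.rfind(TRAILER)
    if not data.startswith(MAGIC) or end < len(MAGIC) + 4:
        return None
    payload, crc = data[len(MAGIC):end - 4], data[end - 4:end]
    ok = zlib.crc32(payload).to_bytes(4, "big") == crc
    return data[:end + len(TRAILER)] if ok else None

def bifragment_carve(image: bytes):
    """Return (first_gap_sector, gap_length, file_bytes) or None."""
    sectors = [image[i:i + SECTOR] for i in range(0, len(image), SECTOR)]
    heads = [i for i, s in enumerate(sectors) if s.startswith(MAGIC)]
    tails = [i for i, s in enumerate(sectors) if TRAILER in s]
    for h in heads:
        for t in (t for t in tails if t >= h):
            span = sectors[h:t + 1]
            whole = validate(b"".join(span))
            if whole:                       # contiguous, no gap needed
                return None, 0, whole
            # Keep header and footer sectors; slide a gap of each size between them.
            for gap in range(1, len(span) - 1):
                for start in range(1, len(span) - gap):
                    found = validate(b"".join(span[:start] + span[start + gap:]))
                    if found:
                        return h + start, gap, found
    return None

def build_sample_image():
    """Constructed image: a 3-sector file split 2+1 around two foreign sectors."""
    original = make_file(bytes(i * 7 % 251 for i in range(1200)))
    padded = original + b"\x00" * (-len(original) % SECTOR)
    foreign = b"\xaa" * (2 * SECTOR)
    image = b"\x00" * SECTOR + padded[:2 * SECTOR] + foreign + padded[2 * SECTOR:]
    return image, original
```

On the sample image the carver reports a two-sector gap starting at sector 3 and returns the original file bytes.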
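The collating step from slide 17, as an added example that is not from the original slides: each cluster is assigned to a file-type pool by keyword matching first and printable-ASCII frequency second, so reassembly only has to consider clusters of one type. The 4096-byte cluster size, the keyword table and the 0.9 threshold are assumptions, and the sample image is constructed.

```python
import string

CLUSTER = 4096                               # assumed cluster size
PRINTABLE = set(string.printable.encode())   # printable ASCII plus whitespace
KEYWORDS = {                                 # constructed table, lower-case patterns
    "html": (b"<html", b"</html>", b"<body", b"<div"),
    "pdf": (b"%pdf-", b"endobj", b"endstream"),
}

def classify_cluster(cluster: bytes, text_threshold: float = 0.9) -> str:
    """Keyword match first, then ASCII frequency for everything else."""
    lowered = cluster.lower()
    for ftype, patterns in KEYWORDS.items():
        if any(p in lowered for p in patterns):
            return ftype
    # A high share of printable ASCII means the cluster is not image or video data.
    ratio = sum(b in PRINTABLE for b in cluster) / len(cluster)
    return "text" if ratio >= text_threshold else "binary"

def collate(image: bytes) -> dict:
    """Map each file type to the cluster numbers classified as that type."""
    pools = {}
    for off in range(0, len(image), CLUSTER):
        ftype = classify_cluster(image[off:off + CLUSTER])
        pools.setdefault(ftype, []).append(off // CLUSTER)
    return pools

def build_sample_image() -> bytes:
    """Constructed image: HTML, log text, byte-ramp 'binary', HTML again."""
    html = b"<HTML><body><p>report</p></body></html>".ljust(CLUSTER, b" ")
    log = (b"2020-01-01 user login ok\n" * 200)[:CLUSTER]
    binary = bytes(range(256)) * (CLUSTER // 256)
    return html + log + binary + html

if __name__ == "__main__":
    print(collate(build_sample_image()))
```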
