File carving overview
•Download as ODP, PDF•
0 likes•343 views
This is a draft presentation of a video lesson from the course "Digital forensics with Kali Linux" published by Packt Publishing in May 2017: https://www.packtpub.com/networking-and-servers/digital-forensics-kali-linux In these slides, we are going to cover file carving, introducing unallocated and slack disk space and how to extract and identify deleted files. Then we are going to cover the Windows Recycle Bin.
Recommended
More Related Content
What's hot
What's hot (19)
Similar to File carving overview
Similar to File carving overview (20)
More from Marco Alamanni
Recently uploaded
Recently uploaded (20)
File carving overview
- 1. Digital forensics with Kali Linux Marco Alamanni Section 4 File carving and data recovery www.packtpub.com
- 2. In this Section, we are going to take a look at… ● Introduction to file carving: unallocated and slack disk space, deleted files, Recycle Bin. ● File carving tools: Foremost, Scalpel and Photorec. ● Data extraction using Bulk-extractor
- 3. Course Name Author Name Video 4.1 File carving overview
- 4. In this Video, we are going to take a look at… ● Introduction to file slack and unallocated space, deleted files and the file carving process. • The Windows Recycle Bin and how to examine it with Rifiuti2.
- 5. Introduction to slack space ● Smallest addressable data units on filesystems are called blocks or clusters, that are usually 4 KB of size. • Files generally use various blocks, the last block being only partial ly used. • The space left between the end of the file’s data and the end of the block is called slack space. • Slack space can contain hidden data or remnants from previously deleted file.
- 6. Introduction to slack space
- 7. Deleted files and unallocated space ● When a file is deleted, the relative directory entry is removed but the entry in the file’s table remains. • The file’s allocated blocks become unallocated; they are marked as free but not modified until reallocated to other files. • The unallocated blocks’ contents could be recovered using The Sleuth Kit tools or data carving tools
- 8. Introduction to data carving ● Data carving is the process of identifying and extracting meaningful data out of the unallocated and slack space. • It relies on locating the magic number of a file and copying all the data until the end of file (EOF) marker is not found. • It is straightforward if the file’s data blocks are contiguous, could be challenging if the file is fragmented. • Algorithm for file carving that also handle fragmentation has been developed for data carving tools.
- 9. The Windows Recycle Bin ● On modern operating systems, deleted files are usually first moved to the Recycle Bin (on Windows) or analogous directory. • These files are permanently deleted if the Recycle Bin is emptied or can be restored in the original location. • On Windows XP and earlier deleted files are placed under C:Recycler subfolders, one for each user, and the relative information are stored in INFO2 index files. • On Windows Vista and newer deleted files are stored under C:$Recycle.Bin subfolders in files that begin with $I and $R.
- 10. Next Video File carving tools