Marco Alamanni, profile picture
Uploaded byMarco Alamanni
ODP, PDF1,298 views

File carving tools

The document discusses file carving tools used in digital forensics on Kali Linux, specifically focusing on how to recover deleted files using Sleuth Kit, Foremost, Scalpel, and PhotoRec. It outlines the basic functionality and configuration of each tool, highlighting that they extract files from raw disk sectors using file format headers and footers. Additionally, it provides links for further resources and describes the developer background of each tool.

Embed presentation

Downloaded 13 times
Digital forensics with Kali Linux Marco Alamanni Video 4.2 File carving tools
In this Video, we are going to take a look at… • How to recover deleted files with The Sleuth Kit. • How to recover deleted files using carving tools: Foremost, Scalpel and Photorec.
File carving tools ● Three CLI carving tools included by default on Kali Linux: Foremost, Scalpel and Photorec. ● These tools extract files from raw disk sectors. ● Use a database of headers and footers for several file formats. ● Also work on disk images. ● Sample image from the Digital Forensics Tool Testing Images page: http://dftt.sourceforge.net/
Foremost ● Foremost has been developed by Jesse Kornblum and Kris Kendall at the Air Force Office of Special Investigations and later updated by Nick Mikus of the Naval Postgraduate School. ● Default configuration file is /etc/foremost.conf. ● We edit it only to enable the recovery of formats not included in the default configuration.
Scalpel ● Scalpel is a rewrite of Foremost and the latest version available on Kali Linux is the 1.60. ● The latest version is the 2.0 and the source is available at The Sleuth Kit github repository: https://github.com/sleuthkit/scalpel ● The configuration file is /etc/scalpel/scalpel.conf ● Unlike Foremost, we have to edit the configuration file uncommenting all the file formats we want to recover.
Photorec ● PhotoRec has been developed by Christophe Grenier, the developer of TestDisk. ● Can recover many different file formats and has a text-based user interface like TestDisk. ● Photorec web page provides valuable information on how the program works and how to use it: http://www.cgsecurity.org/wiki/PhotoRec
Next Video Extracting data with Bulk Extractor

More Related Content

PPTX
Forensic imaging
byDINESH KAMBLE
 
ODP
Introduction to forensic imaging
byMarco Alamanni
 
PPTX
Forensic imaging tools
byDr. Richard Adams
 
PDF
Accessing Forensic Images
byCTIN
 
PDF
Memory Analysis of the Dalvik (Android) Virtual Machine
byAndrew Case
 
PDF
Linux Memory Analysis with Volatility
byAndrew Case
 
PDF
(120513) #fitalk an introduction to linux memory forensics
byINSIGHT FORENSIC
 
PDF
Windows Memory Forensic Analysis using EnCase
byTakahiro Haruyama
 
Forensic imaging
byDINESH KAMBLE
 
Introduction to forensic imaging
byMarco Alamanni
 
Forensic imaging tools
byDr. Richard Adams
 
Accessing Forensic Images
byCTIN
 
Memory Analysis of the Dalvik (Android) Virtual Machine
byAndrew Case
 
Linux Memory Analysis with Volatility
byAndrew Case
 
(120513) #fitalk an introduction to linux memory forensics
byINSIGHT FORENSIC
 
Windows Memory Forensic Analysis using EnCase
byTakahiro Haruyama
 

What's hot

PPTX
Memory forensics
bySunil Kumar
 
PDF
Next Generation Memory Forensics
byAndrew Case
 
PPTX
Module 02 ftk imager
byParminderKaurBScHons
 
PDF
Encase V7 Presented by Guidance Software august 2011
byCTIN
 
PPT
Linux forensics
bySantosh Khadsare
 
PPTX
Forensic Memory Analysis of Android's Dalvik Virtual Machine
bySource Conference
 
PPT
Windowsforensics
bySantosh Khadsare
 
ODT
Operating System Forensics
byArunJS5
 
PDF
Dfrws eu 2014 rekall workshop
byTamas K Lengyel
 
PPT
Linux Forensics
bySantosh Khadsare
 
PPT
Digital Forensic Tools - Application Specific.
byguestcf6f5b
 
PDF
De-Anonymizing Live CDs through Physical Memory Analysis
byAndrew Case
 
PPTX
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
byAndrew Case
 
PPTX
Open Source Forensics
byCTIN
 
PDF
Forensics of a Windows System
byConferencias FIST
 
PDF
Workshop - Linux Memory Analysis with Volatility
byAndrew Case
 
PPTX
Autopsy Digital forensics tool
bySreekanth Narendran
 
PPTX
Msra 2011 windows7 forensics-troyla
byCTIN
 
PPS
intro to forensics
byPardhasaradhi ch
 
PPTX
Leveraging NTFS Timeline Forensics during the Analysis of Malware
bytmugherini
 
Memory forensics
bySunil Kumar
 
Next Generation Memory Forensics
byAndrew Case
 
Module 02 ftk imager
byParminderKaurBScHons
 
Encase V7 Presented by Guidance Software august 2011
byCTIN
 
Linux forensics
bySantosh Khadsare
 
Forensic Memory Analysis of Android's Dalvik Virtual Machine
bySource Conference
 
Windowsforensics
bySantosh Khadsare
 
Operating System Forensics
byArunJS5
 
Dfrws eu 2014 rekall workshop
byTamas K Lengyel
 
Linux Forensics
bySantosh Khadsare
 
Digital Forensic Tools - Application Specific.
byguestcf6f5b
 
De-Anonymizing Live CDs through Physical Memory Analysis
byAndrew Case
 
Memory Forensics: Defeating Disk Encryption, Skilled Attackers, and Advanced ...
byAndrew Case
 
Open Source Forensics
byCTIN
 
Forensics of a Windows System
byConferencias FIST
 
Workshop - Linux Memory Analysis with Volatility
byAndrew Case
 
Autopsy Digital forensics tool
bySreekanth Narendran
 
Msra 2011 windows7 forensics-troyla
byCTIN
 
intro to forensics
byPardhasaradhi ch
 
Leveraging NTFS Timeline Forensics during the Analysis of Malware
bytmugherini
 

Viewers also liked

PPTX
Windows nt istallation
byHarleen Johal
 
PDF
Windows logging cheat sheet
byMichael Gough
 
PPTX
WinFE: The (Almost) Perfect Triage Tool
byBrent Muir
 
PPTX
Citrix
byYansi Keim
 
PDF
Windows 7-cheat-sheet
byWilliam McIntosh
 
PPT
Level1 Part8 End Of The Day
byCTIN
 
PDF
Ntfs forensics
byn|u - The Open Security Community
 
PPT
Corporate Public Investigations
byCTIN
 
PPTX
Facebook Forensics Toolkit(FFT)
byShuvo Sarker
 
PPT
July132000
byCTIN
 
PDF
Digital Forensic: Brief Intro & Research Challenge
byAung Thu Rha Hein
 
PDF
Social Media for Investigations Tools
byMandy Jenkins
 
PPTX
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
byBasis Technology
 
PDF
Digital forensic upload
bySetia Juli Irzal Ismail
 
PDF
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
byOWASP Turkiye
 
PPTX
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
byBasis Technology
 
PDF
Using and Developing with Open Source Digital Forensics Software in Digital A...
byMark Matienzo
 
PDF
Disk forensics
byChiawei Wang
 
PDF
Windows 8.x Forensics 1.0
byBrent Muir
 
PPT
G Infomgnt
byCTIN
 
Windows nt istallation
byHarleen Johal
 
Windows logging cheat sheet
byMichael Gough
 
WinFE: The (Almost) Perfect Triage Tool
byBrent Muir
 
Citrix
byYansi Keim
 
Windows 7-cheat-sheet
byWilliam McIntosh
 
Level1 Part8 End Of The Day
byCTIN
 
Ntfs forensics
byn|u - The Open Security Community
 
Corporate Public Investigations
byCTIN
 
Facebook Forensics Toolkit(FFT)
byShuvo Sarker
 
July132000
byCTIN
 
Digital Forensic: Brief Intro & Research Challenge
byAung Thu Rha Hein
 
Social Media for Investigations Tools
byMandy Jenkins
 
OSDF 2013 - Autopsy 3: Extensible Desktop Forensics by Brian Carrier
byBasis Technology
 
Digital forensic upload
bySetia Juli Irzal Ismail
 
[OWASP-TR Mobil Güvenlik Çalıştayı 2015] Yalçın Çakmak - Social Media Apps Fo...
byOWASP Turkiye
 
Autopsy 3: Free Open Source End-to-End Windows-based Digital Forensics Platform
byBasis Technology
 
Using and Developing with Open Source Digital Forensics Software in Digital A...
byMark Matienzo
 
Disk forensics
byChiawei Wang
 
Windows 8.x Forensics 1.0
byBrent Muir
 
G Infomgnt
byCTIN
 

Similar to File carving tools

PPTX
REMnux tutorial-2: Extraction and decoding of Artifacts
byRhydham Joshi
 
ODP
File carving overview
byMarco Alamanni
 
PPTX
Understanding memory in computing part 2.pptx
byPravash Chandra Das
 
PPTX
6_the_Sleuth_Kit_Tutorial powerpoint.pptx
bynou20210132
 
PPTX
Sleuth_Kit_Tutorial powerpoint 123 .pptx
bynou20210132
 
PPTX
Advances in File Carving
byRob Zirnstein
 
REMnux tutorial-2: Extraction and decoding of Artifacts
byRhydham Joshi
 
File carving overview
byMarco Alamanni
 
Understanding memory in computing part 2.pptx
byPravash Chandra Das
 
6_the_Sleuth_Kit_Tutorial powerpoint.pptx
bynou20210132
 
Sleuth_Kit_Tutorial powerpoint 123 .pptx
bynou20210132
 
Advances in File Carving
byRob Zirnstein
 

Recently uploaded

PDF
Attendance Dashboard – Time & Attendance Analytics
byHajir Pro
 
PDF
apidays Amsterdam 2025 | Making AI work for you as an API Product Manager
byapidays
 
PDF
Monitoring your MySQL Server's Health Trends
byIgor Donchovski
 
PPTX
Edison MuleSoft Meetup : Vibe Coding | MuleSoft Meetups
bySravan Lingam
 
PDF
On Demand Grocery Delivery App Development.pdf
byV3CUBE TECHNOLABS
 
PDF
Water Delivery App Development Solutions.pdf
byeSiteWorld TechnoLabs Pvt. Ltd.
 
PDF
Artificial Intelligence Planning (Harinath Palavalli)
byHarinath Palavalli
 
PDF
2026 Safety Roadmap: Systems, Skills, and Scale for EHS Leaders
byTECH EHS Solution
 
PDF
20260201 [FOSDEM] gomodjail - library sandboxing for Go modules.pdf
byAkihiro Suda
 
PDF
Physiotherapist App Development for Modern Rehabilitation
byV3CUBE TECHNOLABS
 
PDF
AI-native development: from Prompt to Platform
byMaxim Salnikov
 
PDF
The Growing Impact of Blockchain and Web3 on Digital Ownership With Paul Inou...
byPaul Inouye
 
PDF
Azure DevOps Services: Complete Guide to DevOps Tools, Automation & End-to-En...
byjohncarterjn
 
PDF
apidays Australia 2025 | Build Your First MCP Server with Postman Flows
byapidays
 
PDF
Windows Server 2025 Administration Fundamentals 4ED
byraynasolomon136
 
PPTX
Salesforce Spring '26 Release presentation - Melbourne Salesforce User Group
byAnne N
 
PPTX
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
PPTX
GraphQL Day Paris 2025 | Bringing DevOps to GraphQL with the Apollo GraphOS O...
byapidays
 
PDF
Why I Volunteer at FOSDEM and You Should Too
byImma Valls Bernaus
 
PPTX
HackYourBrain_JFokusConference_03022026.pptx
bySimonedeGijt
 
Attendance Dashboard – Time & Attendance Analytics
byHajir Pro
 
apidays Amsterdam 2025 | Making AI work for you as an API Product Manager
byapidays
 
Monitoring your MySQL Server's Health Trends
byIgor Donchovski
 
Edison MuleSoft Meetup : Vibe Coding | MuleSoft Meetups
bySravan Lingam
 
On Demand Grocery Delivery App Development.pdf
byV3CUBE TECHNOLABS
 
Water Delivery App Development Solutions.pdf
byeSiteWorld TechnoLabs Pvt. Ltd.
 
Artificial Intelligence Planning (Harinath Palavalli)
byHarinath Palavalli
 
2026 Safety Roadmap: Systems, Skills, and Scale for EHS Leaders
byTECH EHS Solution
 
20260201 [FOSDEM] gomodjail - library sandboxing for Go modules.pdf
byAkihiro Suda
 
Physiotherapist App Development for Modern Rehabilitation
byV3CUBE TECHNOLABS
 
AI-native development: from Prompt to Platform
byMaxim Salnikov
 
The Growing Impact of Blockchain and Web3 on Digital Ownership With Paul Inou...
byPaul Inouye
 
Azure DevOps Services: Complete Guide to DevOps Tools, Automation & End-to-En...
byjohncarterjn
 
apidays Australia 2025 | Build Your First MCP Server with Postman Flows
byapidays
 
Windows Server 2025 Administration Fundamentals 4ED
byraynasolomon136
 
Salesforce Spring '26 Release presentation - Melbourne Salesforce User Group
byAnne N
 
Best Digital Marketing Company in Lucknow
bydigitallearning9277
 
GraphQL Day Paris 2025 | Bringing DevOps to GraphQL with the Apollo GraphOS O...
byapidays
 
Why I Volunteer at FOSDEM and You Should Too
byImma Valls Bernaus
 
HackYourBrain_JFokusConference_03022026.pptx
bySimonedeGijt
 

File carving tools

  • 1.
    Digital forensics withKali Linux Marco Alamanni Video 4.2 File carving tools
  • 2.
    In this Video,we are going to take a look at… • How to recover deleted files with The Sleuth Kit. • How to recover deleted files using carving tools: Foremost, Scalpel and Photorec.
  • 3.
    File carving tools ● ThreeCLI carving tools included by default on Kali Linux: Foremost, Scalpel and Photorec. ● These tools extract files from raw disk sectors. ● Use a database of headers and footers for several file formats. ● Also work on disk images. ● Sample image from the Digital Forensics Tool Testing Images page: http://dftt.sourceforge.net/
  • 4.
    Foremost ● Foremost has beendeveloped by Jesse Kornblum and Kris Kendall at the Air Force Office of Special Investigations and later updated by Nick Mikus of the Naval Postgraduate School. ● Default configuration file is /etc/foremost.conf. ● We edit it only to enable the recovery of formats not included in the default configuration.
  • 5.
    Scalpel ● Scalpel is arewrite of Foremost and the latest version available on Kali Linux is the 1.60. ● The latest version is the 2.0 and the source is available at The Sleuth Kit github repository: https://github.com/sleuthkit/scalpel ● The configuration file is /etc/scalpel/scalpel.conf ● Unlike Foremost, we have to edit the configuration file uncommenting all the file formats we want to recover.
  • 6.
    Photorec ● PhotoRec has beendeveloped by Christophe Grenier, the developer of TestDisk. ● Can recover many different file formats and has a text-based user interface like TestDisk. ● Photorec web page provides valuable information on how the program works and how to use it: http://www.cgsecurity.org/wiki/PhotoRec
  • 7.
    Next Video Extracting datawith Bulk Extractor