file carving
TRANSCRIPT
FILE CARVING
WHAT IS FILE CARVING??
File Carving is the process of reassembling computer files
from fragments in the absence of file system metadata.
It is the process of extracting a collection of data from a larger data set. Data carving techniques frequently occur during a digital investigation under Computer Forensics when the unallocated file system space is analysed to extract files.
The files are “carved” from the unallocated space using file type-specific header and footer values.
2
COMPUTER FORENSICS
Computer Forensics is a branch of digital forensic
science pertaining to legal evidence found in computers and digital storage media.
The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analysing and presenting facts and opinions about the digital information.
3
HOW THE DATA IS HIDDEN??
Deleting A File Sends the file to Windows Recycle Bin
Undeleted tools depend on the deleted directory entry
• That can be deleted or overwritten too
• Then there is no undeleting possible
Store Files in a TrueCrypt/VeraCrypt/CipherShed Volume Undetected as a file(except for My tools)
Looks like random data in unallocated space
4
5
FILE RECOVERY VS. FILE CARVING
FILE RECOVERY
• File recovery techniques make use of the file system information that remains after deletion of a file.
• For this technique to work, the file system information needs to be correct. If not, the files can’t be recovered.
FILE CARVING
• Carving deals with the raw data on the media.
• Carving doesn’t care about which file system is used to store the files.
6
HOW FILE CARVING WORKS??
File carving is a powerful technique for recovering files and fragments of files when directory entries are corrupt or missing.
Every file type has its specific header and footer values. In File Carving, raw data is searched block by block for residual data matching the file type-specific header and footer values.
As long as data is not overwritten or wiped, deleted data on all storage devices can be restored using carving techniques, including multifunctional devices and even mobile phones.
7
EXAMPLE OF A FILE STRUCTURE
8
9
File Header
File Footer
FILE CARVING ASSUMPTIONS
The files searched for are not fragmented.
The beginning of the file is still present.
The signature being searched for is not a common string, which could cause numerous false positives.
The blocks of data searched one at a time are mostly 512 bytes in size.
10
WHAT IF FRAGMENTATION OCCURS??
As files are edited, modified and deleted, most hard drives get fragmented.
Also depends on allocation methodology of file system.
Fragmentation in forensically important files like email, WORD document etc. is high. Why?? Because of constant editing, deletion and addition PST files are most
fragmented. 11
BASIC CARVING SCHEMES
• BiFragment Gap Recovery
• Given by Simson L. Garfinkel, a noted authority in computer forensics field.
• He proposed that a high percentage of files were saved in two separate fragments, i.e., bifragment.
• SmartCarving
• Introduced by A. Pal, N. Memon. T. Sencar and K. Shanmugasundaram.
• It is used to carve out files which is divided into many fragments.
12
BIFRAGMENT GAP RECOVERY
13
BIFRAGMENT GAP RECOVERY(CONTD.)
Simson L. Garfinkel estimated that upto 58% of outlook, 17% of jpegs and 16% of MS-Word files are fragmented and, therefore, appear corrupted or missing to a user using traditional data carving.
A. Pal, N. Memon. T. Sencar and K. Shanmugasundaram
have introduced a technique called SmartCarving that
can recover fragmented files.
14
SMART CARVING
Can work on fragmented and non fragmented data.
Wide variety of file types supported.
Preprocessing Data clusters are decrypted or decompressed.
Collating Classification of cluster to various file types.
Reassembly Reassemble the blocks in sequences that match their file type.
15
SMART CARVING(PREPROCESSING)
Compressed and encrypted drive are decrypted/decompressed in this stage.
Removing known clusters from the disk based on file system meta-data. Helps increase the speed and reduce the amount of data for next
phases.
Allocated files and Operating system specific data can be pruned since it doesn’t have any use in forensics.
16
SMART CARVING(COLLATING)
Classifies the disk clusters as belonging to certain file types.
Reduces the cluster pool in recovery of file of each type.
Keyword/Pattern Matching Looking for sequences to determine the type of cluster.
E.g. <html> tags in a cluster collates to html file.
ASCII characters frequency High frequency of these indicate that data is non Video or Image.
17
SMART CARVING(REASSEMBLY)
Reassembly can be done by Finding the starting fragment of a file that contains the header.
Merging clusters belonging to same fragment.
Finding the fragmentation point i.e. the last cluster in current segment.
Starting point of next fragment.
Ending point of last fragment. Last cluster containing the footer.
18
FILE CARVING TAXONOMY
• Block Based Carving
• Statistical Carving
• Header/Footer Carving
• Header/Maximum File Size Carving
• Header/Embedded Length Carving
• File Structure Based Carving
• Semantic Carving
• Carving with Validation
• Fragment Recovery Carving
• Repackaging Carving
• Hash Carving
• Fuzzy Hash Carving
19
FILE CARVING TOOLS
Foremost - Originally designed by the US Air Force, it is a
carver designed for recovering files based on their headers, footers, and internal data structures.
Scalpel - Scalpel is a rewrite of Foremost focused on
performance and a decrease of memory usage. It uses a database of header and footer definitions and extracts matching files from a set of image files or raw device files.
20
FILE CARVING TOOLS(CONTD.)
Photorec - Photorec is a
data recovery software tool designed to recover lost files from digital camera storage, hard disks, and CD-ROMs using a FTK(Forensic ToolKit) imager. It recovers most common
photo formats, audio files, document formats, such as Microsoft Office, PDF, HTML, and archive/compression formats.
21
FUTURE TOOLS
•Carver 2.0• Open Source, in the early specification stages
• File Harvester• Combination of multiple methods: Block Based Carving, Statistical
Carving, Header/Footer Carving, Header/Embedded Length Carving, File Structure Based Carving, Fragment Recovery Carving, Repackaging Carving (Phase 3), SmartCarving, Fuzzy Hash Carving
22
CONCLUSION
File Carving has revolutionized the computer forensics field by enabling law enforcement to dig out various digital evidence which were earlier inaccessible with the help of earlier means.
New technologies & techniques in File Carving are making it easier to recover data with more accuracy and efficiency.
File Carving is still a developing area of computer forensics and has made further inroads in the recovery of ephemeral data from mobile phones as evidence.
23
24
25