Scribd Logo
Upload

Welcome to Scribd!

  • Data Carving Presentation by Aditya Upadhyay - 20231009 - 122725 - 0000

    Uploaded by

    ac8945161
    3 views11 pages
    Data carving, also known as file carving, is a technique used in digital forensics to recover deleted files from unallocated space by examining file headers and footers. Two popular file carving tools are Foremost and Scalpel. Foremost recovers files of all supported types but can be slow, while Scalpel is faster but requires the user to specify the file types to carve in a configuration file. Both tools organize recovered files by type but do not preserve original filenames.

    Original Description:

    Original Title

    Data Carving Presentation by Aditya Upadhyay_20231009_122725_0000

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Data carving, also known as file carving, is a technique used in digital forensics to recover deleted files from unallocated space by examining file headers and footers. Two popular file carving tools are Foremost and Scalpel. Foremost recovers files of all supported types but can be slow, while Scalpel is faster but requires the user to specify the file types to carve in a configuration file. Both tools organize recovered files by type but do not preserve original filenames.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    3 views11 pages

    Data Carving Presentation by Aditya Upadhyay - 20231009 - 122725 - 0000

    Uploaded by

    ac8945161
    Data carving, also known as file carving, is a technique used in digital forensics to recover deleted files from unallocated space by examining file headers and footers. Two popular file carving tools are Foremost and Scalpel. Foremost recovers files of all supported types but can be slow, while Scalpel is faster but requires the user to specify the file types to carve in a configuration file. Both tools organize recovered files by type but do not preserve original filenames.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 11

    DATA CARVING

    CREATED BY - ADITYA UPADHYAY


    INTRODUCTION TO DATA CARVING

    Data Carving or sometimes referred to as File Carving is an


    important technique performed during digital forensic
    investigations to acquire and recover data from acquired
    memory files. File carving retrieves data and files from
    unallocated space using specific characteristics, such as the file
    structure and file headers.

    Source : https://hacklido.com/blog/383-introduction-to-forensic-data-carving
    MORE ABOUT DATA CARVING

    Unallocated space refers to that part of memory that does not


    belongs to any memory partition and has been marked as
    empty by the operating system. Although this part of the
    memory is unallocated for use, attributes of files such as header
    and footer are saved here that can be used to retrieve fragments
    or even complete parts of the deleted files.
    Data carving utilizes this space the attributes to recover deleted
    files by carving the information saved in header and footers.
    Source : https://hacklido.com/blog/383-introduction-to-forensic-data-carving
    THIS IS ALL THE THEORY THAT IS ESSENTIAL FOR OUR UNDERSTANDING.
    NOW WE WILL MOVE TO THE PRACTICAL PART OF OUR GUIDE WHERE
    WE USE AWESOME TOOLS TO CARVE DATA.
    DOWNLOAD: BASIC DATA CARVING TEST #1 BY NICK MIKUS

    THE DATASET IS A MEMORY IMAGE OF A FAT32 FILE SYSTEM THAT INCLUDES MULTIPLE DELETED FILES OF DIFFERENT FILE FORMATS
    AND EXTENSIONS. THE DESCRIPTION OF EACH FILE, INCLUDING ITS HASH IS GIVEN AT THE BOTTOM OF THE DOWNLOAD PAGE.
    AFTER DOWNLOADING THE ZIP OF THE DATA SET, EXTRACT IT TO A FRESH DIRECTORY AND PROCEED FURTHER.

    Source : https://hacklido.com/blog/383-introduction-to-forensic-data-carving
    FILE RECOVERY WITH FOREMOST
    Foremost is a widely popular command line tool in the world of digital forensics that
    recovers files from unallocated space using file headers and footers. The tool is
    powerful yet easy to use due to its simple syntax.
    A simple command to carve everything The output directory that we specified during
    from the image file looks like this: carving contains all the files that are successfully
    carved by foremost, organized into different sub-
    directories by file type. Furthermore, an audit.txt
    file is generated that contains all the details and
    findings listed in a neat format.

    FOREMOST -I <INPUT_FILE> -O <OUTPUT_DIRECTORY>

    Source : https://hacklido.com/blog/383-introduction-to-forensic-data-carving
    HERE’S A SAMPLE OF JPG FILES THAT ARE
    SUCCESSFULLY RECOVERED BY FOREMOST:

    A BETTER WAY TO USE THE TOOL IS TO SPECIFY SELECTED FILE EXTENSIONS TO CARVE TO REDUCE THE TIME TAKEN TO RECOVER
    FILES. WHILE IT IS A WISE CHOICE TO SPECIFY FILE TYPE DURING CARVING, THE EXTENSION MUST BE KNOWN TO USE THIS METHOD.
    THE SYNTAX TO CARVE SELECTED FILE TYPES LOOKS LIKE THIS:
    FOREMOST -I <INPUT_FILE> -T <EXTENSIONS> -O <OUTPUT_DIRECTORY>

    Source : https://hacklido.com/blog/383-introduction-to-forensic-data-carving
    WE WILL TALK ABOUT ONE MORE TOOL
    FILE RECOVERY WITH SCALPEL
    FILE RECOVERY WITH SCALPEL

    While foremost is a great tool to retrieve and recover files from


    unallocated space, it consumes high ram and CPU while under
    operation. Resultantly, Scalpel was developed as an improvement
    of older versions of foremost. While it offers speed, it comes with
    some specifications that must be kept in mind while carving data.
    Unlike foremost, Scalpel does not carve all supported file formats
    on its own. The required file types must be specified in the Scalpel
    configuration file by the user before using it.

    Source : https://hacklido.com/blog/383-introduction-to-forensic-data-carving
    This file is called scalpel.conf and is located at etc/scalpel/

    TO SPECIFY FILE TYPES, EDIT THE CONFIGURATION FILE AND


    REMOVE COMMENTS AT THE START OF THE LINE CONTAINING
    THE FILE TYPE. ALL FILE FORMATS ARE COMMENTED ON BY
    DEFAULT AND MUST BE EDITED AS PER THE USER’S PREFERENCE.
    PLEASE ALWAYS HAVE A BACKUP OF THE CONFIGURATION FILE
    BEFORE MAKING ANY CHANGES TO THE ORIGINAL FILE.

    Source : https://hacklido.com/blog/383-introduction-to-forensic-data-carving
    AFTER SPECIFYING THE FILE FORMATS TO CARVE, USE SCALPEL WITH THE FOLLOWING SYNTAX:

    SCALPEL <INPUT_FILE> -O <OUTPUT_DIRECTORY>

    SIMILAR TO FOREMOST, ALL RECOVERED FILES ARE ORGANIZED INTO DIFFERENT SUB-
    DIRECTORIES BASED ON THE FILE FORMAT.

    PLEASE NOTE THAT NEITHER FOREMOST, NOR SCALPEL RETURNS FILES WITH THEIR ORIGINAL NAMES, AND THE RESULT OFTEN
    CONTAINS DUPLICATES. THUS, REMEMBER TO USE BOTH TOOLS TO VERIFY YOUR RESULTS, AND DO NOT RELY ON A SINGLE TOOL.

    Source : https://hacklido.com/blog/383-introduction-to-forensic-data-carving
    THANK YOU

    You might also like