FILE CARVING
WHAT IS FILE CARVING??
File Carving is the process of reassembling computer files from
fragments in the absence of file system metadata.
It is the process of extracting a collection of data from a larger data set.
Data carving techniques are frequently used during a digital investigation
in computer forensics, when the unallocated file system space is
analysed to extract files.
The files are “carved” from the unallocated space using file type-specific
header and footer values.
COMPUTER FORENSICS
Computer forensics is a branch of digital forensic science
pertaining to legal evidence found in computers and digital storage
media.
The goal of computer forensics is to examine digital media in a
forensically sound manner with the aim of identifying, preserving,
recovering, analysing and presenting facts and opinions about the
digital information.
HOW THE DATA IS HIDDEN??
Deleting a File
  • Sends the file to the Windows Recycle Bin
  • Undelete tools depend on the deleted directory entry
      • That can be deleted or overwritten too
      • Then there is no undeleting possible
Store Files in a TrueCrypt/VeraCrypt/CipherShed Volume
  • Undetected as a file (except for my tools)
  • Looks like random data in unallocated space
FILE RECOVERY VS. FILE CARVING
FILE RECOVERY
• File recovery techniques make use of the file system information that remains after deletion of a file.
• For this technique to work, the file system information needs to be correct. If not, the files can’t be recovered.
FILE CARVING
• Carving deals with the raw data on the media.
• Carving doesn’t care about which file system is used to store the files.
HOW FILE CARVING WORKS??
File carving is a powerful technique for recovering files and fragments
of files when directory entries are corrupt or missing.
Every file type has its specific header and footer values. In File
Carving, raw data is searched block by block for residual data
matching the file type-specific header and footer values.
As long as data is not overwritten or wiped, deleted data on all
storage devices can be restored using carving techniques, including
multifunctional devices and even mobile phones.
EXAMPLE OF A FILE STRUCTURE
[Figure: example file structure, with the file header and file footer marked]
FILE CARVING ASSUMPTIONS
The files searched for are not fragmented.
The beginning of the file is still present.
The signature being searched for is not a common string, which could
cause numerous false positives.
The blocks of data searched one at a time are mostly 512 bytes in
size.
WHAT IF FRAGMENTATION OCCURS??
As files are edited, modified and deleted, most hard drives get
fragmented.
Fragmentation also depends on the allocation methodology of the file system.
Fragmentation in forensically important files like email, Word
documents etc. is high. Why?
  • Because of constant editing, deletion and addition, PST files are the most
    fragmented.
BASIC CARVING SCHEMES
• BiFragment Gap Recovery
  • Introduced by Simson L. Garfinkel, a noted authority in the computer forensics field.
  • He proposed that a high percentage of files were saved in two separate
    fragments, i.e., bifragment.
• SmartCarving
  • Introduced by A. Pal, N. Memon, T. Sencar and K. Shanmugasundaram.
  • It is used to carve out files that are divided into many fragments.
BIFRAGMENT GAP RECOVERY
BIFRAGMENT GAP RECOVERY (CONTD.)
Simson L. Garfinkel estimated that up to 58% of Outlook, 17% of JPEG
and 16% of MS-Word files are fragmented and, therefore, appear
corrupted or missing to a user using traditional data carving.
A. Pal, N. Memon, T. Sencar and K. Shanmugasundaram have
introduced a technique called SmartCarving that can recover
fragmented files.
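The header/footer search from HOW FILE CARVING WORKS and the bifragment idea above, as an added example that is not part of the original slides: a PNG carver that validates each candidate by chunk CRC and, when validation fails, tries every block-aligned gap between header and footer until the validator accepts. The choice of PNG, the 512-byte block size, the function names and the constructed disk image are assumptions of the example, and the gap search goes beyond what the slides spell out.

```python
import struct
import zlib

BLOCK = 512                                      # block size from the assumptions slide
PNG_HEADER = bytes.fromhex("89504e470d0a1a0a")   # PNG signature
PNG_FOOTER = bytes.fromhex("49454e44ae426082")   # "IEND" chunk type + its fixed CRC


def _chunk(kind, data):
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", zlib.crc32(kind + data))


def make_png(width=40, height=40):
    """Constructed sample file: 8-bit greyscale PNG, stored uncompressed so it spans 4 blocks."""
    rows = b"".join(b"\x00" + bytes((x * y) & 0xFF for x in range(width)) for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    return (PNG_HEADER + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows, 0)) + _chunk(b"IEND", b""))


def is_valid_png(data):
    """Validation step: walk the chunk list and check every CRC up to IEND."""
    if not data.startswith(PNG_HEADER):
        return False
    pos = len(PNG_HEADER)
    while pos + 12 <= len(data):
        (length,) = struct.unpack_from(">I", data, pos)
        end = pos + 12 + length
        if end > len(data):
            return False
        (crc,) = struct.unpack_from(">I", data, end - 4)
        if zlib.crc32(data[pos + 4:end - 4]) != crc:
            return False
        if data[pos + 4:pos + 8] == b"IEND":
            return True
        pos = end
    return False


def find_candidates(image):
    """Header/footer scan: headers only at block boundaries, first footer after each header."""
    found = []
    for start in range(0, len(image), BLOCK):
        if image.startswith(PNG_HEADER, start):
            foot = image.find(PNG_FOOTER, start)
            if foot != -1:
                found.append((start, foot + len(PNG_FOOTER)))
    return found


def bifragment_recover(image, start, end):
    """Assume exactly two fragments; drop each possible run of blocks and re-validate."""
    first, last = start // BLOCK, (end - 1) // BLOCK
    for gap_len in range(1, last - first):
        for gap_start in range(first + 1, last - gap_len + 1):
            joined = image[start:gap_start * BLOCK] + image[(gap_start + gap_len) * BLOCK:end]
            if is_valid_png(joined):
                return joined, (gap_start, gap_len)
    return None, None


def carve(image):
    """Carve every candidate; fall back to the gap search when plain carving fails validation."""
    results = []
    for start, end in find_candidates(image):
        blob, method, gap = image[start:end], "contiguous", None
        if not is_valid_png(blob):
            blob, gap = bifragment_recover(image, start, end)
            method = "bifragment" if blob is not None else "unrecovered"
        results.append({"offset": start, "method": method, "gap": gap, "data": blob})
    return results


def build_image():
    """Constructed disk image: one contiguous PNG, then the same PNG split by two foreign blocks."""
    png = make_png()
    blocks = png + b"\x00" * (-len(png) % BLOCK)
    filler = b"\xaa" * BLOCK
    junk = b"unrelated cluster ".ljust(BLOCK, b".")
    fragmented = blocks[:2 * BLOCK] + junk * 2 + blocks[2 * BLOCK:]
    return filler + blocks + filler + fragmented + filler, png


if __name__ == "__main__":
    image, _ = build_image()
    for hit in carve(image):
        print(hit["offset"], hit["method"], hit["gap"], len(hit["data"] or b""))
```

The gap is reported as (first gap block, number of gap blocks) in absolute block numbers of the image.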
SMART CARVING
Can work on fragmented and non-fragmented data.
Wide variety of file types supported.
Preprocessing
  • Data clusters are decrypted or decompressed.
Collating
  • Classification of cluster to various file types.
Reassembly
  • Reassemble the blocks in sequences that match their file type.
SMART CARVING (PREPROCESSING)
Compressed and encrypted drives are decrypted/decompressed in this
stage.
Known clusters are removed from the disk based on file system metadata.
  • Helps increase the speed and reduce the amount of data for the next phases.
Allocated files and operating system specific data can be pruned
since they don’t have any use in forensics.
SMART CARVING (COLLATING)
Classifies the disk clusters as belonging to certain file types.
Reduces the cluster pool in the recovery of files of each type.
Keyword/Pattern Matching
  • Looking for sequences to determine the type of cluster.
  • E.g. <html> tags in a cluster collate it to an HTML file.
ASCII character frequency
  • A high frequency of these indicates that the data is not video or image.
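The two collating heuristics above, as an added example that is not part of the original slides: each 512-byte cluster is labelled by printable-ASCII ratio first and HTML tag matching second, which yields a per-type pool of cluster numbers for reassembly. The thresholds, the tag list, the label names and the sample clusters are assumptions of the example.

```python
import hashlib
import re
from collections import defaultdict

CLUSTER = 512
# Assumed tag list; \b keeps "<p>" from matching "<pre>" and similar.
HTML_TAG = re.compile(rb"</?(html|head|body|div|p|a|table|tr|td|span|script)\b[^>]*>", re.I)
PRINTABLE = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
TEXT_RATIO = 0.95   # assumed threshold: at least 95% printable bytes counts as text
MIN_TAGS = 2        # assumed: a single tag-like sequence is not enough evidence


def ascii_ratio(cluster):
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not cluster:
        return 0.0
    return sum(b in PRINTABLE for b in cluster) / len(cluster)


def classify(cluster):
    """Label one cluster. The ASCII check runs first so that a chance
    tag-like byte run inside image or video data is never collated as HTML."""
    if cluster == bytes(len(cluster)):
        return "empty"
    if ascii_ratio(cluster) < TEXT_RATIO:
        return "binary"          # stays in the pool for image/video reassembly
    if len(HTML_TAG.findall(cluster)) >= MIN_TAGS:
        return "html"
    return "text"


def collate(image):
    """Return {label: [cluster numbers]} so each file type is reassembled from a smaller pool."""
    pools = defaultdict(list)
    for index in range(len(image) // CLUSTER):
        pools[classify(image[index * CLUSTER:(index + 1) * CLUSTER])].append(index)
    return dict(pools)


def build_sample():
    """Constructed six-cluster image: HTML start, binary, text log, HTML middle, zeros, binary."""
    def fit(data):
        return data[:CLUSTER].ljust(CLUSTER, b" ")

    def noise(seed):
        # Deterministic pseudo-random bytes standing in for compressed image data.
        out, state = b"", seed
        while len(out) < CLUSTER:
            state = hashlib.sha256(state).digest()
            out += state
        return out[:CLUSTER]

    return b"".join([
        fit(b"<html><head><title>report</title></head><body><p>quarterly figures</p>"),
        noise(b"a"),
        fit(b"2024-01-01 12:00:00 user login ok\n" * 20),
        fit(b"<tr><td>alpha</td><td>1</td></tr>\n" * 20),   # no <html> tag, still collates
        bytes(CLUSTER),
        noise(b"b"),
    ])


if __name__ == "__main__":
    for label, clusters in sorted(collate(build_sample()).items()):
        print(label, clusters)
```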
SMART CARVING (REASSEMBLY)
Reassembly can be done by
  • Finding the starting fragment of a file that contains the header.
  • Merging clusters belonging to same fragment.
  • Finding the fragmentation point i.e. the last cluster in current segment.
  • Starting point of next fragment.
  • Ending point of last fragment. Last cluster containing the footer.
FILE CARVING TAXONOMY
• Block Based Carving
• Statistical Carving
• Header/Footer Carving
• Header/Maximum File Size Carving
• Header/Embedded Length Carving
• File Structure Based Carving
• Semantic Carving
• Carving with Validation
• Fragment Recovery Carving
• Repackaging Carving
• Hash Carving
• Fuzzy Hash Carving
FILE CARVING TOOLS
Foremost - Originally designed by the US Air Force, it is a carver
designed for recovering files based on their headers, footers, and
internal data structures.
Scalpel - Scalpel is a rewrite of Foremost focused on performance
and a decrease of memory usage. It uses a database of header and
footer definitions and extracts matching files from a set of image files
or raw device files.
FILE CARVING TOOLS (CONTD.)
PhotoRec - PhotoRec is a data recovery software tool designed to recover lost files
from digital camera storage, hard disks, and CD-ROMs using an FTK (Forensic Toolkit)
imager.
  • It recovers most common photo formats, audio files, document formats such as
    Microsoft Office, PDF and HTML, and archive/compression formats.
FUTURE TOOLS
• Carver2.0
  • Open Source, in the early specification stages
• File Harvester
  • Combination of multiple methods: Block Based Carving, Statistical Carving,
    Header/Footer Carving, Header/Embedded Length Carving, File Structure
    Based Carving, Fragment Recovery Carving, Repackaging Carving (Phase 3),
    SmartCarving, Fuzzy Hash Carving
CONCLUSION
File Carving has revolutionized the computer forensics field by enabling
law enforcement to dig out digital evidence that was previously
inaccessible by earlier means.
New technologies & techniques in File Carving are making it easier to
recover data with more accuracy and efficiency.
File Carving is still a developing area of computer forensics and has
made further inroads in the recovery of ephemeral data from mobile
phones as evidence.
