Data carving is a technique used in cyber forensics when data cannot be identified or extracted from media by a simple procedure, because the file system allocation information that identifies the sectors or clusters belonging to the file or data is no longer available. It is a helpful technique for finding hidden or deleted files on digital media. A file can be hidden in areas such as lost clusters, unallocated clusters, or the slack space of the disk or digital media. To be extracted by this method, a file must have a standard file signature, called the file header (start of the file). A search locates the file header and continues until the file footer (end of the file) is reached. The data between these two points is extracted and analyzed to validate the file. The extraction algorithm uses different carving methods depending on the file format. To optimize the search for header signatures on digital media, it is sufficient to check the first few bytes of every cluster or sector. For embedded files (such as thumbnails in thumbs.db or a jpeg in a .doc), the search has to be performed byte by byte.
Picture files (jpeg, gif, bmp, png), html, zip, compound documents (doc, ppt, excel, thumbs.db), pdf and video files (avi, dat, mp4, mov, wmv, 3gp) can be carved using this tool. The tool was developed with two challenges in mind: first, carving files from hidden areas of the digital media when a file system exists; second, carving files from any raw image, whether or not it has a file system. To carve files from hidden areas only, it comes as a module of CyberCheck V4.0 (a disk analysis tool). This module provides in-place (or zero storage) carving from lost clusters, unallocated clusters and disk slack. To carve files from any raw image, it comes as a stand-alone tool that requires external storage to hold the carved files of interest.
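The header-to-footer search described above, including the difference between the sector-aligned scan and the byte-by-byte scan, can be sketched as follows. This is an added example, not code from CyberCheck or the carving tool; the 512-byte sector size, the function names and the sample image are assumptions, and the validation step is left out.

```python
# Added example: signatures are the standard JPEG SOI/EOI markers; the
# 512-byte sector size and the sample image are assumptions for illustration.
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"
SECTOR = 512


def header_offsets(image, aligned=True):
    """Yield header offsets: sector starts only, or every byte position."""
    if aligned:
        for off in range(0, len(image), SECTOR):
            if image.startswith(JPEG_HEADER, off):
                yield off
    else:
        off = image.find(JPEG_HEADER)
        while off != -1:
            yield off
            off = image.find(JPEG_HEADER, off + 1)


def carve_jpegs(image, aligned=True, max_size=10 * 1024 * 1024):
    """Return [(offset, data)] for every header with a footer within max_size."""
    carved, resume = [], 0
    for start in header_offsets(image, aligned):
        if start < resume:
            continue  # signature lies inside the file carved just before
        end = image.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + max_size)
        if end == -1:
            continue  # no footer in range: truncated or overwritten data
        end += len(JPEG_FOOTER)
        carved.append((start, image[start:end]))
        resume = end
    return carved


def build_sample_image():
    """Constructed 4-sector image: one blob at a sector start, one mid-sector."""
    jpeg_a = JPEG_HEADER + b"\xe0" + b"A" * 40 + JPEG_FOOTER
    jpeg_b = JPEG_HEADER + b"\xe1" + b"B" * 20 + JPEG_FOOTER
    image = bytearray(4 * SECTOR)
    image[SECTOR:SECTOR + len(jpeg_a)] = jpeg_a
    image[3 * SECTOR + 100:3 * SECTOR + 100 + len(jpeg_b)] = jpeg_b
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for mode in (True, False):
        print(mode, [(o, len(d)) for o, d in carve_jpegs(img, mode)])
```

The aligned scan misses the blob placed mid-sector, which is the embedded-file case that needs the byte-by-byte search. Stopping at the first footer also truncates a JPEG that contains its own embedded thumbnail, which is one reason carved data has to be validated afterwards.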