metadata. In file carving, specified file types are searched for and extracted from the raw binary data of a forensic image of a partition or an entire disk. File carving recovers files from the unallocated space on a drive based merely on file structure and content, without any matching file system metadata. Unallocated space refers to the part of the drive that the file system structures, such as the file table, no longer point to as holding any file; the content of deleted files often remains there until it is overwritten.
Files can be recovered or reconstructed by scanning the raw bytes of the disk and reassembling them. This can be done by examining the header (the first few bytes) and footer (the last few bytes) of a file.
File-carving methods are categorized by the underlying technique in use. The header-footer carving method recovers files based on their header and footer signatures. For instance, JPEG files start with the bytes 0xffd8 (the SOI marker) and end with 0xffd9 (the EOI marker). The locations of the header and footer are identified and everything between those two endpoints is carved. Two practical points apply: the carver needs an upper bound on the file size so that a header with no matching footer does not swallow the rest of the image, and the first footer after a header is not always the right one. A JPEG that carries an EXIF thumbnail contains a second 0xffd8 ... 0xffd9 pair inside the outer one, so a naive carve stops at the thumbnail's end marker and yields a truncated image. Similarly, file structure based carving uses the internal layout of a file (its segments or chunks) to reconstruct the file. But the traditional file-carving techniques just described assume that a file is stored contiguously and may not work if the data is fragmented. To overcome this, newer techniques such as smart carving use the fragmentation characteristics of several popular file systems to recover the data.
Once the phone is imaged, the image can be analyzed using tools such as Scalpel. Scalpel is a powerful open source file carving utility. It reads the raw bytes of an image or device, locates the header and footer signatures listed in its configuration file, and writes each matching byte range out as a recovered file, whether or not the file system still references it. Because it works on raw data, Scalpel is file system independent and is known to work on images of various file systems including FAT, NTFS, EXT2, EXT3, HFS, and more. The following steps explain how to use Scalpel on an Ubuntu workstation:
1. Install Scalpel on the Ubuntu workstation using the command sudo apt-get install scalpel.
2. The scalpel.conf file present under the /etc/scalpel directory contains information about the supported file types, as shown in the following screenshot:
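The screenshot of scalpel.conf is not reproduced in this text. As an added example that is neither the book's code nor Scalpel's own source, the Python script below carries two rules written in the column layout scalpel.conf uses (extension, case-sensitivity flag, maximum size, header, optional footer, with bytes written as \xNN) and runs header-footer carving with them over a constructed image, the technique described earlier for the JPEG 0xffd8/0xffd9 markers. The sample "files", the image layout and the size limits are constructed for the example, and the parser handles only the plain \xNN syntax, leaving out Scalpel's wildcard, REVERSE and NEXT keywords. Two of the three hits show where plain header-footer carving fails: a JPEG with an embedded EXIF thumbnail is cut short at the thumbnail's EOI marker, and a fragmented GIF comes back with the foreign bytes that sit between its fragments.

```python
"""Header-footer carving driven by rules in the column layout of scalpel.conf.

Added example, not code from the book or from Scalpel itself. Only the plain
\\xNN header/footer syntax is handled; Scalpel's '?' wildcards and its REVERSE
and NEXT keywords are left out.
"""
import re

# Two rules written the way scalpel.conf lays them out: extension,
# case-sensitive flag (y/n), maximum carve size in bytes, header, optional
# footer. The byte values are the real JPEG SOI/EOI markers (FF D8 / FF D9)
# and the GIF89a signature with its 00 3B trailer; the size limits are
# chosen for this example.
RULES_TEXT = r"""
# ext   case  size      header                    footer
jpg     y     200000    \xff\xd8\xff\xe1          \xff\xd9
gif     y     5000000   \x47\x49\x46\x38\x39\x61  \x00\x3b
"""

# Constructed sample files: only the marker layout matters, not real pixels.
JPEG_PLAIN = b"\xff\xd8\xff\xe1" + b"P" * 20 + b"\xff\xd9"
# A JPEG whose APP1/EXIF segment embeds a thumbnail that is itself a JPEG,
# so a second SOI/EOI pair sits inside the outer one.
THUMB = b"\xff\xd8\xff\xdb" + b"T" * 8 + b"\xff\xd9"
JPEG_EXIF = b"\xff\xd8\xff\xe1" + b"E" * 4 + THUMB + b"I" * 16 + b"\xff\xd9"
GIF_FULL = b"GIF89a" + b"G" * 30 + b"\x00\x3b"


def build_image() -> bytes:
    """Lay the sample files into a fake unallocated-space image. The GIF is
    stored fragmented: its two halves are separated by 32 bytes of Z's."""
    gap = b"\x00" * 8
    return (b"\x00" * 16 + JPEG_PLAIN + gap + JPEG_EXIF + gap
            + GIF_FULL[:20] + b"Z" * 32 + GIF_FULL[20:] + b"\x00" * 16)


def unescape(token: str) -> bytes:
    r"""Turn a scalpel.conf token such as \xff\xd8 into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(token):
        if token.startswith("\\x", i) and i + 4 <= len(token):
            out.append(int(token[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(token[i]))
            i += 1
    return bytes(out)


def parse_rules(text: str) -> list:
    """Read rule lines; '#' starts a comment and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 4:
            raise ValueError(f"malformed rule: {line!r}")
        ext, case, size, header = parts[:4]
        flags = 0 if case == "y" else re.IGNORECASE
        footer = unescape(parts[4]) if len(parts) > 4 else b""
        rules.append({
            "ext": ext,
            "max_size": int(size),
            "header": re.compile(re.escape(unescape(header)), flags),
            "footer": re.compile(re.escape(footer), flags) if footer else None,
        })
    return rules


def carve(image: bytes, rules: list) -> list:
    """Header-footer carving. For every header hit, look for the footer within
    max_size bytes and cut everything from the header through the footer.
    With no footer in range this example carves max_size bytes (the choice
    made here rather than dropping the hit). Returns (ext, offset, data)."""
    carved = []
    for rule in rules:
        for hit in rule["header"].finditer(image):
            start = hit.start()
            window = image[start:start + rule["max_size"]]
            end = start + len(window)
            if rule["footer"] is not None:
                # Start the footer search just past the header itself.
                foot = rule["footer"].search(window, hit.end() - start)
                if foot:
                    end = start + foot.end()
            carved.append((rule["ext"], start, image[start:end]))
    return carved


if __name__ == "__main__":
    for ext, offset, data in carve(build_image(), parse_rules(RULES_TEXT)):
        print(f"{ext} at offset {offset}: {len(data)} bytes")
```

Running the script lists three hits. The first JPEG comes back intact; the second is 22 bytes instead of 40 because the thumbnail's 0xffd9 was taken as the end of the outer file; the GIF is 70 bytes instead of 38 because the 32 filler bytes between its fragments were carved along with it. Those are exactly the cases that file structure based and smart carving set out to handle.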