My Road to Digital Forensics Excellence

File Carving Experiments, Part 1

Posted by Paul Bobby on November 4, 2008

A hard drive landed in my lap that had been formatted thusly: 80 GB drive, originally two partitions of 36 GB each. The first partition was reformatted FAT32, and the second NTFS. Oh boy, another file carving nightmare. After a couple of false starts with various file carving tools, I began to wonder if there wasn’t a better way.

I posted to the Guidance Software forums some theorycraft as to whether or not it makes sense to only search for deleted files that begin at cluster boundaries. The NTFS file system (and as far as I know, all others) writes new data to the media by starting at the beginning of a cluster and writing data from there. Furthermore, the art of file carving is most commonly based around searching for the file signature, that is, the first few bytes of a file. So why spend time searching anything but the first few bytes of the first sector of a cluster for deleted files?

In the spirit of experimentation, and of finding things out for myself, I wrote an EnScript, tested some tools, and learnt quite a bit about file carving along the way. Here’s the setup I used.

  1. Wiped a 1 GB thumb drive using Eraser with a wipe pattern of 0xFF. I did this with the intent of getting no false positive hits on the file carving tests other than against the files I had deliberately put on the thumb drive. This also had the nice side effect of making the hex/text view of the thumb drive very readable, since the data is separated by big chunks of 0xFF.
  2. I then formatted the thumb drive as FAT32.
  3. The following files were copied to the thumb drive:
     [image: list of the files copied to the thumb drive]
  4. I took an image of the thumb drive, write blocked of course.
  5. Formatted the thumb drive as FAT32 again.
  6. Took a second image of the thumb drive.

These two EnCase images became the test environment for my file carving experiments.
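To make the cluster-boundary idea concrete, and to mirror the 0xFF-wiped test volume from the setup steps, here is an added Python example. It is not part of the original post and is not the author's EnScript. It builds a synthetic volume in memory (an assumed 4 KiB cluster size, an assumed data-area offset of eight clusters, and three constructed files that carry real header magic but filler bodies), writes the files at cluster boundaries, then carves the image twice: once checking only the first bytes of each cluster, and once checking every byte offset the way most carvers do. The constructed JPEG deliberately contains an embedded thumbnail, so a second JPEG signature sits inside an allocated file.

```python
"""Cluster-aligned signature search versus a byte-by-byte search.

Added example, not code from the original post. Everything below is
constructed: the cluster size, the data-area offset and the file bodies
are assumptions chosen to make the comparison easy to follow.
"""

CLUSTER_SIZE = 4096              # assumed cluster size of the test volume
DATA_START = 8 * CLUSTER_SIZE    # assumed offset of the first data cluster
                                 # (after reserved sectors and FATs on FAT32)

# Standard header magic for the three file types carved here.
SIGNATURES = {
    "jpeg": b"\xFF\xD8\xFF",
    "png":  b"\x89PNG\r\n\x1a\n",
    "zip":  b"PK\x03\x04",
}


def make_test_files():
    """Constructed sample files: real header bytes, filler bodies.

    The JPEG carries a fake APP1 segment with an embedded thumbnail, so a
    second JPEG signature sits inside it at byte offset 60. That is the
    kind of hit a byte-by-byte carver reports as a separate file.
    """
    thumb = SIGNATURES["jpeg"] + b"\xE0" + b"\x00" * 100 + b"\xFF\xD9"
    jpeg = (SIGNATURES["jpeg"] + b"\xE1" + b"Exif\x00\x00"
            + b"\x00" * 50 + thumb + b"\x00" * 300 + b"\xFF\xD9")
    png = SIGNATURES["png"] + b"\x00" * 500 + b"IEND\xaeB`\x82"
    zipf = SIGNATURES["zip"] + b"\x00" * 5000      # spans two clusters
    return {"jpeg": jpeg, "png": png, "zip": zipf}


def build_volume(n_clusters=32):
    """Lay the test files out on a 0xFF-wiped volume at cluster boundaries.

    Returns the volume bytes and a dict of where each file was placed.
    """
    vol = bytearray(b"\xFF" * (n_clusters * CLUSTER_SIZE))
    files = make_test_files()
    layout = {"jpeg": 2, "png": 4, "zip": 5}   # assumed cluster numbers,
    placed = {}                                 # relative to DATA_START
    for name, cluster in layout.items():
        off = DATA_START + cluster * CLUSTER_SIZE
        vol[off:off + len(files[name])] = files[name]
        placed[name] = off
    return bytes(vol), placed


def carve_aligned(vol, cluster_size=CLUSTER_SIZE, data_start=DATA_START):
    """Check only the first bytes of each cluster for a known signature."""
    hits = []
    for off in range(data_start, len(vol), cluster_size):
        head = vol[off:off + 16]
        for name, sig in SIGNATURES.items():
            if head.startswith(sig):
                hits.append((off, name))
    return hits


def carve_bytewise(vol, data_start=DATA_START):
    """Search every byte offset for each signature (the usual approach)."""
    hits = []
    for name, sig in SIGNATURES.items():
        pos = vol.find(sig, data_start)
        while pos != -1:
            hits.append((pos, name))
            pos = vol.find(sig, pos + 1)
    return sorted(hits)


def compare():
    """Run both carvers over the synthetic volume and report the difference."""
    vol, _placed = build_volume()
    aligned = carve_aligned(vol)
    bytewise = carve_bytewise(vol)
    extra = [h for h in bytewise if h not in aligned]
    return aligned, bytewise, extra


if __name__ == "__main__":
    aligned, bytewise, extra = compare()
    print("cluster-aligned hits:", aligned)
    print("byte-by-byte hits:   ", bytewise)
    print("only found bytewise: ", extra)   # the embedded thumbnail
```

The aligned scan touches 16 bytes per cluster instead of every byte, and it ignores the thumbnail signature inside the allocated JPEG; the byte-by-byte scan reports it as a fourth file. The trade-off is that the aligned scan misses anything whose header is not at a cluster boundary, so it depends on getting the data-area offset right: on a real FAT32 volume, compute it from the boot sector as (reserved sectors + number of FATs × sectors per FAT) × bytes per sector, rather than assuming a fixed value as this example does.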

More to follow

