SecureArtisan

My Road to Digital Forensics Excellence

File Carving Experiments, Part 2

Posted by Paul Bobby on November 4, 2008

The best candidate for carving are those file formats that come with identifiable File Headers as well as an identifiable File Footer. The following are the ones I’m typically interested in: (Source Scalpel and File Finder Enscript)

File type File Header File Footer
JPG \xff\xd8\xff\xe0\x00\x10 \xff\xd9
GIF GIF8[79]a \x00\x3b
MPEG \x00\x00\x01[\xba\xb3] \x00\x00\x01[\xb9\xb7]
ZIP PK\x03\x04 PK\x05\x06

The File Finder enscript has readable/extendable source code so that new file signatures can be easily added to it.

image

When executing the File Finder, it permits the enduser the ability to add new file signatures to be searched for, however it is only through modifying the source code that the File Footer can be added. For example, I have highlighted both the header and footer for the GIF file format above.

The File Finder enscript performs very well against JPG, ZIP and GIF file recoveries.

ZIP

File Finder found 6 hits. If you recall from Part 1, there are three ZIP files on the thumb drive; three of the six hits correspond directly to these three files and all three were exported in their entirety.

The other three ZIP files are compressed XML components within the file, PurchaseRequest.xls. My Cluster Boundary approach would not have found these files, so that is a big plus for File Finder.

JPG

File Finder found 7 hits. Only two JPG files were explicitly written to the thumb drive, what are the remaining 5 hits? Four of the JPG hits were of images within the PDF files that are on the thumb drive – a cluster boundary approach would not have found these. The last JPG is this file:

image

Looks like a thumbnail (and might be familiar to those who have recently completed the EnCE Practical!)

The search hit was found at File Offset 1214076 in UA (which starts at sector 3991), so the actual sector is 6362. Take a look at the file listing in Part 1 and you’ll see that the closest candidate file is "junk.rtf". And lo and behold, this RTF file is a report from my EnCE practical, and the RTF contains the above JPG thumbnail.

Again cluster boundary searching would not have found this, although please remember that I do not claim that searching at the beginning of clusters is the only way to recover files.

More to follow….

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: