File Carving In Digital Forensics | Best Tools For It

In this article, we are going to learn about File Carving in Digital Forensics. Here you also going to learn about some of the file carvings tools.

What is File Carving?

File Carving is a process to recover or reconstruct the deleted or formatted files in the computer. It is the process of searching a file in a data stream and carve out deleted files.

This process is very important in Digital Forensics, as the forensics expert has to investigate all the system files and they also have to check for any deleted or formatted files for further investigation. To recover these deleted files the forensics expert uses certain software and programs to carve out these files.

File carving is one of the best methods for recovering the files if the entire directory is corrupt or missing. It’s especially used in cybercrimes to collect and restore evidence at the crime.

How File Carving Works?

There are many types of files in the systems, therefore to recover different types of files different methods of file carving are used. Let’s discuss some of them here-

Header-footer or header-maximum file size carving

In this method, we recover files based on their header and footer or file size.

Many file types have a well-known value or magic number in the first and last bytes and we can carve out those files based on these first and last bytes. Unfortunately, not all the file types have well-known bytes so we have to use the maximum file size option for carving the file out.

For example – If we are searching for a JPEG file and want to recover the file, we already know that there are some specific headers and footers that are used in JPEG files

JPEG – ”xFFxD8″ header and “xFFxD9” footer.

If we define this header and footer to some specific tools (scalpel), we can carve out the JPEG file if it is deleted from the disk.

File Structure Based Carving

This technique uses the internal layout of a file. The elements we use to check are header, footer, identifier strings and size information, etc.

Content Based Carving

In content-based carving, we check the content structure and the content characteristics.

Basically, the Content Structure we look for is, whether the loose structure is MBOX, HTML, XML, etc.

The Content Characteristics we look for are

  1. Character count
  2. Text/Language recognition
  3. White and Black listing of data (filter)
  4. Statistical attributes
  5. Information entropy

These are the basic types of carving. There is a semantics-based Carving, but these are the basic carving we have to know for the time being.

So these are the basics of file carving, now let’s jump on the best tools to use for file carving.

File Carving Tools

In this section, we are going to discuss some file carving tools, How to download and install them, and some basic usage of them.

Scalpel

scalpel | File Carving tool | Cybervie

So the first tool in the list is “scalpel”. It is a very well-known tool for file carving and a reprogrammed version of the “foremost”. Scalpel is available for both Windows and Linux.

In Kali Linux, scalpel comes pre-installed and can be directly used from the terminal by typing scalpel.

Official Link – https://github.com/machn1k/Scalpel-2.0

Below is the official Compile Instruction of the scalpel.

COMPILE INSTRUCTIONS ON SUPPORTED PLATFORMS:

Linux/Mac OS X:    ./configure and then make

Windows:           cd to src directory and then:

	           mingw32-make -f Makefile.win

and enjoy.  If you want to install the binary and man page in a more
permanent place, just copy "scalpel" (or "scalpel.exe") and
"scalpel.1" to appropriate locations, e.g., on Linux, "/usr/local/bin"
and "/usr/local/man/man1", respectively.  On Windows, you'll also need
to copy the pthreads and tre regular expression library dlls into the
same directory as "scalpel.exe".

For using scalpel in Linux we have to change the configuration file of the scalpel which is located at  /etc/scalpel/scalpel.conf and remove the hashes from the line where our desired file type is written.

For eg: If I want to find a JPG file I will remove has or Uncomment the line where JPG is written

scalpen.conf | cybervie

Then you can check all the options by typing scalpel -h or just scalpel.

scalpel help menu | file carving in digital forensics| Cybervie

Example command: scalpel -b -o /root/Desktop/directory DiskImage.img

Bulk_extractor

Bulk_extractor banner  | Cybervie

bulk_extractor scans a disk image (or any other file) for a large number of pre-defined regular expressions and other kinds of content. When it finds a feature, bulk_extractor writes the output to an output file. Each line of the output file contains a byte offset at which the feature was found, a tab, and the actual feature. Features therefore cannot contain the end-of-line character.

Also, It includes native support for EnCase (.E01) and AFFLIB (.aff) files if it is compiled and linked on a system containing those libraries. Alternatively, the -R option can be used to recursively scan and process a directory of individual files (basically, disk images in such a directory will be treated as files, not as disk images).

bulk_extractor is multi-threaded. By specifying the -j option, multiple copies of the program can be run. Each thread writes its results into its own feature file.

bulk_extractor will also create a wordlist of all the words that are found in the disk image. This can be used as a dictionary for cracking encryption.

Official Link – https://github.com/simsong/bulk_extractor

Bulk_Extractor is pre-installed in Kali Linux.

To build bulk_extractor in Linux or Mac OS:

  1. Make sure required packages have been installed. You can do this by going into the etc/ directory and looking for a script that installs the necessary packages for your platform.
  2. Then run these commands:
./configure
make
make install

we can also see all the options and help menu by writing the command “bulk_extractor” or “bulk_extractor -h” in the terminal.

bulk_extractor | file carving tool | Cybervie

Foremost

Foremost data carving tool | Cybervie

Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.

Foremost can recover almost every file, like:

  1. jpg
  2. gif
  3. png
  4. exe
  5. rar
  6. zip
  7. htm
  8. mp4

How to install?

In Kali Linux/Any Debian based Linux, we have to type command,

sudo apt install foremost

Basically, For any other operating system, we have to download the tar.gz file from the official website and install it according to the operating system.

Official Link – http://foremost.sourceforge.net/

Github – https://github.com/jonstewart/foremost

We can see all the options and flags by typing foremost or foremost -h or man foremost(For Linux) in the terminal.

foremost file carving tool | Cybervie

There are lots of tools for file carving like:

  1. FTK
  2. Encase
  3. PhotoRec
  4. Revit
  5. TestDisk
  6. Magic Rescue
  7. F-Engrave

Conclusion

I hope you find the above information useful. There are lots of for file carving. But the tools that are mentioned above are trusted by the community and are one of the best tools for File carving. Don’t just download any tool from google and install it because it can be malicious. Always read reviews and check before you proceed.

Resources

Our Blog Page – https://cybervie/blog/

Garry Kesler’s File signatures for IDentifying the type of File from it’s header and Magic number – https://www.garykessler.net/library/file_sigs.html

About Cybervie

Cybervie provides best cyber security training program in hyderabad, India.This cyber security course enables you to detect vulnerablities of a system, wardoff attacks and manage emergency situations. Taking a proactive approach to security that can help organisations to protect their data, Cybervie has designed its training module based on the cyber security industry requirements with three levels of training in both offensive and defensive manner, and use real time scenarios which can help our students to understand the market up-to its standard certification which is an add on advantage for our students to stand out of competition in an cyber security interview.

More Info – Click Here

Share on facebook
Share on twitter
Share on linkedin
Share on whatsapp

Recent Posts

Follow Us on Youtube

Cyber Security Training Program 2020

Cyber security Course offered by Cybervie prepares students for a path of success in a highly demanding and rapidly growing field of cyber security. The course is completely designed with an adaptable mindset, where the program allows the student to complete the course work at their own pace while being able to complete weekly assignments. Hence, also making it convenient for busy working professionals to pursue the training to help them advance their career in cyber security.

Cybervie has designed the training module based on the cyber security industry requirements in both offensive and defensive manner, using real time scenarios which help our students to understand the market standards.

Sign up for our Newsletter

Interested in Cyber Security Training Program 2020 – Click Here