
File Carving In Digital Forensics | Best Tools For It

In this article, we are going to learn about file carving in digital forensics. You will also learn about some of the tools used for file carving.

What is File Carving?

File carving is the process of recovering or reconstructing deleted or formatted files on a computer. It works by searching a raw data stream for file content and carving the deleted files out of it.

This process is very important in digital forensics, as the forensics expert has to investigate all the system files and also check for any deleted or formatted files for further investigation. To recover these deleted files, the forensics expert uses specialised software and programs to carve them out.

File carving is one of the best methods for recovering files when the file system’s directory structure is corrupt or missing. It is especially useful in cybercrime investigations to collect and restore evidence of the crime.

How Does File Carving Work?

There are many types of files on a system, so different file carving methods are used to recover different types of files. Let’s discuss some of them here.

Header-footer or header-maximum file size carving

In this method, we recover files based on their header and footer or file size.

Many file types have a well-known value or magic number in the first and last bytes and we can carve out those files based on these first and last bytes. Unfortunately, not all the file types have well-known bytes so we have to use the maximum file size option for carving the file out.

For example, if we are searching for a JPEG file and want to recover it, we already know the specific header and footer used by JPEG files:

JPEG – \xFF\xD8 header and \xFF\xD9 footer.

If we give this header and footer to a tool such as scalpel, we can carve the JPEG file out even after it has been deleted from the disk.

File Structure Based Carving

This technique uses the internal layout of a file. The elements we use to check are header, footer, identifier strings and size information, etc.

Content Based Carving

In content-based carving, we check the content structure and the content characteristics.

The content structure we look for is the loose structure of the data: is it MBOX, HTML, XML, etc.?

The Content Characteristics we look for are

  1. Character count
  2. Text/Language recognition
  3. White and Black listing of data (filter)
  4. Statistical attributes
  5. Information entropy

These are the basic types of carving. There is also semantics-based carving, but the ones above are the basic types we need to know for now.
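To make the content characteristics above concrete, here is an added example (not code from the article) that computes the information entropy and a printable-character ratio for fixed-size blocks of a constructed data stream, tags each block as filler, text, structured binary or compressed/encrypted, and applies the loose-structure check (MBOX, XML, HTML) only to blocks that look like text. The thresholds (0.95 printable ratio, 7.2 bits per byte), the block size and the sample stream are assumptions chosen for the demonstration.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(block: bytes) -> float:
    """Bits per byte: 0.0 for constant data, up to 8.0 for uniformly random bytes."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def printable_ratio(block: bytes) -> float:
    """Share of bytes that are printable ASCII or ordinary whitespace (tab, LF, CR)."""
    if not block:
        return 0.0
    printable = sum(1 for b in block if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return printable / len(block)


def sniff_structure(block: bytes) -> str:
    """Loose-structure check of the kind the article lists (MBOX, XML, HTML)."""
    head = block.lstrip()[:64].lower()
    if head.startswith(b"from "):          # classic mbox message separator
        return "mbox"
    if head.startswith(b"<?xml"):
        return "xml"
    if head.startswith(b"<!doctype html") or head.startswith(b"<html"):
        return "html"
    return "unknown"


def classify_block(block: bytes, text_ratio: float = 0.95, high_entropy: float = 7.2) -> dict:
    """Tag one block by its statistical attributes (thresholds are assumptions)."""
    h = shannon_entropy(block)
    p = printable_ratio(block)
    if h < 1.0:
        kind = "filler"                       # zeroed or near-constant sectors
    elif p >= text_ratio:
        kind = "text"
    elif h >= high_entropy:
        kind = "compressed-or-encrypted"      # no structure left to carve on
    else:
        kind = "binary"
    return {"kind": kind, "entropy": round(h, 3), "printable": round(p, 3),
            "structure": sniff_structure(block) if kind == "text" else "n/a"}


def scan_image(image: bytes, block_size: int = 512) -> list[tuple[int, str]]:
    """Walk the stream in fixed blocks and return (offset, kind) for each one."""
    return [(off, classify_block(image[off:off + block_size])["kind"])
            for off in range(0, len(image), block_size)]


# Constructed sample data for the demo (not taken from any real disk).
MBOX_TEXT = (b"From alice@example.com Mon Jan  1 00:00:00 2024\n"
             b"Subject: hello\n\nthis is a test message\n")


def pseudo_random(n: int, seed: bytes = b"cybervie-demo") -> bytes:
    """Deterministic stand-in for ciphertext: chained SHA-256 output."""
    out, cur = bytearray(), seed
    while len(out) < n:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return bytes(out[:n])


def build_sample_stream() -> bytes:
    """512 B of mbox text, 512 B of zeros, 512 B of structured binary, 4 KiB of noise."""
    text = (MBOX_TEXT * 6)[:512]
    filler = b"\x00" * 512
    binary = bytes(range(128)) * 4            # 128 equiprobable values: exactly 7.0 bits
    return text + filler + binary + pseudo_random(4096)


if __name__ == "__main__":
    stream = build_sample_stream()
    for off, kind in scan_image(stream):
        info = classify_block(stream[off:off + 512])
        print(f"{off:6d}  {kind:24s} entropy={info['entropy']:.3f} "
              f"printable={info['printable']:.2f} structure={info['structure']}")
```

The entropy band is the useful part: a block near 8 bits per byte is either compressed or encrypted, and neither has a header or footer a signature-based carver can use, so such blocks are usually skipped or handed to a different carving strategy.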

So these are the basics of file carving, now let’s jump on the best tools to use for file carving.

File Carving Tools

In this section, we are going to discuss some file carving tools: how to download and install them, and some basic usage.

Scalpel


The first tool in the list is “scalpel”. It is a very well-known file carving tool, originally a rewrite of “foremost”. Scalpel is available for both Windows and Linux.

In Kali Linux, scalpel comes pre-installed and can be directly used from the terminal by typing scalpel.

Official Link – https://github.com/machn1k/Scalpel-2.0

Below are the official compile instructions for scalpel.

COMPILE INSTRUCTIONS ON SUPPORTED PLATFORMS:

Linux/Mac OS X:    ./configure and then make

Windows:           cd to src directory and then:

	           mingw32-make -f Makefile.win

and enjoy.  If you want to install the binary and man page in a more
permanent place, just copy "scalpel" (or "scalpel.exe") and
"scalpel.1" to appropriate locations, e.g., on Linux, "/usr/local/bin"
and "/usr/local/man/man1", respectively.  On Windows, you'll also need
to copy the pthreads and tre regular expression library dlls into the
same directory as "scalpel.exe".

To use scalpel on Linux, we have to edit its configuration file, located at /etc/scalpel/scalpel.conf, and remove the hash (#) at the start of the line for our desired file type (every rule line in the file is commented out by default).

For example, if I want to find JPG files, I uncomment the line where JPG is written.

Then you can check all the options by typing scalpel -h or just scalpel.


Example command: scalpel -b -o /root/Desktop/directory DiskImage.img
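As an added example (not code from the article or from the scalpel project), the script below shows what the uncommented scalpel.conf lines and the example command do under the hood: it parses rules written in the column layout of scalpel.conf (extension, case flag, maximum size, header, optional footer), then performs the header-footer carving described earlier over a constructed in-memory image, cutting a carve at the maximum size when no footer is found. The conf text, the deliberately tiny 120-byte JPEG size cap and the sample image are constructed for the demo, and only the `\xHH` and `\s` escapes of the pattern syntax are handled.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed rules in the column layout of /etc/scalpel/scalpel.conf.
# The jpg line is the kind of entry the article uncomments; its max size of
# 120 bytes is unrealistically small so the size cap is visible below.
CONF_TEXT = r"""
# extension  case  size  header                              footer
jpg          y     120   \xff\xd8\xff                        \xff\xd9
png          y     2000  \x89\x50\x4e\x47\x0d\x0a\x1a\x0a    \x49\x45\x4e\x44\xae\x42\x60\x82
gif          y     2000  GIF8                                \x00\x3b
"""


@dataclass
class Rule:
    ext: str
    case_sensitive: bool
    max_size: int
    header: bytes
    footer: Optional[bytes]


def decode_pattern(text: str) -> bytes:
    """Turn a conf pattern (\\xHH hex escapes, \\s for a space) into raw bytes."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            if nxt == "x" and i + 3 < len(text):
                out.append(int(text[i + 2:i + 4], 16))
                i += 4
                continue
            if nxt == "s":
                out.append(0x20)
                i += 2
                continue
        out.append(ord(text[i]) & 0xFF)
        i += 1
    return bytes(out)


def parse_conf(text: str) -> list[Rule]:
    """Parse the uncommented rule lines; '#' lines stay disabled, as in scalpel."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        footer = decode_pattern(cols[4]) if len(cols) > 4 else None
        rules.append(Rule(cols[0], cols[1].lower() == "y", int(cols[2]),
                          decode_pattern(cols[3]), footer))
    return rules


def carve(image: bytes, rules: list[Rule]) -> list[tuple[str, int, bytes]]:
    """Header-footer carving with a header-maximum-size fallback.

    Each header hit is paired with the nearest footer inside max_size; if no
    footer is found in that window (overwritten or missing tail), the carve is
    cut at max_size, which is the header-maximum file size method."""
    found = []
    for rule in rules:
        hay = image if rule.case_sensitive else image.lower()
        header = rule.header if rule.case_sensitive else rule.header.lower()
        footer = rule.footer
        if footer is not None and not rule.case_sensitive:
            footer = footer.lower()
        start = 0
        while (pos := hay.find(header, start)) >= 0:
            limit = min(len(image), pos + rule.max_size)
            end = limit
            if footer is not None:
                fpos = hay.find(footer, pos + len(header), limit)
                if fpos >= 0:
                    end = fpos + len(footer)
            found.append((rule.ext, pos, image[pos:end]))
            start = pos + len(header)
    return sorted(found, key=lambda item: item[1])


def build_sample_image() -> bytes:
    """Constructed 'disk image': a complete JPEG, a GIF, and a JPEG whose footer is gone."""
    filler = b"\x00" * 64
    jpeg_ok = b"\xff\xd8\xff\xe0" + b"J" * 100 + b"\xff\xd9"
    gif = b"GIF89a" + b"G" * 50 + b"\x00\x3b"
    jpeg_truncated = b"\xff\xd8\xff\xe1" + b"T" * 30      # footer never written back
    return filler + jpeg_ok + filler + gif + filler + jpeg_truncated + b"\x00" * 200


if __name__ == "__main__":
    for ext, offset, data in carve(build_sample_image(), parse_conf(CONF_TEXT)):
        print(f"{offset:08d}.{ext}  {len(data)} bytes")
```

The truncated JPEG is the case to watch: without a footer the carver cannot know where the file ended, so the size cap decides, and the carved file carries trailing slack (here zeros) that a viewer may or may not tolerate. This is why a sensible maximum size per type matters, and why scalpel reports such carves separately.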

Bulk_extractor


bulk_extractor scans a disk image (or any other file) for a large number of pre-defined regular expressions and other kinds of content. When it finds a feature, bulk_extractor writes the output to an output file. Each line of the output file contains a byte offset at which the feature was found, a tab, and the actual feature. Features therefore cannot contain the end-of-line character.

It also includes native support for EnCase (.E01) and AFFLIB (.aff) files if it is compiled and linked on a system containing those libraries. Alternatively, the -R option can be used to recursively scan and process a directory of individual files (disk images in such a directory are treated as plain files, not as disk images).

bulk_extractor is multi-threaded. By specifying the -j option, multiple copies of the program can be run. Each thread writes its results into its own feature file.

bulk_extractor will also create a wordlist of all the words that are found in the disk image. This can be used as a dictionary for cracking encryption.
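As an added example that is not part of bulk_extractor, the snippet below reproduces the feature-file line format the text describes (byte offset, tab, feature, plus a context column) with a small email and URL scanner over a constructed image, escapes non-printable bytes so that no feature or context can contain an end-of-line character, reads the lines back, and builds a wordlist from the same data. The regular expressions, the context width and the 6-to-14 character word-length band are assumptions for the demo; the real tool's scanners are far more elaborate.

```python
import re

# Constructed scanners in the spirit of bulk_extractor's email and url scanners.
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9./_%?=&-]+")
WORD_RE = re.compile(rb"[A-Za-z0-9]+")

# Constructed "disk image": NUL padding, a line of text, some non-text bytes, a URL.
SAMPLE_IMAGE = (b"\x00" * 16
                + b"Contact: alice@example.com for details.\n"
                + b"\xff\xfe" * 8
                + b"visit http://example.org/page?id=7 now"
                + b"\x00" * 8)


def escape_feature(data: bytes) -> str:
    """Render bytes so a line never contains a tab or newline; non-printables become \\xNN."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in data)


def scan_features(image: bytes, pattern: re.Pattern, context: int = 8) -> list[str]:
    """Emit one 'offset<TAB>feature<TAB>context' line per hit, like a feature file."""
    lines = []
    for m in pattern.finditer(image):
        ctx = image[max(0, m.start() - context): m.end() + context]
        lines.append(f"{m.start()}\t{escape_feature(m.group(0))}\t{escape_feature(ctx)}")
    return lines


def parse_feature_file(text: str) -> list[tuple[int, str, str]]:
    """Read feature lines back, skipping the '#' header comments a feature file starts with."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        offset, feature, ctx = line.split("\t", 2)
        records.append((int(offset), feature, ctx))
    return records


def wordlist(image: bytes, min_len: int = 6, max_len: int = 14) -> list[str]:
    """Unique words within a length band: raw material for a password dictionary."""
    words = {m.group(0).decode("ascii")
             for m in WORD_RE.finditer(image)
             if min_len <= len(m.group(0)) <= max_len}
    return sorted(words)


if __name__ == "__main__":
    for name, pattern in (("email", EMAIL_RE), ("url", URL_RE)):
        print(f"# {name}.txt")
        for line in scan_features(SAMPLE_IMAGE, pattern):
            print(line)
    print("# wordlist", wordlist(SAMPLE_IMAGE))
```

The offset column is what makes a feature file useful in an investigation: once a hit is found, the examiner can go back to that byte offset in the image with a hex viewer or a carver and recover the surrounding file, which is why the format keeps the offset first and forbids line breaks inside a feature.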

Official Link – https://github.com/simsong/bulk_extractor

Bulk_Extractor is pre-installed in Kali Linux.

To build bulk_extractor in Linux or Mac OS:

  1. Make sure the required packages have been installed. The etc/ directory of the bulk_extractor source tree contains scripts that install the necessary packages for each platform.
  2. Then run these commands:
./configure
make
make install

We can also see all the options and the help menu by typing “bulk_extractor” or “bulk_extractor -h” in the terminal.

Foremost


Foremost is a console program to recover files based on their headers, footers, and internal data structures. This process is commonly referred to as data carving. Foremost can work on image files, such as those generated by dd, Safeback, Encase, etc, or directly on a drive. The headers and footers can be specified by a configuration file or you can use command line switches to specify built-in file types. These built-in types look at the data structures of a given file format allowing for a more reliable and faster recovery.

Foremost can recover many common file types, such as:

  1. jpg
  2. gif
  3. png
  4. exe
  5. rar
  6. zip
  7. htm
  8. mp4

How to install?

In Kali Linux or any other Debian-based Linux, we have to type the command:

sudo apt install foremost

For any other operating system, download the tar.gz archive from the official website and install it according to the instructions for that operating system.

Official Link – http://foremost.sourceforge.net/

Github – https://github.com/jonstewart/foremost

We can see all the options and flags by typing foremost, foremost -h, or man foremost (on Linux) in the terminal.

There are many other tools for file carving, such as:

  1. FTK
  2. Encase
  3. PhotoRec
  4. Revit
  5. TestDisk
  6. Magic Rescue
  7. F-Engrave

Conclusion

I hope you find the above information useful. There are lots of tools for file carving, but the tools mentioned above are trusted by the community and are among the best for file carving. Don’t just download any tool from Google and install it, because it can be malicious. Always read reviews and check before you proceed.

Resources

Our Blog Page – https://cybervie/blog/

Gary Kessler’s file signature table for identifying a file type from its header and magic number – https://www.garykessler.net/library/file_sigs.html
