File Recovery and Data Carving with Foremost, Scalpel, and Bulk Extractor

Now that we’ve learned how to create forensic images of evidence, let’s take a look at the file recovery and data carving process using Foremost, Scalpel, and Bulk Extractor.

When we last covered filesystems, we saw that various operating systems use their own filesystems to be able to store, access, and modify data. So too, storage media use filesystems to do the very same.

Metadata, or data about data, helps the operating system identify the data. Metadata includes technical information, such as the creation and modification dates, and the file type of the data. This data makes it much easier to locate and index files.

File carving retrieves data and files from unallocated space using specific characteristics such as file structure and file headers, instead of traditional metadata created by, or associated with, filesystems.

As the name implies, unallocated space is an area of storage media that has been marked by the operating system or file table as empty or unallocated to any file or data. Although the location of, and information about, the files are not present and sometimes corrupted, there are still characteristics about the file that reside in its header and footer that can identify the file or even fragments of the file.

Even if a file extension has been changed or is missing altogether, file headers contain information that can identify the file type and attempt to carve the file by analyzing header and footer information. Data carving is quite a lengthy process and should be done using automated tools to save time. It also helps if the investigator has an idea of what file types they are looking for, to have a better focus and to save time. Nevertheless, this is forensics and we know that time and patience are key.

Some common file types, as displayed in hexadecimal format within the file headers, include:

  • Joint Photographic Experts Group (JPEG):  FF D8 FF E0
  • Portable Document Format (PDF):  25 50 44 46

While more on analysis of files and headers will be looked at in later chapters, let’s have a look at three tools for data carving in Kali Linux.

..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset