Carving contiguous and fragmented files with fast object validation
Garfinkel, Simson L.
"File carving" reconstructs files based on their content, rather than using metadata that points to the content. Carving is widely used for forensics and data recovery, but no file carvers can automatically reassemble fragmented files. We survey files from more than 300 hard drives acquired on the secondary market and show that the ability to reassemble fragmented files is an important requirement for forensic work. Next we analyze the file carving problem, arguing that rapid, accurate carving is best performed by a multi-tier decision problem that seeks to quickly validate or discard candidate byte strings -- "objects" -- from the media to be carved. Validators for the JPEG, Microsoft OLE (MSOLE) and ZIP file formats are discussed. Finally, we show how high-speed validators can be used to reassemble fragmented files.
Showing items related by title, author, creator and subject.
Mikus, Nicholas A. (Monterey, California. Naval Postgraduate School, 2005-03); Disc carving is an essential element of computer forensic analysis. However the high cost of commercial solutions coupled with the lack of availability of open source tools to perform disc analysis has become a hindrance ...
Garfinkel, Simson L. (Monterey, California. Naval Postgraduate School, 2013-12-05); This talk presents new carving and analysis features in tcpflow and bulk_extractor.
Beverly, Robert; Garfinkel, Simson; Cardwell, Greg (2011-08); Using validated carving techniques, we show that popular operating systems (e.g. Windows, Linux, and OSX) frequently have residual IP packets, Ethernet frames, and associated data structures present in system memory from ...