There are two kinds of people in this world: those with automated forensics tools and those who carve files. This post is for the second kind. Digital forensics, like other branches of forensic science, relies on artefacts and the effects those artefacts have on an environment; the presence or absence of these artefacts hopefully helps prove or determine that an event occurred. I’ll explore this much more in further posts, but this post focuses explicitly on File Carving.
So what is File Carving?
In layman’s terms, File Carving is the process of taking “chunks” of data out of disk images, memory dumps, packet captures and the like: basically files or data in a raw state. In most cases this is done by looking for recognisable signatures in dumps that look like garbage to the untrained eye.
So why carve Files?
File carving can often be time consuming and tedious; however, the basic concepts of file carving are important cornerstones of data recovery and Computer Forensics. If you don’t know how to carve files I highly recommend you start now. Even though it can be time consuming and tedious, it’s an important skill to have and, as this post will hopefully show, not that hard either.
What I used?
I performed the majority of the File Carving for this post on Windows, where I used HxD. On Mac OS X I used iHEX and on Linux I used the BLESS Hex Editor. They can all be found here:
- Hxd: http://mh-nexus.de/en/hxd/
- iHEX: https://itunes.apple.com/au/app/ihex-hex-editor/id909566003?mt=12
- BLESS: http://home.gna.org/bless/
| File type | Header (hex) | Footer (hex) |
|---|---|---|
| .jpeg/.jpg | FF D8 | FF D9 |

So to find a .jpg/.jpeg file you need to locate the header, which starts with the hex values FF D8, and its footer, FF D9.
You can extract the image by selecting all of the data from FF D8 to FF D9 using the hex editor’s built-in selector.
Once you have the selection, paste it into a new file and try opening it. As you can see, we have successfully pulled a file out of a bunch of raw data. Here’s what the finished product looks like:
| File type | Header (hex) | Footer (hex) |
|---|---|---|
| .pdf | 25 50 44 46 2D 31 2E | 25 25 45 4F 46 |

So to find a .pdf file you need to locate the header, which starts with the hex values 25 50 44 46 2D 31 2E, and its footer, 25 25 45 4F 46. Much like above, you can extract the file by selecting all of the data from the header to the footer using the hex editor’s built-in selector:
Paste that selection into a new file and presto – you have your .pdf file:
| File type | Header (hex) | Footer (hex) |
|---|---|---|
| .zip | 50 4B 03 04 14 | 50 4B 05 06 00 |

.zip files are always interesting, chiefly because they allow you to uncover more files! Extracting a .zip follows the same process as the two examples above, with a different header and footer:
A handy tip: work on Linux or UNIX when manipulating .zip files; it seems to handle them much better than Windows.
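The three header-and-footer walks above, done in code rather than by hand: an added Python example that is not from the original post. It scans a constructed raw dump for the same three signatures; the one detail beyond the post is that the ZIP "footer" 50 4B 05 06 is the start of the End Of Central Directory record, so the carve has to include the rest of that record for the archive to open.

```python
import io
import zipfile

# Header/footer pairs from the post. The ZIP "footer" is the start of the End Of Central
# Directory (EOCD) record, 22 bytes plus an optional comment, so the carve must run past it.
SIGNATURES = {
    "jpg": (b"\xFF\xD8", b"\xFF\xD9"),             # FF D8 .. FF D9
    "pdf": (b"%PDF-1.", b"%%EOF"),                  # 25 50 44 46 2D 31 2E .. 25 25 45 4F 46
    "zip": (b"PK\x03\x04\x14", b"PK\x05\x06\x00"),  # 50 4B 03 04 14 .. 50 4B 05 06 00
}

def carve(blob: bytes):
    """Return (kind, offset, data) for every header/footer pair found, sorted by offset."""
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = 0
        while (start := blob.find(head, pos)) != -1:
            end = blob.find(foot, start + len(head))
            if end == -1:
                break              # header with no footer: truncated, or not a file at all
            if kind == "zip":
                # bytes 20..21 of the EOCD record hold the trailing comment length
                comment_len = int.from_bytes(blob[end + 20:end + 22], "little")
                end += 22 + comment_len
            else:
                end += len(foot)
            found.append((kind, start, blob[start:end]))
            pos = end
    return sorted(found, key=lambda f: f[1])

# Constructed samples: a minimal JPEG-shaped blob, a minimal PDF and a real (stored) ZIP.
SAMPLE_JPG = b"\xFF\xD8\xFF\xE0" + b"\x00" * 16 + b"\xFF\xD9"
SAMPLE_PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\ntrailer<<>>\n%%EOF"

def make_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:   # fixed timestamp keeps the bytes deterministic
        z.writestr(zipfile.ZipInfo("note.txt", (2020, 1, 1, 0, 0, 0)), "123456789")
    return buf.getvalue()

def build_dump() -> bytes:
    """Junk, then the samples with more junk between them, like a chunk of raw disk."""
    return b"\x13\x37" * 8 + SAMPLE_JPG + b"\x00" * 5 + SAMPLE_PDF + b"junk!!" + make_zip() + b"\xAA" * 4

def zip_members(data: bytes) -> dict:
    """Prove a carved ZIP is intact by reading every member back out of it."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return {name: z.read(name) for name in z.namelist()}
```

Calling `carve(build_dump())` returns the JPEG, PDF and ZIP in offset order, and `zip_members` on the carved ZIP reads its member back. Real JPEGs may embed an EXIF thumbnail with its own FF D9, so a header-to-first-footer carve is a starting point to verify by opening the result, exactly as the post does.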
Where can I find examples to practice on?
The internet contains a vast treasure trove of great examples you can practise your file carving skills on; this includes things like .pcap files, disk images and hex dumps. Here are some of the best places to find examples:
The example I used for this post came from here.
Some other great resources
Here are some other great resources on File carving:
As you can see from the above, File Carving is an extremely useful skill to have, and I think the greatest perk of file carving is that it doesn’t matter what disk image or .pcap file you come across: you have the skills to open it up and extract its files like it’s nobody’s business. I plan on releasing a follow-up post where I run through this example set with some automated tools.
Please let me know if you found this article useful or if you didn’t, and leave a comment below to let me know another area you would be interested in reading posts about. As always, thanks for your continued support!