Data Carving Issues

by Chetan Gupta, NII Consulting

Many a times as an investigator, I have to deal with the issue of carving data from
unallocated spaces in a partition. There are many commercial data carving tools such as Encase, Winhex, Accessdata FTK, DataLifter, ILookInvestigator. Well, I have tried most of these and must say most of them have their share of pros and cons. Encase has the widest range of file types supported and also gives the ability to add more file types (you need to know the header and footer for sure). But if the file system is heavily fragmented, then data carving becomes less effective.
There are three main issues with data carving:

1. Most of the tools would be able to find the header but the footer may not be found in the same or the consecutive cluster. Then, the file would be carved with the minimum file size specified by the investigator. Thus, the carved files may contain some gibberish at the end or may be incomplete and therefore unviewable.

2. The names of the carved files cannot be ascertained as the Master File Table or Superblock (in Linux) are not used during data carving process.
3. As data carving is based on guess work, results may include many false hits and thus data carving may not be as reliable as required. Footer analysis and discarding overlapping file signatures may help reduce this problem.

Depending upon the situation, the investigator can choose his tool for carving. However, he must understand the capabilities of the tool and the file signatures supported by it. in my experience, Encase V5 has the most extensive signature database for carving among all tools. Foremost, Scalpel and Winhex allow you to add custom signatures to the tool which is extremely useful. Sadly, FTKv1.50 doesn’t support adding additional signatures. Not sure, if they have added this capability in the coming versions.

Running foremost is pretty easy under Linux:

# foremost -T -t all -o Output_directory -i input_file
-T — Put unique timestamp in the output directory name
-t — File types to be carved. The file types supported can be tweaked by using the -c option and specifying the configuration file

The syntax of Scalpel is almost similar to that of foremost with minor changes. However, it makes two passes over the unallocated data – the first pass in which it tries to identify the files and the second pass in which it actually carves out the file. My experience with scalpel hasn’t been great as with large files it would stop midway in the second phase throwing up some error.

Two interesting tools of note are filesig and headergrab which are both available here.
From the horse’s mouth:
Filesig Manager is a file signature and keyword management tool, acting as an examiners central repository of File Indentification information.
The information within can be readily exported to the majority of mainstream forensic examination tools. Some of the features to date include:

* Export to Datalifter (Standard and Adv Signatures).
* Export to DiskCat.
* Export to File Extractor Pro.
* Export to Encase version 3 and 4.
* Export to iLook.
* Export to ProDiscover.
* Export to Simple Carver.
* Export to WinHex Forensic.

Header Grab:
Header Grab is a research tool, which allows the user to quickly extract the first eight bytes and last four bytes from every file within the specified folder.
This is interesting as by generating few starting and ending bytes from multiple files of same type, we can identify the actual header and footer for the file type and is very useful in creating your own signature database!

They are available for free download at http://www.filesig.co.uk

For efficient data carving, the tools need to have built-in intelligence to identify the boundaries of a file. If the file is fragmented then it needs to have a mechanism to find the remaining fragment either by a hit and trial method (checking all the remaining clusters for the fragments of the file which may be highly time consuming) or by making intelligent guesses ( Eg checking the next 10 clusters for the remaining fragments of the file first and looking for the specific type of data associated with the file type for eg different segment headers of the file as in a Word Document) and then testing the resultant file.

A significant step towards solving these issues was taken by Digital Forensic Research Workshop (DFRWS) when they organized a data carving challenge available here. The challenge threw up some interesting results and some new tools by various researchers.

Happy data carving!

Author


3 comments

Thanks for this info, i’m doing a project on data carving, i was wondering if u can suggest any good open source tools i can use. Thanks.
Wise

Can you suggest any methodology to recover the traces of wiped data on hard drive..??

thanks for the info, can i know how to do the tools of data carving and its algorithms? thanks

Leave a Reply

Your email address will not be published. Required fields are marked *