Carver

From Digital Forensics Framework

The carver is designed to search for file headers within given data. It can be considered a kind of "blind" search. For example, the carver can be used to search for .jpeg headers on a hard disk drive or on a partition to try to rebuild pictures without using file system data and metadata. Carving can be a slow operation, since the areas to carve can be large: the bigger the area, the longer it takes.


Starting the carver

As for other modules, we will need to select the node we want to carve, right-click on it and select the menu Open with -> Search -> carver-gui. Please note that there is also a carver called carver-ui: this carver can be used from the command line interface, unlike carver-gui, which comes with a graphical interface.

Configuration

The main window of the carver looks like this :

Carver.png

The left part of the window is dedicated to the carver configuration, and the right part to the carver state.

On the left, in the Predefined patterns tab, select the kinds of predefined patterns the carver will search for by checking the corresponding check-boxes. They are grouped by category, and each category contains at least one file format. The categories and their associated file extensions are listed below:

  • mail : idx, ost, dbx, aolmail, mbx, pst
  • pgp : pgp, txt, pgd
  • animation : fws
  • document : doc, htm, txt, wpc, pdf
  • images : art, jpg, gif, bmp, tif, png
  • registery : dat
  • archiver : zip
  • package : rpm
  • audio : wav, ra
  • vm : java
  • videos : mpg, avi, mov

If, for a given type, the footer block aligned check box is checked, the carver will search for data footers only if they are aligned. This can speed up the search, but may hide some results.

The User defined tab allows you to define your own headers or footers so the carver will search for them. An example is given below.

Carver categories.png

Here, we tell the carver that we want to search for files of type sometype whose header and footer are someheader and somefooter respectively.

Carver usr def.png

Once this is done, you just have to click on the Add button.

When you are done with these few configuration steps, you can start the carver by clicking on the Start button. Note that in the Start offset field you can manually specify the offset at which the search should start (0 by default).

While the carver is running, a status bar will be displayed. You can stop the carver during its execution by clicking on the Stop button. The estimated execution time and elapsed time since the carver started will also be displayed so you can have an idea of how much time it will take.

The number of found headers is visible at the bottom of the carver window.

Carver run.png

Results

When the carver is done, a node will be created as a child of the node you carved. This new node is called Carved and contains sub-nodes for each type of header found.

In the example screen-shot on the right, the carved node was Part 3 and we were searching for animation and video headers.

While carving, it is not always possible to retrieve entire files intact. Some files can be broken: this is indicated by a broken file icon.

Broken file.png

If you launch the carver several times on the same node, several Carved directories will be created.

Carver result.png
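
The header/footer search, start offset, aligned-footer option and broken-file flag described on this page, as an added Python sketch that is not DFF's own code. It uses the someheader/somefooter patterns from the user-defined example on a constructed buffer. Assumptions: a 512-byte block size, "aligned" meaning the footer offset is a multiple of that block size, files ending before the next header, and the hypothetical names find_all, carve and sample_image.

```python
BLOCK = 512  # assumed block size for the "aligned" option; the page gives none

def find_all(data, pattern, start=0, end=None, aligned=False):
    """Yield each offset where pattern lies fully inside [start, end)."""
    end = len(data) if end is None else end
    pos = data.find(pattern, start, end)
    while pos != -1:
        if not aligned or pos % BLOCK == 0:
            yield pos
        pos = data.find(pattern, pos + 1, end)

def carve(data, header, footer, start=0, footer_aligned=False, max_size=4096):
    """Blind header/footer search that ignores any file system structure."""
    headers = list(find_all(data, header, start))
    found = []
    for i, off in enumerate(headers):
        # Simplification: a file ends before the next header or after max_size.
        limit = min(len(data), off + max_size)
        if i + 1 < len(headers):
            limit = min(limit, headers[i + 1])
        foot = next(find_all(data, footer, off + len(header), limit, footer_aligned), None)
        broken = foot is None  # header without a usable footer: broken file
        size = (limit if broken else foot + len(footer)) - off
        found.append({"offset": off, "size": size, "broken": broken})
    return found

def sample_image():
    """Constructed 2048-byte buffer, not real evidence data."""
    img = bytearray(2048)
    img[100:150] = b"someheader" + b"A" * 30 + b"somefooter"    # footer at 140
    img[1024:1034] = b"someheader"                              # truncated file
    img[1500:1546] = b"someheader" + b"B" * 26 + b"somefooter"  # footer at 1536
    return bytes(img)

if __name__ == "__main__":
    img = sample_image()
    for aligned in (False, True):
        print("footer_aligned =", aligned)
        for hit in carve(img, b"someheader", b"somefooter", footer_aligned=aligned):
            print("  ", hit)
```

With footer_aligned enabled, the first file's footer at offset 140 is skipped and the file is reported as broken, which is the "hidden result" trade-off mentioned in the Configuration section.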