In-Place File Carving
File carving is the process of recovering files from an investigative target, potentially without knowledge of the filesystem structure. Current-generation file carvers make complete copies of recovered files. Unfortunately, they often produce a large number of false positives — “junk” files with invalid formats that frequently consume large amounts of disk space.
This paper describes an “in-place” approach to file carving, which allows the inspection of recovered files without copying file contents. The approach results in a significant reduction in storage requirements, shorter turnaround times, and opens new opportunities for on-the-spot screening of evidence. Moreover, it can be used to perform in-place carving on local and remote drives.
Keywords: File carving, in-place carving
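The abstract contrasts carvers that copy every candidate out of the target with an in-place approach that only records where each candidate lives and reads it through a view onto the original image. The following Python sketch is an added illustration of that distinction, not code from the paper or from Scalpel or Foremost: it runs a header/footer scan over a constructed byte string standing in for a disk image, keeps one (offset, length) record per candidate, exposes each candidate as a file-like view that reads straight from the image, and screens out a junk candidate by reading only the bytes the check needs. The JPEG SOI/EOI marker choice, the APPn check, the sample image contents and the 64-byte maximum are all constructed assumptions for the demo.

```python
import io
from dataclasses import dataclass
from typing import List

# Constructed demo: one header/footer pair, the standard JPEG SOI (FF D8 FF)
# and EOI (FF D9) markers. Real carvers take such pairs from a config file.
JPEG_HEADER = b"\xff\xd8\xff"
JPEG_FOOTER = b"\xff\xd9"

# Constructed sample "disk image" (stands in for a device or image file):
#   offset 16: a well-formed candidate (APP0 marker after SOI, footer present)
#   offset 38: a junk candidate (header and footer present, but no APPn marker)
#   offset 51: a candidate whose footer never appears (truncated at end of image)
SAMPLE_IMAGE = (
    b"\x00" * 16
    + JPEG_HEADER + b"\xe0" + b"body-one" + JPEG_FOOTER
    + b"\x00" * 8
    + JPEG_HEADER + b"junk" + JPEG_FOOTER
    + b"\x00" * 4
    + JPEG_HEADER + b"\xe1" + b"no-footer-here"
)


@dataclass(frozen=True)
class CarvedEntry:
    """Metadata-only record of a candidate file: where it lives in the image."""
    start: int      # byte offset of the header in the image
    length: int     # bytes from header through footer (or up to max_size)
    complete: bool  # False when no footer was found within max_size


def carve(image: bytes, header: bytes, footer: bytes, max_size: int) -> List[CarvedEntry]:
    """Header/footer carving pass that records locations instead of copying data."""
    entries = []
    pos = image.find(header)
    while pos != -1:
        window_end = min(len(image), pos + max_size)
        foot = image.find(footer, pos + len(header), window_end)
        if foot == -1:
            entries.append(CarvedEntry(pos, window_end - pos, False))
        else:
            entries.append(CarvedEntry(pos, foot + len(footer) - pos, True))
        pos = image.find(header, pos + len(header))
    return entries


class InPlaceFile:
    """Read-only, file-like view onto one carved entry.

    Every read seeks into the underlying image object (a local image file, a
    raw device, or a network block device) and returns bytes from there; no
    separate output file is written for the candidate.
    """

    def __init__(self, image_fp, entry: CarvedEntry):
        self._fp = image_fp
        self._entry = entry
        self._pos = 0  # position relative to the start of the candidate

    def seek(self, offset: int, whence: int = io.SEEK_SET) -> int:
        if whence == io.SEEK_SET:
            new = offset
        elif whence == io.SEEK_CUR:
            new = self._pos + offset
        elif whence == io.SEEK_END:
            new = self._entry.length + offset
        else:
            raise ValueError("unsupported whence")
        self._pos = max(0, min(new, self._entry.length))
        return self._pos

    def tell(self) -> int:
        return self._pos

    def read(self, size: int = -1) -> bytes:
        remaining = self._entry.length - self._pos
        if size < 0 or size > remaining:
            size = remaining
        self._fp.seek(self._entry.start + self._pos)
        data = self._fp.read(size)
        self._pos += len(data)
        return data


def looks_like_jpeg(view: InPlaceFile) -> bool:
    """Cheap format check that touches only the first 4 bytes of the candidate
    (SOI followed by an APPn marker 0xE0..0xEF); assumed rule for the demo."""
    view.seek(0)
    head = view.read(4)
    return len(head) == 4 and head[:3] == JPEG_HEADER and 0xE0 <= head[3] <= 0xEF


def screen(image_fp, entries: List[CarvedEntry]) -> List[CarvedEntry]:
    """Drop junk candidates by validating them through in-place views."""
    return [e for e in entries if looks_like_jpeg(InPlaceFile(image_fp, e))]


def screen_image(image: bytes, entries: List[CarvedEntry]) -> List[CarvedEntry]:
    return screen(io.BytesIO(image), entries)


def read_entry(image: bytes, entry: CarvedEntry) -> bytes:
    """Full contents of one candidate, fetched on demand rather than pre-copied."""
    return InPlaceFile(io.BytesIO(image), entry).read()


def copied_bytes(entries: List[CarvedEntry]) -> int:
    """Output size a copying carver would write: every candidate, junk included."""
    return sum(e.length for e in entries)


if __name__ == "__main__":
    found = carve(SAMPLE_IMAGE, JPEG_HEADER, JPEG_FOOTER, max_size=64)
    kept = screen_image(SAMPLE_IMAGE, found)
    print(f"candidates: {len(found)}, copying carver would write {copied_bytes(found)} bytes")
    print(f"after in-place screening: {[e.start for e in kept]} survive")
```

The point of the sketch is that the `carve` pass produces only `CarvedEntry` records, whose size does not grow with the size of the files they describe, while `copied_bytes` is what a copying carver pays up front for every candidate, junk included. Screening runs against `InPlaceFile` views, so the junk candidate at offset 38 is rejected after reading four bytes and never occupies output storage; the same views would serve a FUSE-style filesystem or a remote block device, since `InPlaceFile` only needs an object with `seek` and `read`.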