In-Place File Carving

  • Golden Richard III
  • Vassil Roussev
  • Lodovico Marziale
Part of the IFIP — The International Federation for Information Processing book series (IFIPAICT, volume 242)

Abstract

File carving is the process of recovering files from an investigative target, potentially without knowledge of the filesystem structure. Current generation file carvers make complete copies of recovered files. Unfortunately, they often produce a large number of false positives — “junk” files with invalid formats that frequently consume large amounts of disk space.

This paper describes an “in-place” approach to file carving, which allows the inspection of recovered files without copying file contents. The approach results in a significant reduction in storage requirements, shorter turnaround times, and opens new opportunities for on-the-spot screening of evidence. Moreover, it can be used to perform in-place carving on local and remote drives.
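
A minimal sketch of the in-place idea described above, added here as an illustration and not taken from the paper or its tools: the carver records (offset, length) extents and serves bytes from the original image on demand instead of writing copies. The JPEG header/footer signatures, the size limit, and the names `carve_extents`, `ExtentView` and `build_sample_image` are assumptions, and the sample image is constructed.

```python
# Constructed signatures for illustration: JPEG start-of-image / end-of-image.
HEADER = b"\xff\xd8\xff"
FOOTER = b"\xff\xd9"
MAX_LEN = 1 << 20  # assumed upper bound on a carved file's size


def carve_extents(image, header=HEADER, footer=FOOTER, max_len=MAX_LEN):
    """Return (offset, length) pairs for header..footer runs; no bytes are copied."""
    extents, pos = [], 0
    while True:
        start = image.find(header, pos)
        if start < 0:
            return extents
        # The footer must lie entirely within max_len bytes of the header.
        end = image.find(footer, start + len(header), start + max_len)
        if end < 0:
            pos = start + 1  # header with no footer in range: not carved
            continue
        extents.append((start, end + len(footer) - start))
        pos = end + len(footer)


class ExtentView:
    """Read-only, file-like window onto one extent of the original image."""

    def __init__(self, image, offset, length):
        self._img, self._off, self._len, self._pos = memoryview(image), offset, length, 0

    def read(self, size=-1):
        remaining = self._len - self._pos
        if size < 0 or size > remaining:
            size = remaining
        begin = self._off + self._pos
        self._pos += size
        return bytes(self._img[begin:begin + size])  # copied only when inspected


def build_sample_image():
    """Constructed 'disk image': two complete JPEG-like runs and one orphan header."""
    jpeg1 = HEADER + b"\xe0" + b"A" * 20 + FOOTER
    jpeg2 = HEADER + b"\xe1" + b"B" * 8 + FOOTER
    orphan = HEADER + b"no footer follows"
    return b"\x00" * 16 + jpeg1 + b"\x11" * 7 + jpeg2 + b"\x22" * 5 + orphan


if __name__ == "__main__":
    img = build_sample_image()
    for off, length in carve_extents(img):
        print(off, length, ExtentView(img, off, length).read(4).hex())
```

The only state kept per candidate file is the extent pair, so a false positive costs a few bytes of metadata rather than a full copy on disk.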

Keywords

File carving, in-place carving

Copyright information

© International Federation for Information Processing 2007

Authors and Affiliations

  • Golden Richard III (1)
  • Vassil Roussev (2)
  • Lodovico Marziale
  1. Electrical Engineering, Air Force Institute of Technology, Wright-Patterson AFB
  2. Computer Science, University of New Orleans, New Orleans