In-place File Carving

August 22, 2007

In-place File Carving, IFIP 2007

Abstract

File carving is the process of recovering files from an investigative target, potentially without knowledge of the file system structures. The process is based on information about the format of the file types of interest, as well as on assumptions about how files are typically laid out on block devices. If the filesystem metadata is used at all, it is typically used only for establishing cluster sizes and avoiding carving of undeleted files (which can be extracted without file carving).

Current generation file carvers make copies of recovered files. Unfortunately, it is common to end up with a large volume of false positives during a file carving operation. These false positives are “junk” files that have invalid formats and can consume a large amount of disk space. In this paper, we present an in-place approach to file carving, which allows inspection of recovered files without actually copying file contents. This results in a significant reduction in storage requirements (even in pathological cases), much shorter turnaround times, and opens up new opportunities to perform on-the-spot screening of evidence. Our system can perform in-place carving on both local and remote drives.
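To illustrate the idea of recording where a carved file lives and validating it in place rather than copying it out, here is an added example (not code from the paper or its system): it scans a constructed disk image for PNG signatures, walks the chunk structure directly inside the image, and emits only metadata, so a junk hit with a bad CRC costs no storage. The image contents and helper names are constructed for this demonstration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def make_png(width, height):
    """Build a minimal valid 8-bit grayscale PNG in memory (constructed test data)."""
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x7f" * width for _ in range(height))
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")

def carve_png_in_place(image, offset):
    """Validate the PNG whose signature starts at offset, reading only chunk headers
    and CRCs from the image. Returns (valid, length); nothing is copied out."""
    pos = offset + len(PNG_SIG)
    while pos + 8 <= len(image):
        length, ctype = struct.unpack(">I4s", image[pos:pos + 8])
        end = pos + 8 + length + 4              # header + data + CRC
        if end > len(image) or not ctype.isalpha():
            return False, 0                     # truncated or malformed chunk
        stored_crc = struct.unpack(">I", image[end - 4:end])[0]
        if zlib.crc32(image[pos + 4:end - 4]) != stored_crc:
            return False, 0                     # junk hit: CRC does not match
        pos = end
        if ctype == b"IEND":
            return True, pos - offset           # well-formed file, length known
    return False, 0

def index_pngs(image):
    """Return carving metadata (offset, length, valid) for every PNG signature found.
    False positives are flagged in the index instead of being written to disk."""
    results, start = [], 0
    while (off := image.find(PNG_SIG, start)) >= 0:
        valid, length = carve_png_in_place(image, off)
        results.append({"offset": off, "length": length, "valid": valid})
        start = off + len(PNG_SIG)
    return results

def build_image():
    """Constructed image: two valid PNGs and one junk signature with a bad IHDR CRC."""
    filler = b"\x00" * 512
    junk = PNG_SIG + b"\x00\x00\x00\x0dIHDR" + b"\xff" * 13 + b"\x00" * 4
    return filler + make_png(4, 2) + filler + junk + filler + make_png(2, 3) + filler
```

A reader who wants the file bytes can later slice the image at the recorded offset and length; the index itself stays a few entries regardless of how many junk signatures the scan hits.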