Abstract
File carving is the process of recovering files from an investigative target, potentially without knowledge of the filesystem structure. Current-generation file carvers make complete copies of recovered files. Unfortunately, they often produce a large number of false positives: “junk” files with invalid formats that frequently consume large amounts of disk space.
This paper describes an “in-place” approach to file carving, which allows the inspection of recovered files without copying file contents. The approach significantly reduces storage requirements, shortens turnaround times, and opens new opportunities for on-the-spot screening of evidence. Moreover, it can be used to perform in-place carving on local and remote drives.
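The idea in the abstract can be illustrated with a short sketch, added here as an example and not taken from the paper: the carver records (offset, length) spans instead of writing file copies, and a candidate is screened through a zero-copy window onto the image. The JPEG header/footer signatures, the JFIF check, the size cap, all function names and the sample image are assumptions constructed for this illustration.

```python
JPEG_HEADER = b"\xff\xd8\xff"   # assumed signature pair for this example
JPEG_FOOTER = b"\xff\xd9"
MAX_SIZE = 10 * 1024 * 1024     # assumed cap on a carved file's size


def carve_index(image, header=JPEG_HEADER, footer=JPEG_FOOTER, max_size=MAX_SIZE):
    """Return [(offset, length)] for each header..footer span; nothing is copied."""
    spans = []
    pos = image.find(header)
    while pos != -1:
        end = image.find(footer, pos + len(header), pos + max_size)
        if end == -1:
            # No footer within the size cap: skip this header and keep scanning.
            pos = image.find(header, pos + 1)
            continue
        stop = end + len(footer)
        spans.append((pos, stop - pos))
        pos = image.find(header, stop)
    return spans


def view(image, span):
    """Zero-copy window onto one carved candidate inside the image."""
    offset, length = span
    return memoryview(image)[offset:offset + length]


def looks_like_jfif(window):
    """Cheap in-place format check: a JFIF JPEG carries 'JFIF' at byte 6."""
    return len(window) >= 11 and window[6:10] == b"JFIF"


def screen(image):
    """Carve in place and flag false positives without writing any file."""
    return [(off, ln, looks_like_jfif(view(image, (off, ln))))
            for off, ln in carve_index(image)]


# Constructed sample image: one plausible JPEG and one "junk" signature hit.
REAL = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 40 + b"\xff\xd9"
JUNK = b"\xff\xd8\xff" + b"B" * 20 + b"\xff\xd9"
SAMPLE = b"\x00" * 512 + REAL + b"\x00" * 100 + JUNK + b"\x00" * 64

if __name__ == "__main__":
    for off, ln, ok in screen(SAMPLE):
        print(f"offset={off} length={ln} valid={ok}")
```

A copying carver would write both candidates to disk before anyone could reject the second; here the only state kept per candidate is one pair of integers.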
Copyright information
© 2007 International Federation for Information Processing
About this paper
Cite this paper
Richard, G., Roussev, V., Marziale, L. (2007). In-Place File Carving. In: Craiger, P., Shenoi, S. (eds) Advances in Digital Forensics III. DigitalForensics 2007. IFIP — The International Federation for Information Processing, vol 242. Springer, New York, NY. https://doi.org/10.1007/978-0-387-73742-3_15
DOI: https://doi.org/10.1007/978-0-387-73742-3_15
Publisher Name: Springer, New York, NY
Print ISBN: 978-0-387-73741-6
Online ISBN: 978-0-387-73742-3
eBook Packages: Computer Science, Computer Science (R0)