| Forensic Functionality: | File Carving |
|---|
| Description: | Searching for and reconstructing files based on content, rather than file system metadata. See http://www.forensicswiki.org/wiki/File_Carving, "The Evolution of File Carving" http://digital-assembly.com/technology/research/pubs/ieee-spm-2009.pdf Pal and Memon and "Carving contiguous and fragmented files with fast object validation" dfrws.org/2007/proceedings/p2-garfinkel.pdf Garfinkel for more information. |
|---|
| Technical Parameters: |
|---|
|
Windows |
graphics (e.g., jpg, png, bmp, gif) |
support for adding/defining custom file types |
support for carving on byte boundaries |
support for header/footer-based carving - carving files using a distinct header and footer |
integrated file viewer/file preview |
|
Linux |
audio (e.g., mp3, wav, au, wma) |
custom file types not supported |
support for carving on sector boundaries |
support for header/maximum size carving - carving files using a distinct header and maximum file size |
no integrated file preview/file viewer |
|
Mac |
video (e.g., mp4, avi, mov, flv) |
|
support for carving on cluster boundaries |
support for file structure-based carving - carving files using a certain level of knowledge of the internal structure of file types |
|
|
|
documents (e.g., doc, xls, ppt, pdf) |
|
|
support for carving fragmented files - two or more fragments are reassembled to form the original file |
|
|
|
archives (e.g., 7z, bz2, zip, tar) |
|
|
support for carving with file type validation - carved files are validated using a file type specific validator |
|
|
|
MIME (e.g., EML, Mbox) |
|
|
|
|
