Wednesday, April 15, 2009

File carving

File carving (aka carving) is defined as "the practice of searching an input for files or other kinds of objects based on content, rather than on metadata... for recovering files and fragments of files". From a digital forensic perspective, the input is either an image of a disk or a packet dump; in both cases the carver relies only on the bytes of the file itself (its header and footer signatures), not on any file-system or protocol bookkeeping.
Foremost is the tool of choice for forensic analysts wanting to recover evidence from disk images. tcpxtract is a tool designed for extracting files from captured network traffic. I installed tcpxtract onto my Ubuntu 8.10 system. I captured the packets of an FTP session where I transferred an image from one host to another. I ran tcpxtract against the pcap file to extract the said transferred image. Voilà!!!
The high res version of this demo can be downloaded here.
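Header/footer carving as the definition above describes it, shown as an added example (not code from foremost or tcpxtract): the signatures are the standard magic bytes for JPEG, PNG and GIF, while the size limits and the sample byte stream (junk, a complete tiny JPEG, a PNG cut off before its trailer) are constructed for illustration.

```python
"""Minimal header/footer carver, in the spirit of foremost/tcpxtract.
It scans an arbitrary byte stream (a disk image or a reassembled TCP
stream) for known signatures and cuts out each match, using the content
alone and ignoring any file-system or protocol metadata."""
import re
from dataclasses import dataclass

# name -> (header regex, footer regex, max carve size). Magic bytes are the
# published ones for each format; the max sizes are assumed values.
SIGNATURES = {
    "jpg": (rb"\xff\xd8\xff", rb"\xff\xd9", 20_000_000),
    "png": (rb"\x89PNG\r\n\x1a\n", rb"IEND\xae\x42\x60\x82", 20_000_000),
    "gif": (rb"GIF8[79]a", rb"\x00\x3b", 5_000_000),
}

@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes
    complete: bool  # False when no footer was found within max size

def carve(stream: bytes) -> list[Carved]:
    """Return every file recovered from `stream`, ordered by offset."""
    found = []
    for kind, (hdr, ftr, max_size) in SIGNATURES.items():
        for m in re.finditer(hdr, stream):
            start, hdr_len = m.start(), len(m.group(0))
            window = stream[start:start + max_size]
            end = re.search(ftr, window[hdr_len:])  # footer after the header
            if end:
                found.append(Carved(kind, start, window[:hdr_len + end.end()], True))
            else:
                # Truncated or fragmented file (e.g. capture cut short):
                # keep what is there up to max size and flag it incomplete.
                found.append(Carved(kind, start, window, False))
    return sorted(found, key=lambda c: c.offset)

# Constructed sample stream: 34 bytes of junk, a tiny JPEG-shaped object,
# some noise, then a PNG whose IEND trailer never arrives.
SAMPLE = (b"\x00" * 16 + b"METADATA-LESS-JUNK"
          + b"\xff\xd8\xff\xe0JFIF-PAYLOAD\xff\xd9"
          + b"noise" + b"\x89PNG\r\n\x1a\nIHDR-TRUNCATED" + b"\x00" * 8)

if __name__ == "__main__":
    for c in carve(SAMPLE):
        print(f"{c.kind} @ {c.offset}: {len(c.data)} bytes, complete={c.complete}")
```

Real carvers also reassemble the TCP stream first and handle files whose header reappears inside them (a JPEG's embedded thumbnail), which this example leaves out.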

