File carving

File carving (aka carving) is defined as "the practice of searching an input for files or other kinds of objects based on content, rather than on metadata... for recovering files and fragments of files". The input from a digital forensic perspective is either an image of a disk or packet dumps.
Foremost is the tool of choice for forensic analyst wanting to recover evidence from disk images. tcpxtract is a tool designed for extracting files from captured network traffic. I installed tcpxtract onto my Ubuntu 8.10 system. I captured the packets of an FTP session where I transferred an image from one host to another. I ran tcpxtract against the pcap file to extract the said transferred image. Viola!!!
The high res version of this demo can be downloaded here.
at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

dnssecaudit.py

Since I was on a roll with Copilot, I decided to automate DNSSEC auditing with the following Python script. Not the most creative tool name....

  • "An error occured in avast! engine: Invalid argument"
    This annoying message popped up after I ran the update in avast! in Ubuntu yesterday. avast! crashes every time I attempt to launch it after...
  • Encrypted mails
    I decided to install a digital certificate for my Gmail account. This is simple and free to set up. Apply for a free certificate from Comod...