File carving

File carving (aka carving) is defined as "the practice of searching an input for files or other kinds of objects based on content, rather than on metadata... for recovering files and fragments of files". The input from a digital forensic perspective is either an image of a disk or packet dumps.
Foremost is the tool of choice for forensic analyst wanting to recover evidence from disk images. tcpxtract is a tool designed for extracting files from captured network traffic. I installed tcpxtract onto my Ubuntu 8.10 system. I captured the packets of an FTP session where I transferred an image from one host to another. I ran tcpxtract against the pcap file to extract the said transferred image. Viola!!!
The high res version of this demo can be downloaded here.
at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

VM for ransomware investigations

 My laundry list of tools/software useful when investigating ransomware cases.   Tor: Obviously need this to access Onion sites. qBittorrent...

  • "An error occured in avast! engine: Invalid argument"
    This annoying message popped up after I ran the update in avast! in Ubuntu yesterday. avast! crashes every time I attempt to launch it after...
  • Zbot
    Downloaded a sample of "Zbot" from Offensive Computing's site . I'm no reverse engineering guru but decided to give it a ...