NASS Digital Forensics Lab

File Carving

This Forensics Lab introduces you to file carving. File carving is an incredibly useful skill to have in the world of digital forensics. It basically means recovering files (data) from a physical storage device after the files have been deleted, the device has been erased, or the device has been damaged. At this point, the data on the device just looks like a sequence of "raw bytes" — meaning a sequence of bytes without any information as to where any file(s) begins or ends in the sequence of bytes.

To carve a file from a block of bytes, you'll need to look for the header (and, depending on the file type, the footer) of the file. For example, the header (in hex) for a PNG file is 89 50 4E 47 and the footer is 49 45 4E 44 AE 42 60 82. Below we have an example of a chunk of unallocated space from a drive. Looking carefully, we spot a PNG header (starting at offset 10) and, following it, a PNG footer (ending at offset 42), so we deduce that a PNG file occupies offsets 10 to 42 (inclusive).

Block of unallocated space from a drive (59 bytes, 16 per row; the decimal offset of each row's first byte is on the left):
    offset  bytes
         0  7E 93 57 6D 51 E9 05 6D FF 67 89 50 4E 47 0D 0A
        16  1A 0A 00 00 00 0D 49 48 44 52 54 78 9C 62 60 01
        32  00 00 00 49 45 4E 44 AE 42 60 82 3D 69 C4 82 81
        48  F0 6F 61 E4 40 4B B4 34 2F 2E BB
    PNG header: offsets 10 to 13 (89 50 4E 47); body: offsets 14 to 34; PNG footer: offsets 35 to 42 (49 45 4E 44 AE 42 60 82).

  Question 1.  

File Carving Activity Starts ...
Navy SEALs have recovered a hard drive from a bad guy's computer. Your job is to find data that will uncover the sinister plot. To do that, you will need to recover deleted files from the raw bytes of the recovered disk image:

  1. To start with, let's review a basic file format. The Joint Photographic Experts Group (JPEG) format gives us files with a .jpg extension. This file type has a very distinctive header and footer.
    • Header in hex: ff d8 ff e0
    • Footer in hex: ff d9
  2. Create a directory on the computer desktop by minimizing all windows, right-clicking, and selecting New -> Folder. Name this folder your first initial and last name.
  3. Save the following file into your newly created directory. To save the file, right-click on: Bad Guys Hard Drive.
  4. Using frhed, open the saved file. Can you see the JPG header in the file anywhere? Not easily!
  5. Press Ctrl-f and search for the header in hex by typing <bh:ff><bh:d8><bh:ff><bh:e0> into the search prompt. The bh prefix tells frhed that the value that follows is a byte given in hex. When the bytes are located, they will all be highlighted in frhed. Do not use uppercase hex characters.
  6. At the bottom of frhed the byte offset is given in both hex and decimal (e.g. offset 245 = 0xf5). The 245 in this example is the offset in decimal; the 0x in front of the f5 simply indicates that this equivalent offset is in hex. In other words, 245 in decimal = f5 in hex. Write down the decimal and hex offsets (the location relative to the start of the file, shown at the bottom left of the frhed window) of the first byte of the header and the last byte of the header on your worksheet.
  7. You can follow the same process for the footer.
    You can specify the search to look up or down from the current cursor location in frhed.
  8. Once you have the header and footer located, i.e. you know their offsets, now it is time to carve (copy) the entire file from the start of the header to the end of the footer. To do this:
    • Select Edit ⇒ Copy, and enter the start and ending offsets for the entire file. If you enter decimal values, just the value is entered. If you want to enter the hex value, you must include the x before the hex value to tell frhed the entered offset is hex.
    • Select File ⇒ New to create a new document.
    • Select Edit ⇒ Paste, choosing the option to Insert (NOT OVERWRITE). Press OK.
    • Choose File ⇒ Save and save as a .jpg file in your forensics directory.
    • Open the file from the file browser to see the image.
  9. Your next task is to carve the other two files from the hard drive. You will use the same file carving technique with your hex editor. In this case, one file is a pdf file and the other file is an audio file of the wav format. The information below should help you on your task.

    Remember, if you need to search for the hex values, use this format: <bh:89><bh:50><bh:4e><bh:47> (which searches for a PNG file - you need to change the hex values for the header or footer you are specifically searching for)

    File format   Header in hex                      Header search string in frhed                          Footer in hex              Footer search string in frhed
    jpg           ff d8 ff e0                        <bh:ff><bh:d8><bh:ff><bh:e0>                           ff d9                      <bh:ff><bh:d9>
    pdf           25 50 44 46 2d 31 2e (%PDF-1.4)    <bh:25><bh:50><bh:44><bh:46><bh:2d><bh:31><bh:2e>      25 25 45 4f 46 (%%EOF)     <bh:25><bh:25><bh:45><bh:4f><bh:46>
    wav           52 49 46 46 (RIFF)                 <bh:52><bh:49><bh:46><bh:46>                           NO FOOTER!                 -

    Some file formats do not have footers. This can be problematic, but humans are often better than computers at solving this problem. In the case of the audio file, for this lab, the wav file continues to the end of the remaining bytes. In a real-life file carving scenario, you would hope to see an obvious change in the information in the file where it ends. You could also try carving out differing amounts of data and checking which result opens correctly, or work backwards from the last byte of the file. However, for this lab, we will tell you that the .wav file encompasses all remaining bytes following the .wav header.
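    The same header/footer search done above by hand in frhed, automated as an added example (this is not code from the lab or its materials). It assumes the signatures from the lab's table (plus the PNG pair from the introduction), applies the lab's rule that the footer-less .wav file runs to the end of the data, and uses the page's own 59-byte block together with a constructed sample image as input.

```python
import sys

# Signatures from the lab's table (PNG pair from the introduction). A footer of
# None means "carve to the end of the data", the lab's rule for the .wav file.
SIGNATURES = {
    "png": (b"\x89PNG", b"IEND\xae\x42\x60\x82"),
    "jpg": (b"\xff\xd8\xff\xe0", b"\xff\xd9"),
    "pdf": (b"%PDF-1.", b"%%EOF"),
    "wav": (b"RIFF", None),
}

def find_all(data, needle):
    """Yield every offset at which needle occurs in data (frhed's Ctrl-f, repeated)."""
    pos = data.find(needle)
    while pos != -1:
        yield pos
        pos = data.find(needle, pos + 1)

def carve(data):
    """Return (ext, start, end, payload) per carvable file; start/end are inclusive decimal offsets as frhed shows them."""
    found = []
    for ext, (header, footer) in SIGNATURES.items():
        for start in find_all(data, header):
            if footer is None:
                end = len(data) - 1          # no footer: take everything that follows
            else:
                pos = data.find(footer, start + len(header))
                if pos == -1:
                    continue                 # header with no footer after it: cannot carve
                end = pos + len(footer) - 1  # last byte of the footer
            found.append((ext, start, end, data[start:end + 1]))
    return sorted(found, key=lambda f: f[1])

# The lab's own 59-byte block of unallocated space, re-typed from the page.
LAB_BLOCK = bytes.fromhex(
    "7E93576D51e9056dff6789504e470d0a1a0a0000000d4948445254789c6260"
    "0100000049454e44ae4260823d69c48281f06f61e4404bb4342f2EBB"
)

# A constructed drive image (not the lab's file): junk, a tiny JPEG-like and
# PDF-like file, then a RIFF file that, as in the lab, runs to the end.
SAMPLE_IMAGE = (b"\x00junk" + b"\xff\xd8\xff\xe0JFIF..\xff\xd9" + b"xx"
                + b"%PDF-1.4 body %%EOF" + b"\x13" + b"RIFF\x00\x00WAVEfmt data")

if __name__ == "__main__":
    # Usage: python carve.py <disk image>   (defaults to SAMPLE_IMAGE)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for ext, start, end, payload in carve(image):
        print(f"{ext}: offsets {start}..{end} ({start:#x}..{end:#x}), {len(payload)} bytes")
```

    Running it on the page's block reports the single PNG at offsets 10 to 42, matching the worked example in the introduction.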