WEBVTT

0:00:09.580000 --> 0:00:12.240000
So let's talk a little bit about file carving.

0:00:12.240000 --> 0:00:18.680000
First question you probably have is, what is file carving exactly?

0:00:18.680000 --> 0:00:25.760000
To put this simply, file carving is the process of extracting files that

0:00:25.760000 --> 0:00:30.740000
are not accessible to the user in an attempt to reassemble them.

0:00:30.740000 --> 0:00:34.140000
Typically this is going to be done to recover files that have been deleted

0:00:34.140000 --> 0:00:36.580000
but not overwritten.

0:00:36.580000 --> 0:00:40.980000
To simplify that even further, it's what it says up here on the screen.

0:00:40.980000 --> 0:00:44.600000
File carving is the process of extracting files that are not accessible

0:00:44.600000 --> 0:00:50.840000
to the user. So why exactly is this necessary?

0:00:50.840000 --> 0:00:56.680000
Well, we can go through this process whenever the file is not available,

0:00:56.680000 --> 0:00:58.760000
again, for some reason.

0:00:58.760000 --> 0:01:03.320000
Either the operating system can't see it, or when you do a forensic extraction

0:01:03.320000 --> 0:01:09.680000
it's been deleted, or maybe the MBR or the file system has been damaged.

0:01:09.680000 --> 0:01:12.140000
So why is file carving necessary?

0:01:12.140000 --> 0:01:16.460000
Well, we can carve out our files whenever that file system cannot provide

0:01:16.460000 --> 0:01:18.980000
access to it natively.

0:01:18.980000 --> 0:01:23.880000
What that means is that, you know, the file may be deleted, but it could

0:01:23.880000 --> 0:01:28.840000
also be that the file system itself could be corrupted, or the disk

0:01:28.840000 --> 0:01:31.000000
might have some damage to it.

0:01:31.000000 --> 0:01:37.680000
So what we're doing when we carve out that file is that we're going to

0:01:37.680000 --> 0:01:43.300000
utilize certain strategies to locate a file and pull the data out of the

0:01:43.300000 --> 0:01:46.920000
file. And those strategies are going to be: we're going to do file header

0:01:46.920000 --> 0:01:51.540000
carving. We're going to carve for the header and the footer, or the footer

0:01:51.540000 --> 0:01:55.800000
of a file, and then we're going to maybe parse through the file structure

0:01:55.800000 --> 0:01:58.940000
and carve out the file through that structure.

0:01:58.940000 --> 0:02:02.580000
Or we're going to look at metadata and see if metadata gives us any clues

0:02:02.580000 --> 0:02:04.480000
as to the file structure.

0:02:04.480000 --> 0:02:09.660000
Now, what we mean, like, when we look at file header: the tool or even the

0:02:09.660000 --> 0:02:17.300000
examiner can sort through the file, the data on the disk, and look for

0:02:17.300000 --> 0:02:22.300000
common bits and bytes that we call file headers.

0:02:22.300000 --> 0:02:27.420000
So that's going to be a unique signature that identifies what type of

0:02:27.420000 --> 0:02:29.920000
file we are looking at for a user.

0:02:29.920000 --> 0:02:32.400000
And then if we're looking for headers and footers, again we're looking

0:02:32.400000 --> 0:02:34.340000
for known structures to files.

0:02:34.340000 --> 0:02:38.260000
We know that a lot of files have a certain type of file header, and then

0:02:38.260000 --> 0:02:42.860000
we have a certain type of byte that signifies the end of the file, which

0:02:42.860000 --> 0:02:44.200000
is the footer of a file.

0:02:44.200000 --> 0:02:47.660000
And so what we will do is we will try and carve out all the data between

0:02:47.660000 --> 0:02:53.680000
the header and between the footer of that file, and then see if we can

0:02:53.680000 --> 0:02:55.980000
extract the data out of the file.

0:02:55.980000 --> 0:02:59.600000
Metadata file carving, in a sense, we're looking at the metadata of the

0:02:59.600000 --> 0:03:03.860000
file, the descriptive information that the file was given upon creation,

0:03:03.860000 --> 0:03:06.520000
and to see if we can pull it out here.

0:03:06.520000 --> 0:03:12.000000
Now there are a few requirements when we are looking at carving files,

0:03:12.000000 --> 0:03:17.040000
and here we go. Where do we have difficulties when we're carving files?

0:03:17.040000 --> 0:03:21.260000
Those difficulties are going to occur when a file is compressed.

0:03:21.260000 --> 0:03:27.780000
It's going to have problems when a file has been overwritten, and sometimes,

0:03:27.780000 --> 0:03:33.800000
especially if the file system is damaged, we're going to have trouble carving

0:03:33.800000 --> 0:03:42.380000
a file if the files are not sitting in consecutive or contiguous clusters.

0:03:42.380000 --> 0:03:49.780000
Even still, you need to think that file carving can be very time consuming

0:03:49.780000 --> 0:03:52.800000
and it may not produce useful evidence.

0:03:52.800000 --> 0:03:57.480000
Luckily, most forensic tools support some degree of automated carving.

0:03:57.480000 --> 0:04:00.800000
The results may not be perfect, but they can get you there and they can

0:04:00.800000 --> 0:04:04.660000
get you to a good start.

0:04:04.660000 --> 0:04:09.100000
Sometimes you can do file carving as a secondary task in our forensic

0:04:09.100000 --> 0:04:14.140000
tools, so you can begin some of your case investigations and looking at

0:04:14.140000 --> 0:04:18.800000
what's going on in the file system as file carving is still happening

0:04:18.800000 --> 0:04:19.640000
in the background.

0:04:19.640000 --> 0:04:25.680000
Do realize that file carving in the background, and file carving

0:04:25.680000 --> 0:04:30.140000
in general, can be very resource intensive on your system.