
So I'm very new to info sec overall, but I would say I am least experienced in digital forensics. Anyway, I recently had the opportunity to work with professionals and we did manual file carving.

This was all fine and I could pull regular JPG images out of hex easily and quickly. However, I have only once been able to successfully pull out a JPG that contains EXIF data. I'm wondering if anyone has any tips and tricks for manually file carving these types of files (will also accept tips on Scalpel), as I am so fascinated by digital forensics and want to learn so much more.

Thanks in advance!

Glegan
  • There's no special trick I know of; just carve them the same way you would any JPEG. Look for both the header and the footer to try to make sure you have as much of the file as possible. For recently created/deleted files there should be no issue and the EXIF data should be easy to recover. For long-ago deleted files there's more of a chance that some once-allocated cluster got overwritten. – hft Aug 03 '18 at 00:45
  • This was useful, thanks. I must just have multiple JPGs from different drives where data has been written over parts of them. Thanks – Glegan Aug 03 '18 at 07:01

2 Answers


File Carving Tools: There are several paid and free forensics tools available. For instance, Autopsy is an open source digital forensic tool and it does a pretty good job at file carving. It has different types of viewers built in, like text view, strings view, hex view and metadata view. You can also perform keyword searches (check their official website for the detailed list of features/options available).

There are two other choices available for image carving. The first is the open source photorec. The second is the commercial tool Adroit Photo Forensics. Adroit will recover files that are fragmented and does a better job eliminating false positives, but it is pricey. In all likelihood you'll be fine with photorec.

Carving with Scalpel: This type of carving requires an in-depth understanding of file types and their behaviour. For example, a PDF file starts with %PDF and ends with %EOF, while a JPEG image file begins with 0xFFD8 and ends with 0xFFD9. With this information, you can configure Scalpel to extract JPG/PDF files.

Atlas_Gondal
  • Thanks for the info on Adroit and photorec. I'd used Autopsy and Scalpel before, but I think it's useful to be able to do it manually. – Glegan Aug 03 '18 at 06:59

If you are looking to manually carve files then you will have to look at them in hex and be vigilant for the headers and footers of the files. The header is always FF D8 FF, which signifies the start of a JPG file, and the footer is FF D9, which marks the end of the file.

It is common for people to use a technique called steganography, which involves hiding one type of file inside another; e.g. hiding secret messages in JPG/PNG files is quite common. But if you know to look for the headers and footers of the files, then you will be able to differentiate between them.

If you would like some more information on this, I actually wrote a couple of papers in college that deal with forensics and manually going through a file system (NTFS/FAT) to extract files. If they are of any use to you, they can be found here.

If you have any questions about this leave a comment and I'll edit this response to answer your questions.

Connor J
  • Thanks for your answer. I've had lots of success with other files and had also extracted lots of different files from systems previously, some of which included steganography. It was only JPGs with EXIF data I was having trouble with. Thanks for the link to the papers. More info on different methods is always useful. – Glegan Aug 03 '18 at 06:57
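Both answers describe the same header/footer rule (FF D8 FF to FF D9, or the 0xFFD8/0xFFD9 pair Scalpel would be configured with). The script below is an added example, not code from the question, either answer, or any tool mentioned: it carves JPEG candidates from a raw byte buffer using that rule, but instead of stopping at the first FF D9 it first walks the JPEG marker segments. That matters for the EXIF case the question is about: a camera's APP1 "Exif" segment often embeds a thumbnail that is itself a complete JPEG with its own FF D9, so a naive header-to-first-footer carve cuts the file short and yields a broken image. The segment walk also reports when a file's headers or tail are damaged (the overwritten-cluster case hft mentions). All function names are my own, and the "disk image" is constructed inline from minimal, structurally valid but non-decodable JPEG streams.

```python
"""Added example: header/footer JPEG carving that walks marker segments so an
Exif APP1 block (possibly holding a thumbnail JPEG) does not end the carve early."""
import struct

SOI = b"\xff\xd8\xff"  # header both answers look for: FF D8 FF
EOI = b"\xff\xd9"      # footer: FF D9


def _segment(marker: int, payload: bytes) -> bytes:
    """One JPEG marker segment: FF <marker> <2-byte length incl. itself> <payload>."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg(exif: bool, thumbnail: bytes = b"") -> bytes:
    """Constructed minimal JPEG stream (valid marker chain, not a real picture).
    exif=True puts an APP1 'Exif' segment first, where cameras write it."""
    if exif:
        first = _segment(0xE1, b"Exif\x00\x00" + b"II*\x00\x08\x00\x00\x00" + thumbnail)
    else:
        first = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    return (b"\xff\xd8" + first
            + _segment(0xDB, bytes(65))                                # DQT placeholder
            + _segment(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")  # SOF0, 16x16 grey
            + _segment(0xC4, bytes(17))                                # DHT placeholder
            + _segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")              # SOS header
            + b"\x12\x34\xff\x00\x56\x78"  # entropy data; a data FF is stuffed as FF 00
            + EOI)


def walk_segments(data: bytes, start: int):
    """Walk the marker chain from the SOI at `start`.
    Returns (has_exif, scan_start), scan_start being the first entropy-coded byte
    after SOS, or None when the chain is malformed (e.g. headers overwritten)."""
    if data[start:start + 2] != b"\xff\xd8":
        return None
    pos, has_exif = start + 2, False
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None                        # expected a marker, found data
        marker = data[pos + 1]
        if marker == 0xFF:                     # fill byte before a marker
            pos += 1
            continue
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:   # standalone markers, no length
            pos += 2
            continue
        if marker == 0xD9:                     # EOI before any scan: broken stream
            return None
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            return None
        if marker == 0xE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            has_exif = True                    # thumbnail inside is skipped by the length
        pos += 2 + length
        if marker == 0xDA:                     # SOS: entropy-coded data follows
            return has_exif, pos
    return None


def carve_jpegs(data: bytes, max_size: int = 8 * 1024 * 1024):
    """One dict per candidate: offset, size, complete, exif (None if headers damaged).
    complete=False means no FF D9 was reached before the next header or max_size,
    so the carve is a best-effort fragment (tail cluster overwritten)."""
    found, pos = [], 0
    while (start := data.find(SOI, pos)) != -1:
        walked = walk_segments(data, start)
        limit = min(len(data), start + max_size)
        has_exif, scan_from = (None, start + 3) if walked is None else walked
        end = data.find(EOI, scan_from, limit)
        next_soi = data.find(SOI, scan_from, limit)
        if end != -1 and (next_soi == -1 or end < next_soi):
            stop, complete = end + 2, walked is not None
        else:
            stop, complete = (next_soi if next_soi != -1 else limit), False
        found.append(dict(offset=start, size=stop - start, complete=complete, exif=has_exif))
        pos = stop
    return found


def demo():
    """Constructed 'disk image': filler, a JFIF JPEG, an Exif JPEG carrying a JFIF
    thumbnail, and an Exif JPEG whose entropy data and FF D9 were zeroed over."""
    jfif = build_sample_jpeg(exif=False)
    exif_with_thumb = build_sample_jpeg(exif=True, thumbnail=jfif)
    overwritten = build_sample_jpeg(exif=True)[:-8] + bytes(64)   # EOI gone
    image = bytes(32) + jfif + bytes(16) + exif_with_thumb + bytes(16) + overwritten + bytes(32)
    return image, carve_jpegs(image)


if __name__ == "__main__":
    _, hits = demo()
    for h in hits:
        print(f"offset={h['offset']:>4} size={h['size']:>4} complete={h['complete']} exif={h['exif']}")
```

Run against a real image file you would replace `demo()`'s buffer with the bytes read from the image. On the constructed buffer the second hit (the Exif file) carves to its full 282 bytes, whereas searching for the first FF D9 after its header stops at the thumbnail's footer 161 bytes in, which is the kind of cut-short file that will not open; the third hit comes back with `complete=False` because its footer was overwritten.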