IT 4100 : Forensics


Dr Joe Francom


Comprises 4 things:


Capture information (collection)

Plenty of free images to analyze at, or we can create our own

Grab Mine


What is data carving?

Data carving is a data recovery search technique. It allows data with no file system allocation information to be recovered by identifying the clusters and sectors belonging to the file. Data carving searches through the raw sectors looking for specific desired file signatures. Having no allocation information means that the investigator must specify a block size of data to carve out when a matching file signature is located. Given this, the beginning of the file is still present and there is a risk of numerous false hits. Data carving also requires that the recovered files be located in sequential sectors, as there is no allocation information to point to fragmented file portions. This method can be time and resource intensive. -ref

Tools to data carve

How does it work?

If we don’t have the signature, we can’t get it.
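A minimal carver that follows the description above, added here as an illustration and not taken from the course material or from any carving tool. The function names, the sector-aligned scan, and the sample image (built in memory, including the made-up `XFMT` format) are assumptions of this example.

```python
SECTOR = 512

# Header/footer magic bytes. A footer of None means the end of the file is
# unknown, so the carver falls back to a fixed block size.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", None),
}

def carve(image, signatures=SIGNATURES, block_size=4 * SECTOR):
    """Scan raw sectors for known headers; return (offset, kind, data) hits."""
    hits = []
    for off in range(0, len(image), SECTOR):
        for kind, (header, footer) in signatures.items():
            if not image.startswith(header, off):
                continue
            end = -1
            if footer is not None:
                # Only look for the footer inside the carve window.
                end = image.find(footer, off + len(header), off + block_size)
            if end != -1:
                data = image[off:end + len(footer)]
            else:
                # No footer known or found: carve the investigator's block
                # size, which may include slack or unrelated data.
                data = image[off:off + block_size]
            hits.append((off, kind, data))
    return hits

def pad(data):
    """Pad a file with zeros up to a whole number of sectors."""
    return data + b"\x00" * (-len(data) % SECTOR)

def build_sample_image():
    """Constructed raw image: no file system, files stored contiguously."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 700 + b"\xff\xd9"
    unknown = b"XFMT" + b"U" * 400  # made-up format with no signature entry
    pdf = b"%PDF-1.4\n" + b"P" * 300
    empty = b"\x00" * SECTOR
    return empty + pad(jpg) + pad(unknown) + pad(pdf) + empty * 3

if __name__ == "__main__":
    for offset, kind, data in carve(build_sample_image()):
        print(f"{kind} at byte offset {offset}, carved {len(data)} bytes")
```

The JPEG is recovered exactly because its footer is found, the PDF is over-carved to the full block size, and the `XFMT` file is never found because no signature describes it.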

Anti-forensics tools