Abstract
File or data carving is a term used in the field of Cyber forensics. Cyber forensics is the process of acquisition, authentication, analysis and documentation of evidence extracted from and/or contained in a computer system, computer network and digital media. Extracting data (file) out of undifferentiated blocks (raw data) is called as carving. Identifying and recovering files based on analysis of file formats is known as file carving. In Cyber Forensics, carving is a helpful technique in finding hidden or deleted files from digital media. A file can be hidden in areas like lost clusters, unallocated clusters and slack space of the disk or digital media. To use this method of extraction, a file should have a standard file signature called a file header (start of the file). A search is performed to locate the file header and continued until the file footer (end of the file) is reached. The data between these two points will be extracted and analyzed to validate the file. The extraction algorithm uses different methods of carving depending on the file formats.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Statistical Disk Cluster Classification for File Carving, Cor J. Veenman. Intelligent System Lab, Computer Science Institute, University of Amsterdam, Amsterdam
Richard, G.G., Roussev, V.: Next-generation digital forensics. Communications of the ACM 49(2), 76–80 (2006)
Boyer, R.S., Moore, J.S.: A Fast String Searching Algorithm. Communications of the Association for Computing Machinery 20(10), 762–772 (1977)
Hamilton, E.: JPEG File Interchange Format, Version1.02.1 (September 1992)
Joint Photographic Experts Group, JPEG 2000 Specification (2004), http://www.jpeg.org/jpeg2000/ (last visited February 2009)
Adobe Systems Incorporated, Portable Document Format Reference Manual Version 1.3 (March 11, 1999)
Naval Postgraduate School Thesis, Monterey, California, Nicholas Mikus (March 2005)
Digital Imaging Group, DIG2000 file format proposal, Appendix A (October 1998)
PKWARE Inc. ZIP File Format Specification Version: 6.2.0 (June 2004)
CompuServe Incorporated, Graphics Interchange Format(sm) (July 1990)
http://www.ntchosting.com/multimedia/gif-graphics-interchange-format.html (June 2009)
Sun Microsystems. OpenOffice, http://www.openoffice.org/ (last Visited December 2009)
Wouters, W.: BMP Format (February 1997)
http://www.forensicswiki.org (last visited: March 2010)
http://www.webopedia.com (last visited: March 2010)
http://www.pkware.com/documents/casestudies/ (last visited: January 2010)
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Povar, D., Bhadran, V.K. (2011). Forensic Data Carving. In: Baggili, I. (eds) Digital Forensics and Cyber Crime. ICDF2C 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 53. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-19513-6_12
Download citation
DOI: https://doi.org/10.1007/978-3-642-19513-6_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-19512-9
Online ISBN: 978-3-642-19513-6
eBook Packages: Computer ScienceComputer Science (R0)