1. Explain what a file signature and a file header are.
File signature: A file signature, or magic number, is a uniquely identifying number
present at the beginning of a file. In other words, every file type requires a unique signature in
order for the system to recognise the file and show it to the end user. These numbers
identify the type of file by giving information about the data contained in the
file.
File header: A file header gives a small amount of information about the file at the
beginning of the file. It varies between file formats, but headers generally specify the
attributes of the file. For example, a JPEG file header consists of the image format, color profile,
etc.
2. Explain what Data Carving is and describe Data Carving techniques.
Data Carving: Data carving, also known as file carving, is a computer forensic
technique used to extract data from a disk drive or any other storage device without the help
of the file system that originally created the file. It is used to
recover files from unallocated space without knowing any information about the file, and is used
in forensic investigation.
Data carving techniques:
Block-Based Carving: A method that analyzes the input data block by block to determine
whether each block is possibly part of a possible output file.
Statistical Carving: A method that analyzes the input data for a characteristic or statistic to
determine whether it is part of a possible output file.
Header/Footer Carving: A method for carving files from raw data using a distinct
header and a distinct footer.
Header/Maximum size Carving: A method that uses a distinct header and a maximum size to
extract files from raw data. This approach works because many file formats do not care about
additional junk at the end of the file.
Carving with Validation: A method for carving files from raw data in which each
file is validated using a file-type-specific validator.
Fragment Recovery Carving: A method in which two or more fragments are
reassembled to form the original file or object.
Repackaging Carving: A method in which extra data is added to the carved data, such as new headers,
footers, or other information, so that it can be viewed with standard utilities.
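The sketch below is an added example, not part of the original answers: it combines Header/Maximum size Carving with Carving with Validation for BMP files, using the "BM" signature at offset 0 and the little-endian 32-bit file size stored at offset 2. The sample image, the function names and the 16 MiB limit are constructed for this example.

```python
import struct

BMP_MAGIC = b"BM"                  # file signature at offset 0
DIB_SIZES = (12, 40, 52, 56, 64, 108, 124)   # known DIB header lengths
MAX_SIZE = 16 * 1024 * 1024        # assumed carving limit, not from the page


def build_bmp(width, height):
    """Build a minimal 24-bit BMP; constructed sample data only."""
    pixels = bytes(((width * 3 + 3) & ~3) * height)   # rows padded to 4 bytes
    size = 14 + 40 + len(pixels)
    file_hdr = struct.pack("<2sIHHI", BMP_MAGIC, size, 0, 0, 54)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24,
                          0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + pixels


def sample_image():
    """Constructed raw image: junk, a false 'BM' hit, then two BMPs."""
    bmp = build_bmp(4, 4)
    return (b"\x00" * 100 + b"BMxxjunk-not-a-bitmap" + b"\xff" * 35
            + bmp + b"\xee" * 64 + bmp)


def size_field_hex(data):
    """Hex of the 4 size bytes at offset 2, in on-disk (little-endian) order."""
    return data[2:6].hex()


def carve_bmps(raw, max_size=MAX_SIZE):
    """Return (offset, data) for every BMP in raw that passes validation."""
    found = []
    pos = raw.find(BMP_MAGIC)
    while pos != -1:
        step = 1                   # default: resume one byte after a false hit
        hdr = raw[pos:pos + 18]
        if len(hdr) == 18:
            _, size, res1, res2, data_off, dib = struct.unpack("<2sIHHII", hdr)
            if (res1 == 0 and res2 == 0 and dib in DIB_SIZES
                    and 14 + dib <= data_off < size <= max_size
                    and pos + size <= len(raw)):
                found.append((pos, raw[pos:pos + size]))
                step = size        # skip past the carved file
        pos = raw.find(BMP_MAGIC, pos + step)
    return found


if __name__ == "__main__":
    print([(o, len(d), size_field_hex(d)) for o, d in carve_bmps(sample_image())])
```

The validator rejects the bare "BM" string because its reserved fields are non-zero, and rejects a truncated file because the size in the header runs past the end of the raw data.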
3. Import two dd image files extracted from bz2 files into Autopsy and run ‘Ingest
Module’ on ‘PhotoRec Carver.’
a) List all carved files from each dd image file.
b) Choose a carved file from both dd images that has the same extension and file size.
Show the header value indicating file size in hex.
c) Do you think that these 2 files are originally the same or not? Why?
By checking all the information, like the hex values and strings of the images, I came
to the conclusion that they are originally the same, as both files have the same file signature (offset 0 –
424D and shows BM in description), the same file size (offset 2- 004E0062 in hex value) and also
the image data, which is the same for both files. From the above information I can conclude that
both files are originally the same, but image file L2_Graphic dd has been modified as ther
4. Using TrID, find each extension of all files extracted from 'unnamed.zip.'