File Carving

9to5cynic

Android Expert
Hey all, I figured this is the most 'right' place for this topic, if I'm wrong please move it to the proper place.

Okay, I'm in a forensics class, and we are starting file carving. For those not in the know, we are using a hex editor to find the header and footer of specific file types within an image of a floppy disk.

My problem comes with the first task, we have to manually find the headers and footers by comparing several files of different types.

Does anyone have tips for this? I am going through five or so files (dll for example) and they all have so many in common. Going through this is taking some time, and I gotta finish this before I can look into the dump of the floppy.


The instructor said that headers and footers are usually the first and last 2-20 bytes, but I'm getting matches well past that. So I really don't know if say, the header should be ending after 6 bytes, or 26.


Any tips or help would be greatly appreciated.
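For readers following along, here is what the "find the header, find the footer, cut out everything in between" step looks like once the signatures are known. This is an added example, not code from the thread or from the course; the disk image and the two embedded files are constructed inline (the JPEG and GIF markers are real, the file contents are made up), and `SIGNATURES`, `carve` and `carve_all` are names chosen for this example.

```python
"""Carve files out of a raw image by header/footer signature.

Added example for this thread. The image is constructed below so the
script runs offline; the signature bytes for JPEG and GIF are the real ones.
"""
import os

# (label, header, footer, maximum size to search for the footer).
# Capping the search is what keeps a header with no footer from swallowing
# everything up to the next unrelated footer megabytes later.
SIGNATURES = [
    ("jpg", b"\xff\xd8\xff", b"\xff\xd9", 10 * 1024 * 1024),
    ("gif", b"GIF8", b"\x00\x3b", 10 * 1024 * 1024),
]


def carve(image, header, footer, max_size):
    """Return [(offset, data), ...] for every header..footer span in image.

    Scans sequentially and resumes after each carved footer, so fragments of
    a file already recovered are not carved again. A header whose footer is
    not found within max_size is skipped (one byte forward) rather than
    producing an oversized false positive.
    """
    found = []
    pos = 0
    while True:
        start = image.find(header, pos)
        if start < 0:
            break
        limit = min(len(image), start + max_size)
        # The footer must begin after the header, not overlap it.
        end = image.find(footer, start + len(header), limit)
        if end < 0:
            pos = start + 1          # orphan header: no footer in range
            continue
        end += len(footer)
        found.append((start, image[start:end]))
        pos = end
    return found


def carve_all(image, signatures=SIGNATURES):
    """Run every signature over the image; returns {label: [(offset, data)]}."""
    return {label: carve(image, h, f, m) for label, h, f, m in signatures}


def save_carved(results, outdir):
    """Write each carved file as <outdir>/<offset>.<label> (optional step)."""
    os.makedirs(outdir, exist_ok=True)
    for label, items in results.items():
        for offset, data in items:
            with open(os.path.join(outdir, f"{offset}.{label}"), "wb") as fh:
                fh.write(data)


# Constructed "floppy image": zero filler, two JPEGs, one GIF and a truncated
# JPEG header at the very end with no footer after it.
FILLER = b"\x00" * 16
JPEG1 = b"\xff\xd8\xff\xe0" + b"JFIF body one" + b"\xff\xd9"
GIF1 = b"GIF89a" + b"\x10\x00\x10\x00" + b"pixels" + b"\x00\x3b"
JPEG2 = b"\xff\xd8\xff\xe1" + b"Exif body two" + b"\xff\xd9"
ORPHAN = b"\xff\xd8\xff" + b"cut"
IMAGE = FILLER + JPEG1 + FILLER + GIF1 + FILLER + JPEG2 + FILLER + ORPHAN


if __name__ == "__main__":
    for label, items in carve_all(IMAGE).items():
        for offset, data in items:
            print(f"{label} at offset {offset}: {len(data)} bytes")
```

Against `IMAGE` this reports two JPEGs (offsets 16 and 85) and one GIF (offset 51); the dangling header at offset 120 is ignored because no footer follows it. To carve a real image, replace `IMAGE` with `open("floppy.dd", "rb").read()`.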
 

9to5cynic

Android Expert
Thread starter
Yeah, we can use whatever program we want, but what I am really looking for is a method of finding these headers and footers manually (might be on a test or something).

I am looking into various linux hex editors right now, tried ghex, but it doesn't have a select range as far as I see, something that would be incredibly helpful for file carving. Anyone have ideas?

(EDIT: Started using hexedit, it's a command line hex editor. Very nice. It has all the features I'm looking for as far as carving goes...)
Still wondering about any tips for finding the headers and footers.
 

9to5cynic

Android Expert
Thread starter
Thanks, checking out those links. I'll just have to wait and see what the instructor says about these file footers. I know I could just google them, and be done with it, but I'd really like to actually do the assignment. (lame)
 

johnlgalt

Antidisestablishmentarian
Here's my take - I Google for information that will help me to better understand the problem - not information that is the answer.

It works much better in the long run - you look up the needed info and then do your work.

If you don't know, for example, that a certain file always has the footer
%------#%%$@bbg
(imaginary example) then how the hell are you going to look for it? So, it's not a justification, it's a matter of fact and a matter of life. People are going online all the time to get info to make better informed decisions - credit reports, health related facts, entertainment choices, shopping advice, etc. - why should this be any different?
 

9to5cynic

Android Expert
Thread starter
Well, we are getting an excel sheet with all the info on it eventually, but the instructor wants us to open several files in a hex editor and analyze them manually. Headers are easier, but I swear I have forty bytes match for the footer, no idea where it starts.

I agree, google for help, not the answer is the way to go.
 

johnlgalt

Antidisestablishmentarian
Ahhh. I see now, you're almost in a pre-test situation, in which you have to see if you can figure out the headers and footers locations / beginning points on your own before receiving the info in the spreadsheet....

Were the types of files specified for you, or are you flying blind?
 

9to5cynic

Android Expert
Thread starter
Nahh.. we have the excel sheet (which was half finished by the instructor) with about 20 files and the homework which has 15 total files, some are repeats though.

I just did the WMV file, and I got 3026b2758e66cf11a6d900aa0062ce6c, but I looked it up online and the website I checked said it stops at 3026b275 or so....

I have no idea how to know where the header stops and the rest of the file begins. I guess I'll figure that out next class lol.
 

johnlgalt

Antidisestablishmentarian
If you looked at 5 different WMV files then you'd have a basis to compare - the common parts would be the header and the place (position) where it changes would be the beginning of the next part...

Same for every other file....

at least, in theory this should hold true....
 

9to5cynic

Android Expert
Thread starter
Yeah, I had five or so files loaded up....

Perhaps I need a more 'random' selection for files. Picking files from the same source might be causing this added... headache? lol.
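The comparison johnlgalt describes (the bytes all samples share are the header, the first position where they diverge is where the file body starts), and the effect of picking samples from one source, can be shown in a few lines. This is an added example, not code from the thread; the sample files are constructed GIF-like byte strings (real "GIF89a" signature, then a two-byte width and height as in the real format, then made-up pixel data), and `common_prefix`, `common_suffix` and `load_samples` are names chosen here.

```python
"""Derive header/footer candidates by comparing several files of one type.

Added example for this thread. Samples are constructed inline; only the
first and last bytes of each file matter, which is why load_samples()
reads a window from each end instead of whole files.
"""
import os


def common_prefix(samples):
    """Longest byte string that every sample starts with."""
    if not samples:
        return b""
    first = samples[0]
    n = len(first)
    for s in samples[1:]:
        n = min(n, len(s))
        for i in range(n):
            if first[i] != s[i]:
                n = i
                break
    return first[:n]


def common_suffix(samples):
    """Longest byte string that every sample ends with (reverse and reuse)."""
    return common_prefix([s[::-1] for s in samples])[::-1]


def load_samples(paths, window=64):
    """Return (heads, tails): the first and last `window` bytes of each file."""
    heads, tails = [], []
    for p in paths:
        size = os.path.getsize(p)
        with open(p, "rb") as fh:
            heads.append(fh.read(window))
            fh.seek(max(0, size - window))
            tails.append(fh.read(window))
    return heads, tails


def gif_like(width, height, body):
    """Constructed GIF-shaped sample: signature, 16-bit LE size, body, trailer."""
    return (b"GIF89a" + width.to_bytes(2, "little")
            + height.to_bytes(2, "little") + body + b"\x3b")


# Five files all exported at 640x480: the size fields match too, so the
# "header" looks ten bytes long instead of six.
SAME_SOURCE = [
    gif_like(640, 480, b"\x00\x11\x22"),
    gif_like(640, 480, b"\x01\x33"),
    gif_like(640, 480, b"\x02\x44\x55\x66"),
]

# A more varied set: the size fields differ, and the shared prefix shrinks to
# the real signature.
MIXED = [
    gif_like(640, 480, b"\x00\x11\x22"),
    gif_like(100, 100, b"\x01\x33"),
    gif_like(1, 1, b"\x02\x44\x55\x66"),
]


if __name__ == "__main__":
    for name, group in (("same source", SAME_SOURCE), ("mixed", MIXED)):
        print(name, "header:", common_prefix(group).hex(),
              "footer:", common_suffix(group).hex())
```

With files from one exporter the shared prefix is `474946383961 8002 e001` (ten bytes: signature plus identical dimensions); with the mixed set it drops to `474946383961`, the six-byte `GIF89a` signature. The footer comes out as the single trailer byte `3b` either way, which is also why carvers pair it with the preceding block terminator rather than rely on one byte alone. Point `load_samples` at real files and feed the returned lists to the same two functions.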
 

johnlgalt

Antidisestablishmentarian
I was just about to suggest that as well. A good way to do it would be to make your own files as well for reference....
 

9to5cynic

Android Expert
Thread starter
Cool, I'll look into that. I'm always down for 'free' things ;)

I hope those quotes don't make this look suspicious ... lol
 

alostpacket

Over Macho Grande?
Use a knife with a serrated edge and simmer in olive oil for ten minutes prior to carving, then just a dash of thyme and serve. Goes best with white wine rather than red.
 