Forensic Data Carving Manual Methods | Investigator's Manual 2018

Manual Data Extraction Methods - Forensic Data Carving

Introduction

Several factors are at play in digital forensic practice. The primary step is the acquisition of data. Data acquisition
is the key to solving any investigation, because the evidence it contains can prove or disprove the theory of the case.
The next step is to extract the data from the acquired disk image. Anyone can extract and report findings from an image
using software tools, but there is a difference between simple extraction and forensic extraction. Digital forensic
extraction goes far beyond simple extraction. It matters because every step we take online leaves a footprint, and once
uncovered, these footprints can be used as evidence in court. In forensics, all evidence is examined from every possible
perspective that might be critical to proving or disproving the case, and whatever relevant data is present is
recovered. A forensic investigator extracts and recovers data from all of these locations on a computer:
    • File system, data layer and metadata layer, including system files and system logs
    • Slack space
    • Unallocated space
    • In-depth file system analysis
    • Carving files from raw images using file headers

Scope

Forensic data extraction goes beyond simple data extraction and reporting. We need to look at all the factors in
forensic data extraction that are essential to reaching a final conclusion in the case. This document examines the
manual method of data extraction using FTK Imager. The information below explains the procedure and the steps taken to
extract and explore the sample data.

Summary

    • In forensics, data extraction is the process in which data from the suspect device is parsed and analyzed to
      retrieve the relevant information needed to prove or disprove a case.
    • The forensic data extraction technique should be chosen according to the wide variety of devices in use today.
    • FTK Imager is used for the manual extraction of the sample data.
    • In this document we recover a file of known extension by its header and footer signatures, which is called
      carving in forensics.
    • The document shows in detail what to recover and how to recover it from the acquired disk image.
    • A file with the .PNG extension is used as the example for the step-by-step carving process.
    • The acquired disk image has an NTFS file system.

Detailed Explanation

In simple words, digital forensics is the process of acquiring, preserving, analyzing and reporting digital artifacts in
support of legal proceedings. The first step is the acquisition of the data; after that, one of the early steps in data
extraction is the recovery of files that have been deleted from the disk. On a drive, such recovery is readily
achievable soon after the deletion. When a file is deleted, the space it occupied is de-allocated: the system marks that
location as available, but no actual destruction of the file's content takes place. The file remains on the disk and can
be recovered with the right process.
For example, suppose an HDD has been in use for some period and has then been formatted (e.g., by someone attempting to
destroy evidence). The format command creates a set of data structures corresponding to an empty file system, so the
normal file system interface will show that no files are present on the disk. Nonetheless, only the file system metadata
has been overwritten to indicate an empty volume; the data sectors still contain the files.

Data Carving

The process of restoring such artifacts is known as carving. More generally, data carving is the process of
reconstructing logical objects (such as files, database records and other data structures) directly from a bulk data
capture (such as a disk or RAM image) without the use of metadata describing the location and layout of the artifacts.
File carving is the most common and the oldest method used in data extraction. It is based on two simple observations:
First, every file has a header and a footer signature. This signature is a sequence of hex values, also called the magic
number of the file. For example, a .PNG file has the header signature 89 50 4E 47 and the footer signature
49 45 4E 44 AE 42 60 82. Second, most file systems use a sequential file layout for better performance, meaning that a
file's content is stored contiguously in the file system. With the help of these two observations we can carve a file
in just three steps:
    1. Scan the data until the known header we are looking for is found.
    2. Scan the data until the known footer is found.
    3. Copy the data between the header and footer offsets as the recovered artifact.
Data carving can be split into two tasks: data extraction, the identification of the chunks of content to be examined
(such as disk blocks, file content and unallocated blocks), and artifact reconstruction, the reassembly of the recovered
data to reach a conclusive result. We may encounter four possible cases during file carving:

No Fragmentation

This is the typical case, in which we recover the complete content of the file in a sequential layout, since modern
file systems take extra effort to ensure a sequential layout for optimal throughput.
Figure 1: Contiguous file content

Nested Content

This case mostly occurs due to deletion. After the initial sequential, back-to-back layout of the files, the content
before and after file B is deleted and replaced by the content of file A.
Figure 2: Nested file content

Bi-fragmented Files

These are files split into two contiguous parts with other content in between. If the content in between is easily
distinguished from the content of the file, it becomes easy to recover the file we are looking for.
Figure 3: Bi-fragmented file content

Interleaved Content

This is a more complicated version of nesting, with nesting across multiple files. It happens when larger files are used
to fill the gaps created by the deletion of smaller ones.
Figure 4: Interleaved file content

Creating Sample Data

After understanding the background of the data extraction process via the carving method, let's move on to the steps
involved. First, we created sample data in order to examine and recover a file that has been either deleted or
permanently deleted (according to the system).
The files on a hard disk drive are not destroyed by deletion unless the drive is forensically wiped or the data is
overwritten with different information. There are two methods of deleting a file on a computer:
    • Simple delete, which sends the deleted file to the Recycle Bin, from where it can be recovered directly.
    • Shift+Delete, which prompts the system to delete the file permanently. In fact, the system only updates the
      Master File Table to show the location as empty after deletion; in reality, the file's data goes to unallocated
      space, from which it can be recovered by the method used in this document.
There are multiple files on the drive (Name: TestExtract, Capacity: 1 GB, No. of Files: 22, File System: NTFS) from
which we are going to recover deleted and shift-deleted files and carve a single file of known extension using its file
header and footer.

What to Recover?

    • We need to consider every possibility: whether the file is present or not, and if so, whether it is completely
      present in the root folder or corrupted.
    • There is also the possibility that the file has been deleted from the system; if so, where it is located and how
      much of it we can recover.
    • A file with the name 1.PNG is carved in this process.

How to Recover?

As files are created and deleted, a sequential pass through the raw data will see an interleaving of data blocks from
different files, both current and de-allocated. This means that we need to use the structure of the data content itself
to establish the correct sequence of blocks.
    • The extraction phase of carving begins with the known file signatures.
    • The basic header and footer approach is used.
    • Look for the header in the content and note down the starting offset (cluster number).
    • Then look for the footer in the content and note down its offset (cluster number).
    • Copy the complete data between the starting and ending offsets.
    • Paste this data into a hex editor and save the file to the destination location.
    • Match the hash value of the original file against that of the recovered file. If they match, the file has been
      carved successfully.
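The three-step header/footer scan from the Data Carving section and the recovery steps listed above, as an added Python example that is not part of this manual (the manual's own procedure is performed by hand in FTK Imager and a hex editor): it scans a constructed raw image for the PNG signatures, copies the bytes between the offsets, flags a header with no footer (the overwritten-data case from the test cases below) as a partial fragment, and verifies the result by MD5 and SHA-1. The sample image bytes and the max_len bound are assumptions.

```python
import hashlib

# PNG signatures as given in the manual: 89 50 4E 47 begins the 8-byte file signature,
# and 49 45 4E 44 AE 42 60 82 is the IEND chunk type plus its CRC, which ends every PNG.
PNG_HEADER = bytes.fromhex("89504E470D0A1A0A")
PNG_FOOTER = bytes.fromhex("49454E44AE426082")


def carve_png(image: bytes, max_len: int = 16 * 1024 * 1024) -> list:
    """Step 1: find a header; step 2: find the footer after it; step 3: copy the bytes between.

    Each result records the header offset, the carved bytes and whether a footer was found.
    max_len (an assumed bound) stops a header with no footer from swallowing the next file's footer.
    """
    carved = []
    pos = 0
    while (start := image.find(PNG_HEADER, pos)) != -1:
        body = image[start + len(PNG_HEADER):start + max_len]
        rel = body.find(PNG_FOOTER)
        if rel == -1:
            # Header present but no footer within the bound: the file was truncated or
            # overwritten, so only a fraction of it can be recovered.
            carved.append({"offset": start, "data": image[start:start + max_len], "complete": False})
            pos = start + len(PNG_HEADER)
            continue
        end = start + len(PNG_HEADER) + rel + len(PNG_FOOTER)
        carved.append({"offset": start, "data": image[start:end], "complete": True})
        pos = end
    return carved


def hashes(data: bytes) -> dict:
    """MD5 and SHA-1 of a byte string, the two values FTK Imager reports."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def verify_carved(carved: bytes, original: bytes) -> bool:
    """Final check of the procedure: the carved file must hash identically to the original."""
    return hashes(carved) == hashes(original)


# Constructed sample data (not a real disk image): a minimal PNG-shaped file made of the
# signature, an IHDR chunk and an IEND chunk, placed between sectors of zero filler.
ORIGINAL_PNG = (PNG_HEADER
                + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 13 + b"\x00" * 4  # IHDR length, type, data, CRC
                + b"\x00\x00\x00\x00" + PNG_FOOTER)                      # IEND length, type, CRC
FILLER = b"\x00" * 512
# A second copy whose tail was overwritten by new data: the header survives, the footer does not.
OVERWRITTEN_PNG = ORIGINAL_PNG[:20] + b"NEW DATA" * 4
IMAGE = FILLER + ORIGINAL_PNG + FILLER + OVERWRITTEN_PNG + FILLER

if __name__ == "__main__":
    for item in carve_png(IMAGE):
        ok = item["complete"] and verify_carved(item["data"], ORIGINAL_PNG)
        print(f"header at offset {item['offset']}: {'complete, hash match' if ok else 'partial'}")
```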

Procedure

Note: Image acquisition is done from a Linux live bootable CD using the dd command. The manual data extraction
procedure is done using FTK Imager.

Data Acquisition and Verification Procedure

    1. Create a bit-by-bit image using the dd command in the live bootable Linux.
    2. Generate the hash value of the acquired image.
    3. Open FTK Imager for the manual data extraction process.
    4. Add the acquired image as an Evidence Item.
       Figure 5: Adding Evidence Item
       Figure 6: Selecting Evidence Type (in this case: Image File)
       Figure 7: Entering Image Location
    5. Export the File Hash List to generate a hash value for every file in the image.
       Figure 8: Export File Hash List
    6. Manually verify the drive/image in FTK Imager, which generates MD5 and SHA-1 hash values. Compare these values
       to the hash value generated after the dd command. If they match, the acquisition is valid; if not, the
       acquisition was not performed properly.
       Figure 9: Generating MD5 and SHA-1 Hash Values
       Figure 10: Matching Hash Values and Bad Sectors
    7. If the acquisition is verified, traverse the data manually using FTK Imager. If the target file is not found,
       look for it in the unallocated space and other sectors.
       Figure 11: Traversing the Data from the Acquired Image

Data Carving Procedure

Sample File (1.PNG)
Figure 12: Sample File to be Carved
    • Search for the header of the file in the unallocated space and note down the offset at which the header is found.
      Figure 13: Searching File Header Signature in the Unallocated Space
      Figure 14: File Header Found
    • Search for the footer of the file in the same unallocated space and note down the offset at which the footer is
      found.
      Figure 15: Searching for the File Footer Signature in the Same Unallocated Space
    • Copy the data between the two offsets and create a new file of the same format using a hex editor.
      Figure 16: Copy Hex Data between the Header and Footer Offsets
      Figure 17: Paste the Copied Data into the Hex Editor
      Figure 18: Save the File with the Same Extension as the File Being Carved
      Figure 19: Output File
    • Generate the hash value of the file obtained from the data and compare it to that of the original file. If they
      match, the data has been carved perfectly.
      Figure 20: Comparing Hash Values for Verification

Test Cases & Observations

Overwritten Data

Aim
To determine whether previously deleted files are recoverable after new information has been written to the disk drive.
Steps Applied
    Step 1: Observe the first file without overwriting any data.
    Step 2: Add new data to the same disk drive and check whether it overwrites the previously deleted file.
    Step 3: Create the image of the disk drive again with the new data set.
    Step 4: Look in the unallocated space for the file that was deleted previously.
Exhibits
File header found in the unallocated space in between overwritten files.
Observation
The file was not found completely; only fractions of the file were recovered.

Multiple File Format Carving

Aim
To determine whether different file formats can be carved.
Steps Applied
    Step 1: Take files of different formats for data carving (mp4, 3gp, jpeg, pdf, bmp).
    Step 2: Look for each file's header and footer in the unallocated space and jot down the offsets of their
            positions if found.
    Step 3: Copy the data between the offsets.
    Step 4: Create and save a new file with the copied data using a hex editor, with the same file format.
    Step 5: Check whether the source and carved files are the same.
Observation
    1. Files with extensions 3gp, jpeg, bmp and pdf were carved perfectly and their hash values matched.
    2. The file with extension mp4 was not carved.

Conclusion

The disk drive acquisition was achieved perfectly during the Linux live boot using the "dd" command. The image was then
successfully added to FTK Imager for verification of the image and for the data extraction procedure.

Manual extraction of data was performed successfully using FTK Imager. The sample file was observed before and after
deletion by verifying its MD5 and SHA-1 hash values. After recovery, the carved file contained the complete information
of the original sample file. When performing the different test cases, we observed that:

    • File data could not be extracted completely when new data had been written over it on the drive.
    • Only partial information is obtained after data has been overwritten.
    • Files of different extensions can be obtained by the data carving process, except for some formats which do not
      have a defined footer hex value (e.g., mp4, database files).
    • The data carving process is able to recover data in all file systems (NTFS, FAT, FAT32, exFAT).
    • Obtaining data by the data carving process can be difficult if the files were handled in a different operating
      system.