Manual Filecarving 2

1. Introduction

There are various types of digital files, from Microsoft Word’s .docx files to executable programs and images. File extensions help identify a file, but they are not always reliable, as they can easily be manipulated. Standardized file types have unique signatures that the operating system uses to identify, classify and display them to the user. These signatures can be identified in hex or ASCII format, either as headers or footers indicating the start and end of a file. File types without footers might have a maximum file size specified instead. More information about different file signatures can be found in this table by Gary Kessler.

Header-footer or header-“maximum file size” carving—Recover files based on known headers and footers or maximum file size

  • JPEG—"xFFxD8" header and "xFFxD9" footer

  • GIF—"x47x49x46x38x37x61" header and "x00x3B" footer

  • PST—"!BDN" header and no footer

  • If the file format has no footer, a maximum file size is used in the carving program

HxD Editor download (Freeware):

Image for Filecarving:

JPEG: Deleted, no thumbnails, not overwritten, unfragmented in full unallocated space.

2. Analysis

First we open the file carv2.bin with HxD Editor and search for the jpg header FFD8FF.

We find it at offset 13B6. In this second example we see that it is embedded in other data (other deleted or allocated files), which is more typical of what we might see in practice.

After locating the jpg header we note its offset and search from there for the jpg footer, which starts with FFD9.

We can now mark the whole block, copy the content and paste it in a new file:

Save the file as extracted2.jpg and have a look for the result:
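The manual HxD steps above (find the header, find the next footer, copy the block out) as an added Python example that is not part of the original tutorial. It runs on a constructed byte string rather than carv2.bin; the 0x13B6 offset and the maximum-size fallback for a missing footer are taken from the page.

```python
# Added example (not from the original tutorial): a minimal header/footer
# carver that automates the HxD steps. Input is a constructed byte string,
# not the carv2.bin image used on the page.

JPEG_HEADER = b"\xFF\xD8\xFF"   # the signature searched for in HxD
JPEG_FOOTER = b"\xFF\xD9"       # end-of-image marker


def carve_jpegs(data: bytes, max_size: int = 10 * 1024 * 1024):
    """Return a list of (offset, bytes) for each JPEG found in data.

    Each hit is carved from the header to the first footer that follows it,
    which matches the page's 'no thumbnails, unfragmented' assumption (an
    embedded thumbnail would carry its own FFD9 and cut the carve short).
    If no footer is found within max_size bytes, the block is truncated at
    max_size, mirroring the 'maximum file size' rule for footerless formats.
    """
    results = []
    pos = 0
    while True:
        start = data.find(JPEG_HEADER, pos)
        if start == -1:
            break
        window_end = min(len(data), start + max_size)
        end = data.find(JPEG_FOOTER, start + len(JPEG_HEADER), window_end)
        stop = window_end if end == -1 else end + len(JPEG_FOOTER)
        results.append((start, data[start:stop]))
        pos = stop  # continue searching after this carve
    return results


def build_sample_image() -> bytes:
    """Constructed unallocated-space sample: filler, one JPEG-like block
    embedded in other data at offset 0x13B6 as on the page, more filler."""
    filler = b"\x00" * 0x13B6
    fake_jpeg = JPEG_HEADER + b"\xE0\x00\x10JFIF\x00" + b"\x11" * 40 + JPEG_FOOTER
    trailing = b"\xAB" * 64
    return filler + fake_jpeg + trailing


if __name__ == "__main__":
    for offset, blob in carve_jpegs(build_sample_image()):
        name = f"extracted_{offset:X}.jpg"   # e.g. extracted_13B6.jpg
        print(f"JPEG at offset {offset:X}, {len(blob)} bytes -> {name}")
        with open(name, "wb") as fh:
            fh.write(blob)
```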
