FILE CARVING: Reassembling files from fragments of bytes/hex data on a digital device.


1 FILE CARVING: Reassembling files from fragments of bytes/hex data on a digital device

2 ASCII to Hex: A = 41, B = 42, C = 43, D = 44
IF the above data is in a .doc, .html or .txt file THEN convert the hex to ASCII
IF it is in a .docx or .pdf file THEN the content of the file has to be 'mounted' before it can be interpreted

3 “With the release of Office ‘07, Microsoft Word documents now use the same file format signature as a .ZIP file. If we were to view the entirety of the file with our HEX editor we would not uncover any legible ASCII characters. Why? The file structure and assembly instructions are contained within the file; thus, the file would need to be mounted by its native software in order for the contents to be viewed. Viewing and, more importantly, searching the contents of these “complex” files are possible once they are mounted. Forensic tools incorporate the software to mount these so that searching is possible”

4 4D
The above code is the hex representation of a file. Find out the file type (extension): .txt, .doc, .zip, .html, .png or .jpg. What is the data stored in this file?

5 HEX values represent pixel colors
.bmp file: hex value = pixel color
.png, .jpg: same issue as .docx and .pdf. The file has to be mounted first; the raw hex cannot be interpreted directly as colors.


7 Go to the link above and follow the step by step instructions. You will create a .bmp file by writing hex code.
Step 1: and select new file
Step 2: Paste the hex representation of the HEADER of a .bmp file
Step 3: Choose a number of pixels that is divisible by 4: 4*4, 8*8, 16*16
Step 4: Create an image that looks like the image below
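As an added example that is not part of the slides, the following Python ties slides 2, 4, 5 and 7 together: it identifies a file from its leading signature bytes, decodes hex to ASCII only when the type is plain text, builds a small 24-bit .bmp from a hand-assembled 54-byte header plus pixel bytes, and reads the pixel colors back out. The signature table and the image are constructed for the example.

```python
import struct

SIGNATURES = {  # constructed table of leading bytes for the types the slides name
    b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg", b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx",  # Office 2007+ documents carry the ZIP signature
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "doc", b"BM": "bmp",
}

def identify(data: bytes) -> str:
    """Name the file type from its leading signature bytes; plain ASCII counts as txt."""
    for magic, kind in SIGNATURES.items():
        if data.startswith(magic):
            return kind
    if data and all(32 <= b < 127 or b in b"\r\n\t" for b in data):
        return "txt"
    return "unknown"

def hex_to_text(hex_dump: str) -> str:
    """Slide 2: .txt/.html content decodes straight from hex to ASCII; other types do not."""
    raw = bytes.fromhex(hex_dump)
    if identify(raw) != "txt":
        raise ValueError("not plain text: this type must be mounted, not decoded")
    return raw.decode("ascii")

def make_bmp(rows, width, height) -> bytes:
    """Slide 7: build a 24-bit BMP from (r, g, b) rows after a 54-byte header."""
    row_bytes = (width * 3 + 3) & ~3          # each row is padded to a 4-byte boundary
    body = bytearray()
    for row in reversed(rows):                 # BMP stores rows bottom-up, pixels as BGR
        for r, g, b in row:
            body += bytes((b, g, r))
        body += b"\x00" * (row_bytes - width * 3)
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(body), 0, 0, 54)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(body), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + bytes(body)

def bmp_pixels(data: bytes):
    """Slide 5: read a 24-bit BMP's pixel array back as (r, g, b) rows, top-down."""
    offset = struct.unpack_from("<I", data, 10)[0]
    width, height = struct.unpack_from("<ii", data, 18)
    if struct.unpack_from("<H", data, 28)[0] != 24:
        raise ValueError("only 24-bit BMPs are handled here")
    row_bytes = (width * 3 + 3) & ~3
    rows = []
    for y in range(height):
        start = offset + y * row_bytes
        rows.append([tuple(reversed(data[start + 3 * x:start + 3 * x + 3])) for x in range(width)])
    return rows[::-1]
```

Writing `make_bmp(...)` to a file with a `.bmp` extension gives an image a viewer opens directly, which is the check at the end of the slide-7 exercise.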

8 Take a Break

9 Research Paper Topics
Concept map: Computer Forensics (File Systems Forensics, Network Forensics, Mobile devices Forensics); (Cyber)crimes (The Dark Web; Cybercriminals: Motivations and subcultures); Legal and ethical issues (Court admissibility, Forensics and privacy rights, Ethical issues in digital forensics); IoT and Big Data (Statistical analysis of data generated by IoT devices, Machine learning and IoT data)

10 Research Paper Topics
Concept map: Computer Forensics (File Systems Forensics, Network Forensics, Mobile devices Forensics); (Cyber)crimes (The Dark Web; Cybercriminals: Motivations and subcultures); Legal and ethical issues (Court admissibility, Forensics and privacy rights, Ethical issues in digital forensics); Forensics Science (Evidence preservation, Writing forensics reports, Anti forensics)
Research paper: 3000 words + Presentation
References: At least three academic articles published in the last 5 years
Reference: At least one theoretical chapter from a book or theoretical article explaining the concept you are investigating

11 Research Paper Topics
Choice of topic: Specific, Relevant, Achievable within four/five weeks
Topic 1: The dark web
Topic 2: The selling/buying/sharing of illegal material on the Dark Web
Topic 3: The uses of the Dark Web by law enforcement to gather digital evidence
Topic 4: Anti forensics
Topic 5: Methods of wiping data
Which topics are specific and which topics are NOT specific?

12 Research Paper Topics
Choice of topic: Specific, Relevant, Achievable within four/five weeks
Write down 2 research topics that are NOT specific and one research topic that is specific. Save your three topics to a file for use LATER.

13 Research Paper Topics
Choice of topic: Academic journals and Books

14 Research Paper Topics
"Timelining is a powerful tool for forensic analysis and contextual awareness. Many forensic tools can automatically structure files and data based on the time they were accessed, last changed, or deleted" (Arnes, 2018)

15 Conceptual Map
Create a conceptual map that summarizes the concepts related to file system forensics (check the book, the slides from class 8 and any other resources). Your map should include the following concepts: file carving, physical extraction, logical extraction, slack, partition table, file signature, file header, file mounting, RAM slack, drive slack, order of volatility. Add to document, to

16 Writing Reports: Case data, Purpose of examination, Findings, Conclusions

17 Writing Reports “Case data, or similar in a criminal setting is simply information that describes the investigation that the examination is part of. Case data would include the name of the person that ordered the examination, some identifier information that identifies the evidence pieces that are subject to examination. Key point here is to maintain chain of custody or similar as well as being able to distinguish the examination from other examinations”

18 Writing Reports Examples of purpose of examination:
“The purpose of this examination was to identify if documents stolen during the break-in at samplestreet 41 was present on the computer. The suspect stated, in an interrogation, that the computer was hacked. Thus, the examination also included looking for evidence of remote control software, malicious software and evidence of intrusion” “The aim of the examination was to extract all pictures from the device”

19 Investigation of whether a suspect has used their laptop to visit a website where illegal services are advertised. Write: (1) the case data, (2) a description of the purpose of the examination, (3) the findings and conclusions.

20 Checking when a user logged on: C:\Windows\System32\winevt\Logs\Security.evtx

21 Internet Forensics: Check the browser's history, check cached memory, check cookies

22 Email Headers and the Limitations of IP addresses
Received: from SAM-MBX03.ead.ubc.ca ([ ]) by s-itsv-hub04p.ead.ubc.ca ([ ]) with mapi id ; Tue, 26 Jun :15:
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: binary
Sometimes it is possible to find the IP address of the sender in the header; other times the IP address found is the IP address of the mail server.
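To make the slide's caveat concrete, here is an added Python example (not from the slides) that walks the Received headers of a constructed message from the earliest hop upward and reports whether the first non-private address belongs to the sending machine or only to a relaying mail server. The hostnames, addresses and timestamps in the sample are constructed, not the redacted values on the slide.

```python
import re
from email import message_from_string

# Constructed sample, not the slide's redacted header. Each hop prepends its own
# Received line, so the LAST Received header is the earliest hop (nearest the sender).
# Addresses are private (RFC 1918) or documentation (RFC 5737) ranges.
SAMPLE = """\
Received: from mbx01.example.edu ([10.0.5.12]) by hub04.example.edu ([10.0.5.40]) with ESMTP; Tue, 26 Jun 2018 09:15:02 -0700
Received: from mail.example.net (mail.example.net [203.0.113.7]) by mbx01.example.edu with ESMTP; Tue, 26 Jun 2018 09:14:58 -0700
Received: from [192.168.1.23] (unknown [192.168.1.23]) by mail.example.net with ESMTPSA; Tue, 26 Jun 2018 09:14:50 -0700
From: alice@example.net
Subject: test

body
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def is_private(ip: str) -> bool:
    """RFC 1918 and loopback: an address the internet-side sender cannot have had."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a in (10, 127) or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)

def received_hops(raw: str):
    """(from_host, from_ip, by_host) per Received header, earliest hop first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        value = " ".join(value.split())                # unfold continuation lines
        frm = re.search(r"^from\s+(\S+)", value)
        by = re.search(r"\bby\s+(\S+)", value)
        ip = IP_RE.search(value)                       # first bracketed address is the 'from' side
        hops.append((frm.group(1) if frm else "", ip.group(1) if ip else "", by.group(1) if by else ""))
    return hops[::-1]

def sender_ip_estimate(raw: str):
    """Walk hops from the earliest and return the first non-private 'from' address.
    is_client=True: it belongs to the earliest hop, probably the sender's machine.
    is_client=False: a later relay, so only a mail server's address is recoverable."""
    for index, (frm, ip, _by) in enumerate(received_hops(raw)):
        if ip and not is_private(ip):
            return {"ip": ip, "host": frm, "is_client": index == 0}
    return None
```

Received lines are written by each relay and can be forged by whoever controls an earlier hop, so only the lines added by servers you trust are evidence; the ones below them are claims.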


