Raw Data Carving presented at ISSA 2015

by Kevin Ripa,

Summary : You have used all of the utilities in EnCase, FTK, and other programs to carve files from unallocated file space. Do you think you have found everything? If you answered yes, guess again. The only way that carving utilities is able to recover deleted data automatically (for the most part) is through file header and footer identification, and this recovers an intact file. In other words, a file has been deleted, but not yet overwritten by new data. What happens if part of the deleted file is now overwritten, but some of the old data still exists? What about file fragments from slack space?
This informative and easy to follow lecture will demonstrate to attendees how they can manually carve data from unallocated files space, and then what to do with it so that it is useful. We will also discuss data recognition. This means being able to not only see the search hit, but identify the context in which it is being seen. This alone has solved many cases in our lab!