Carve

From truxwiki.com
Jump to navigation Jump to search
Details
Executable Carve.exe
Stage 4
Percent Complete 48%
Message Queue carve

This is Truxton's file carver. Any supported file type is searched for in either unallocated space from a drive or file types that are unknown.

By default, the carver attempts to identify files on 512 byte sector boundaries but for high value files just as JPGs, it will search every byte in the sector.

Description

Like any other ETL, file carving is a multi-process and multi-machine endeavor. By default, Truxton will break the space to be carved into 10MB chunks and put these chunks onto Carve's queue. This allows the space to be carved in parallel by several machines. You can change the size of the chunk with the cws option.

Algorithm

Truxton's carving algorithm is this:

  1. Scan the chunk for every type of file Truxton knows about
  2. Scanning is done on 512-byte boundaries unless otherwise specified
  3. When a file has been found, the length of the file is calculated based on the file's format
  4. The file's format is parsed to produce meta-data information (file name, dates, etc)
  5. The file meta data is added to the database
  6. File fragments are recorded for use in fragmented file carving