The purpose of the 2006 Digital Forensics Research Workshop File Carving
Forensic Challenge was to recover files from raw file system data. All file
system information had been removed from the data file and all that was left
was the file data itself. To solve the challenge we developed FragMend, a GUI
tool that classifies sectors of the raw data and allows an investigator to group
them together interactively into files. Files can then be tested to a certain
degree within the GUI. Using FragMend and a small number of supporting scripts,
we were able to recover 32 files from the raw challenge data: 3 text files, 6
HTML files, 3 PK Zip files, 14 JPG files, and 6 Office documents (5 Word and 1
Excel). No sectors with well-known file headers were left among the
remaining unallocated sectors. FragMend is open source, licensed under the BSD
Open Source License, and is available for download at SourceForge.
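A minimal sketch of the two steps described above, classifying sectors of raw data and then checking that no sector with a well-known header is left unallocated. It is an added illustration, not FragMend code: the abstract does not describe FragMend's classifier, so the 512-byte sector size, the label names, the printable-byte heuristic and the constructed sample image are all assumptions.

```python
# Added illustration; not FragMend code. Sector size and heuristics are assumptions.
SECTOR = 512  # assumed sector size

# Well-known headers for file types named in the abstract.
SIGNATURES = {
    "jpg": b"\xff\xd8\xff",
    "zip": b"PK\x03\x04",
    "office": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 container (Word/Excel)
}

def classify_sector(sector: bytes) -> str:
    """Label one sector by header magic, then by a coarse content heuristic."""
    for label, magic in SIGNATURES.items():
        if sector.startswith(magic):
            return label + "-header"
    if not sector.strip(b"\x00"):
        return "empty"
    head = sector.lstrip()[:64].lower()
    if head.startswith((b"<!doctype html", b"<html")):
        return "html-header"
    printable = sum(1 for b in sector if 32 <= b < 127 or b in (9, 10, 13))
    return "text" if printable / len(sector) > 0.95 else "binary"

def classify_image(image: bytes) -> list:
    """Classify every sector of a raw image that has no file system metadata."""
    return [classify_sector(image[i:i + SECTOR])
            for i in range(0, len(image), SECTOR)]

def unrecovered_headers(labels, allocated) -> list:
    """Sector indexes that carry a known header but belong to no recovered file."""
    return [i for i, label in enumerate(labels)
            if label.endswith("-header") and i not in allocated]

def build_sample_image() -> bytes:
    """Constructed sample: six sectors of raw data."""
    pad = lambda b: b.ljust(SECTOR, b"\x00")
    return b"".join([
        pad(b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),          # 0: JPEG start
        bytes((i * 37 + 1) % 256 for i in range(SECTOR)),  # 1: binary body
        (b"plain text line\r\n" * 40)[:SECTOR],            # 2: text
        pad(b"<html><head><title>t</title>"),              # 3: HTML start
        pad(b"PK\x03\x04\x14\x00"),                        # 4: PK Zip start
        bytes(SECTOR),                                     # 5: empty
    ])
```

Passing the set of sector indexes already assigned to recovered files to `unrecovered_headers` gives the completeness check: an empty result means every sector with a known header has been accounted for.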