Autopsy User Documentation
4.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
The PhotoRec Carver module carves files from unallocated space in the data source and sends the files found through the ingest processing chain.
This can help a reviewer discover more information about files that used to be on the device and were subsequently deleted. These are simply extra files that were found in "empty" portions of the device storage.
There is nothing to configure for this module.
Select the checkbox in the Ingest Modules settings screen to enable the PhotoRec Carver. Ensure that "Process Unallocated Space" is selected.
There are no run-time settings for this module, but the global setting to "Process Unallocated Space" needs to be selected to make this work.
The results of carving show up on the tree under the appropriate data source with the heading "$CarvedFiles".
Applicable types also show up in the "Views", "File Types" portion of the tree, depending upon the file type.
To add custom file signatures, create a file named photorec.sig (if it does not already exist) in the user home directory (for example, /home/john/photorec.sig or C:\Users\john\photorec.sig). The photorec.sig file should contain one expression per line. For example, to detect a file foo.bar that has the header signature 0x4141414141414141, add the expression
bar 0 0x4141414141414141
in photorec.sig where bar is the file extension, 0 is the signature offset, and 0x4141414141414141 is the signature. Add another expression on a new line to detect another custom file based on its signature.
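An added example, not part of the Autopsy documentation: a Python check that validates photorec.sig lines before an ingest run and reports which signatures match a known sample file. It assumes only the "extension offset 0x-hex" form described above; the function names, the extra signature lines and the sample bytes are constructed for illustration.

```python
import re

# One expression per line: <extension> <offset> <0x-prefixed hex signature>.
# Assumption: only the hex form shown on this page is accepted.
SIG_LINE = re.compile(r"(\w+)\s+(\d+)\s+0x((?:[0-9A-Fa-f]{2})+)")


def parse_sig(text):
    """Return (signatures, errors) for the contents of a photorec.sig file.

    signatures: list of (extension, offset, magic_bytes)
    errors:     list of (line_number, reason) for lines that do not parse
    """
    sigs, errors = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = SIG_LINE.fullmatch(line)
        if m is None:
            errors.append((no, "expected: <ext> <offset> 0x<even number of hex digits>"))
            continue
        sigs.append((m.group(1), int(m.group(2)), bytes.fromhex(m.group(3))))
    return sigs, errors


def matching_exts(sigs, data):
    """Extensions whose signature is present at its stated offset in data."""
    return [ext for ext, off, magic in sigs if data[off:off + len(magic)] == magic]


# Constructed sample input: the page's own expression, one more valid line,
# and one malformed line (odd number of hex digits).
SAMPLE_SIG = "bar 0 0x4141414141414141\nbaz 4 0xCAFE\nbad 0 0x123\n"
SAMPLE_FILE = b"AAAAAAAA" + b"\x00" * 8  # stands in for a known-good foo.bar

if __name__ == "__main__":
    sigs, errors = parse_sig(SAMPLE_SIG)
    for no, reason in errors:
        print(f"line {no}: {reason}")
    print("sample file matches:", matching_exts(sigs, SAMPLE_FILE))
```

Running it against a real known-good file of the custom type confirms the offset and signature are right before carved results are relied upon.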
Copyright © 2012-2016 Basis Technology. Generated on Tue Oct 25 2016
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.