Autopsy User Documentation  4.9.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
PhotoRec Carver Module

What Does It Do

The PhotoRec Carver module carves files from unallocated space in the data source and sends the files found through the ingest processing chain.

This can help a reviewer discover more information about files that used to be on the device and were subsequently deleted. These are simply extra files that were found in "empty" portions of the device storage.

Configuration

There is nothing to configure for this module.

Using the Module

Select the checkbox in the Ingest Modules settings screen to enable the PhotoRec Carver. Ensure that "Process Unallocated Space" is selected.

Ingest Settings

The run-time setting for this module allows you to choose whether to keep corrupted files.

photo_rec_settings.png

Also note that the "Run ingest modules on" selection needs to include unallocated space for this module to run.

Seeing Results

The results of carving show up on the tree under the appropriate data source with the heading "$CarvedFiles".

photorec_output.PNG

Applicable types also show up in the "Views", "File Types" portion of the the tree, depending upon the file type.

Custom File Signatures

To add custom file signatures, create a file (if it does not exist) photorec.sig in the user home directory (for example - /home/john/photorec.sig, or C:\Users\john\photorec.sig). The photorec.sig file should contain one expression per line. For example, to detect a file foo.bar which has header signature - 0x4141414141414141, add an expression

    bar 0 0x4141414141414141

in photorec.sig where bar is the file extension, 0 is the signature offset, and 0x4141414141414141 is the signature. Add another expression on a new line to detect another custom file based on its signature.


Copyright © 2012-2018 Basis Technology. Generated on Tue Dec 18 2018
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.