Autopsy User Documentation
4.8.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
|
The PhotoRec Carver module carves files from unallocated space in the data source and sends the files found through the ingest processing chain.
This can help a reviewer discover more information about files that used to be on the device and were subsequently deleted. These are simply extra files that were found in "empty" portions of the device storage.
There is nothing to configure for this module.
Select the checkbox in the Ingest Modules settings screen to enable the PhotoRec Carver. Ensure that "Process Unallocated Space" is selected.
The run-time setting for this module allows you to choose whether to keep corrupted files.
Also note that the "Run ingest modules on" selection needs to include unallocated space for this module to run.
The results of carving show up on the tree under the appropriate data source with the heading "$CarvedFiles".
Applicable types also show up in the "Views", "File Types" portion of the the tree, depending upon the file type.
To add custom file signatures, create a file (if it does not exist) photorec.sig in the user home directory (for example - /home/john/photorec.sig, or C:\Users\john\photorec.sig). The photorec.sig file should contain one expression per line. For example, to detect a file foo.bar which has header signature - 0x4141414141414141, add an expression
bar 0 0x4141414141414141
in photorec.sig where bar is the file extension, 0 is the signature offset, and 0x4141414141414141 is the signature. Add another expression on a new line to detect another custom file based on its signature.
Copyright © 2012-2018 Basis Technology. Generated on Thu Oct 4 2018
This work is licensed under a
Creative Commons Attribution-Share Alike 3.0 United States License.