DFRWS 2006 File Carving Challenge
Overview
This page summarizes the results of our efforts to solve the
Digital Forensic Research Workshop (DFRWS) 2006 File Carving
Challenge. In short, our team took 1st place (here's our press release).
Details regarding this challenge may be found here.
The Overview section of that page is repeated here:
Data carving is the process of extracting a collection of data from
a larger data set. Data carving techniques frequently occur during a
digital investigation when the unallocated file system space is analyzed
to extract files. The files are "carved" from the unallocated space using
file type-specific header and footer values. File system structures are
not used during the process.
The results of existing file carving tools typically contain many false
positives. An investigator must test each of the extracted files by
opening them in an application that supports the file type. The goal
of this challenge is to design and develop file carving algorithms that
identify more files and reduce the number of false positives.
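The carving approach and the false-positive problem described in the overview above, as an added example (not code from the challenge page or from our released tools): a naive header/footer JPEG carver next to one that accepts a candidate only if its segment structure parses. The sample buffer is constructed for illustration and is structurally a JPEG, not a decodable image; markers without a length field outside scan data are not handled.

```python
SOI, EOI = b"\xff\xd8", b"\xff\xd9"
HDR = SOI + b"\xff"                          # header signature used for matching
SKIP = {0x00, 0xFF, *range(0xD0, 0xD8)}      # stuffed byte, fill byte, RST0-RST7

def naive_carve(buf):
    """Header/footer carving: pair every header with the next footer."""
    hits, pos = [], buf.find(HDR)
    while pos != -1 and (end := buf.find(EOI, pos + 2)) != -1:
        hits.append((pos, end + 2))
        pos = buf.find(HDR, pos + 1)
    return hits

def jpeg_end(buf, start):
    """Walk marker segments from start; return end offset, or None if malformed."""
    i = start + 2
    while i + 4 <= len(buf):
        marker, seglen = buf[i + 1], int.from_bytes(buf[i + 2:i + 4], "big")
        if buf[i] != 0xFF or seglen < 2:     # not a marker, or impossible length
            return None
        i += 2 + seglen
        if marker != 0xDA:                   # only SOS is followed by scan data
            continue
        while True:                          # scan entropy-coded data for EOI
            i = buf.find(b"\xff", i)
            if i == -1 or i + 1 >= len(buf):
                return None
            nxt = buf[i + 1]
            if nxt == 0xD9:
                return i + 2
            if nxt not in SKIP:              # another segment (e.g. next scan)
                break
            i += 1 if nxt == 0xFF else 2
    return None

def validated_carve(buf):
    """Keep only candidates whose segment structure parses up to EOI."""
    out, pos = [], buf.find(HDR)
    while pos != -1:
        end = jpeg_end(buf, pos)
        if end is not None:
            out.append((pos, end))
        pos = buf.find(HDR, end or pos + 1)
    return out

# Constructed sample: stray header bytes in noise, then SOI, APP0, SOS, data, EOI.
JPG = (SOI + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00" + bytes(9)
       + b"\xff\xda" + (8).to_bytes(2, "big") + bytes(6) + b"\x12\x34\xff\x00\x56" + EOI)
NOISE = b"\x00" * 7 + b"\xff\xd8\xff\x41garbage" + b"\x00" * 5
BUF = NOISE + JPG + b"\x99" * 4
```

On `BUF`, `naive_carve` reports two files (one starting at the stray header inside the noise), while `validated_carve` reports only the real one.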
We approached the challenge by treating it like a project. As such, we
created a CVS repository and used it to capture our work and to record
our collective thought process.
Methodology
The following diagram depicts the methodology we employed while working
on the challenge. This methodology did not fully crystallize for us until
we had a chance to look back and reflect on what we were actually doing.
Releases
The following tarballs are available for download. Since we plan to
continue refining our tools and techniques with respect to file carving,
we may periodically cut new release tarballs and post them here.
Presentations
The following presentations are available for download: