LibCarvPath and CarvFS
The two programs LibCarvPath and CarvFS implement the concept of in-place carving. Both were developed under the Open Computer Forensics Architecture framework.
CarvFS implements a virtual file system on top of FUSE, the Userland File System. FUSE handles all the communication with the operating system kernel. However FUSE is available only for the 2.4.x and 2.6.x series of Linux kernels.
One can create files as usual in a virtual file system driven by CarvFS. At this the file name describes the block of data to be carved from an image. For example CarvFS/16384:128303104.crv means a block starting at offset 16384 and running for 128303104 bytes. Within this block one could address other blocks in the same manner. In addition a block might consist of several fragments, delimited by an underscore. Such a complex name may look like CarvFS/16384:128303104/8192:1024_12228_1024.crv.
The CarvFS project has also developed some patches to add in-place carving to The Sleuth Kit (TSK).
Another prerequisite for the compilation of LibCarvPath and CarvFS is the installation of libewf, a program library which provides access to disk images in EnCase and SMART format.
Comments
It may be interesting to note that the newest release of carvfs comes with a script (scalpelcp) that takes the output of the new 1.60 scalpel version run in preview mode ( -p ), and populates the output directory with symbolic links to zero-storage carvfs pseudo files.
Posted by: ocfa | December 29, 2006 01:07 PM