Category "Carving"

CarvFS is a user space file system on top of LibCarvPath and FUSE that makes arbitrary parts of a file system accessible as files. Its main intended use is zero-storage or in-place file carving. I'm frequently using this tool to dissect large structured files and file system images. CarvFS compiles out of the box on Linux; installation on a Mac required a couple of tweaks and patches to sources and CMake files. With the kind help of Rob from the KLPD I eventually succeeded. I'm releasing my set of patches in the hope that it will help others.

"Chopstick" published two articles about CarvFS in his blog Chirashi Security.

Golden G. Richard III, Vassil Roussev and Lodovico Marziale describe a file carver that is able to work on local and remote drives. They presented their paper In-Place File Carving at the 3rd annual IFIP WG 11.9 International Conference.

The two programs LibCarvPath and CarvFS implement the concept of in-place carving. Both were developed under the Open Computer Forensics Architecture framework.

Golden Richard released version 1.60 of his file carver Scalpel. This version for the first time supports the concept of in-place carving.

Carving is a common technique to recover deleted files. It usually requires a lot of disk space. Now an inproved technique, called in-place, in-line or zero space carving, is going to change that - and it also noticeable speeds up processing.

On Feb. 13th Scalpel v1.54 and Foremost v.1.1 were released to the public. Both are file carvers, so why not let them compete against each other?

Tcpxtract is a carver for network traffic, which means it extracts files out of captured data. In order to determine start and end positions of a file it searches for certain byte sequences. This procedure was inspired by foremost, a carver for filesystem data.