Friday, October 2, 2015

Forensics File Carving with Bless

In this post, similar to the foremost and scalpel posts, I have a small (64 MB) flash drive with a couple of files which were created under Windows. The assumption is that someone provided me with this drive as a raw image to perform a forensic investigation and retrieve whatever files are on the disk.

For this post we will carve a file using "Bless". We will pick on the pdf file at offset "1530880" with a size of "88" bytes. As to where I get this offset from, let's assume one of two things: either the offset was provided to us by someone, or it came from a tool such as foremost or scalpel that was run earlier. In this case let's use the output from the foremost post. To make sure we understand the pdf header and trailer, we will use some information from "http://www.garykessler.net/library/file_sigs.html".

So let's load up Bless and go to offset "1530880".


Now that we have confirmed there is a "pdf" header at offset "1530880", let's try to find the trailer. From the information provided by "http://www.garykessler.net/library/file_sigs.html" we see there are multiple possible trailers, but one thing that is constant is the "%%EOF". Let's do a "find" for the first one and note its absolute location.

From the above, we see that "%%EOF" was found and ends at offset "1621603". Now that we have a starting offset "1530880" and an ending offset "1621603" let's try to carve our pdf file.

Let's use Bless's "Select range" menu option to obtain those bytes.
Our "Select range from" will be our starting point "1530880" and will end at "1621603".

From the image below, we have highlighted all the bytes between "1530880" and "1621603".

Let's now use the same menu to select "copy". Once copied, we will create a new window and paste these bytes. The next step will be to save it as "extractedPDF.pdf".

Next use your favourite pdf reader to open the file. Below we see that we have successfully carved the "pdf" file from the image.
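The manual Bless steps above (confirm the header at the given offset, find the "%%EOF" trailer, select the range from header to trailer and write it out) expressed as a script. This is an added example, not code from the original post; the disk image it operates on is constructed inline, and it also lists every "%%EOF" after the header, since a pdf with incremental updates carries more than one trailer and the first one found is not always the true end of the file.

```python
"""Carve a PDF from a raw disk image the way the Bless steps above do it.

Added example, not part of the original post. The disk image below is
constructed inline for demonstration (the post used a 64 MB flash drive
image and offset 1530880).
"""

PDF_HEADER = b"%PDF-"    # PDF file signature, as listed on file_sigs.html
PDF_TRAILER = b"%%EOF"   # the one constant piece of every PDF trailer


def trailer_offsets(image, start):
    """Return the offset of every "%%EOF" at or after `start`.

    A PDF that was updated in place (incremental update) or linearized
    carries several "%%EOF" markers, so the first one found is not always
    the true end of the file; listing them lets the analyst choose.
    """
    found, pos = [], image.find(PDF_TRAILER, start)
    while pos != -1:
        found.append(pos)
        pos = image.find(PDF_TRAILER, pos + 1)
    return found


def carve_pdf(image, start, which=0, out_path=None):
    """Carve the PDF whose header sits at `start`.

    Mirrors the manual Bless workflow: confirm the header at the given
    offset, locate the trailer, then select the byte range from the header
    up to and including the trailer and write it out. `which` selects the
    n-th "%%EOF" after the header (0 = first, -1 = last). Returns
    (start, end, data); `end` is inclusive, as Bless reports it.
    """
    if image[start:start + len(PDF_HEADER)] != PDF_HEADER:
        raise ValueError(f"no PDF header at offset {start}")
    trailers = trailer_offsets(image, start)
    if not trailers:
        raise ValueError(f"no %%EOF trailer after offset {start}")
    end = trailers[which] + len(PDF_TRAILER) - 1
    data = image[start:end + 1]
    if out_path is not None:
        with open(out_path, "wb") as fh:
            fh.write(data)
    return start, end, data


# Constructed sample image: 1 KiB of zero filler, a tiny PDF, then filler.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n"
              b"trailer<</Root 1 0 R>>\nstartxref\n9\n%%EOF\n")
SAMPLE_IMAGE = b"\x00" * 1024 + SAMPLE_PDF + b"\xff" * 512

if __name__ == "__main__":
    s, e, blob = carve_pdf(SAMPLE_IMAGE, 1024, out_path="extractedPDF.pdf")
    print(f"carved {e - s + 1} bytes from offset {s} to {e}")
```

Against a real image, read the file with `open(path, "rb").read()` (or memory-map it) and pass the header offset reported by foremost or scalpel; compare the carved size with the one the tool reported before trusting the first trailer.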

In the posts on foremost and scalpel, tools were used to carve the data. In this post the process was manual and independent of carving tools (well, except for Bless). It is important that we understand how a tool should work when we are using it to perform a task.

References:
Bless