“Carving” out pictures from a Handset (FTK)


UPDATE 01/03/2007

If you have Encase you want to follow this link - Carving” out pictures from a Handset (Encase) for the following two reasons.

1. FTK (Versions 1.61a and 1.62.1) do not seem to be adding sub-case items correctly
2. Encase, after you set up and run the correct search parameters, will automatically bookmark the “carved images”.

End of Update---------------------------------------------------------

The first thing I want to clarify is the definition of “Carve” in this page. So you, or another investigator, manually review a handset using it’s internal operating system and determine the picture you need is no longer on the handset. Sometimes images might not be accessible to the user but there might be images still residing in the logical memory of the handset.

I know what you are thinking: Open up a Case in FTK and automatically CARVE for images in the phone files. In my experience this answer is half right. I have not had much luck with FTK’S internal carving feature with logical phone files (This is not a rip on FTK it is just my experience. FTK is one of my favorite programs).

First you have to obtain a dump of the handset’s content.

If you used BITPIM (Root.zip) then you are ready to start ENCASE

If you used PARABEN DEVICE SEIZURE then use Paraben's Report Feature. And choose to create a HTML Report and include all items from the case. Paraben's report will save the files needed for the HTML Report in a folder called .Html Files. Take all the files in Html Files folder and add them to a ZIP file. For consistency we will also call this new ZIP Folder Root.zip. Goto ENCASE

Start a New Case in FTK

Go to the graphics Tab and take a hex view of your images. Choose the images that look like they were taken by a camera. Get the header of your images. In our example the header is FF D8 FF E0.




Open the Search Tab>Live Search and do a hex search using FF D8 FF E0. In results you should see the image file you could see using the handset (a nice test to make sure your search syntax was correct).

Look at your other search hits. Do you see some possible targets? I'm the following example I have an image header in MMS>62 File:



TRY NOT SKIP THE NEXT STEP:

Put your cursor over the image’s original file name and copy it to the clipboard. In our example it would be “Photo_#58.jpg”



Now put your cursor before the first character of your header and Right-click and Hold>Scroll to the bottom of the file and release. This could take some time if the image files are large. Once your header, and rest of the file is highlighted, Right-click on any of highlighted part and a menu should come up allowing you to "Save selection ..."“Add Sub Item”. Choose “Add a Sub Item” and paste the name you copied to the clipboard in the name (If you didn’t skip that step!). Look at your new sub-items in graphics view saved images. You’ve just “carved” an image from you handset files.



See also- Carving” out pictures from a Handset (Encase)