Wednesday, September 26, 2007

“Carving” out pictures from a Handset (ENCASE V5)

The first thing I want to clarify is what “Carve” means on this page. Suppose you, or another investigator, manually review a handset using its internal operating system and determine that the picture you need is no longer on the handset. An image may not be accessible to the user and still reside in the logical memory of the handset.
I know what you are thinking: Open up a Case in Encase and automatically CARVE for images in the phone files. In my experience this answer is half right. (We need to create a special search in Encase to be sure we can find all the images.)
Here’s my suggestion:

1. First you have to obtain a dump of the handset’s content.
If you used BITPIM ( then you are ready to start ENCASE
If you used PARABEN DEVICE SEIZURE, use Paraben's Report Feature: choose to create an HTML Report and include all items from the case. Paraben's report will save the files needed for the HTML Report in a folder called .Html Files. Take all the files in the Html Files folder and add them to a ZIP file. For consistency we will also call this new ZIP Folder

2. Start a New Case in ENCASE.
Maneuver your way down to Home>Entries, then right click on Entries>Activate Single File
Right Click on Single Files>New (which opens up a common dialog box for you to find your Root.Zip file)
Open up Enscripts and choose File Mounter>File by Extension>Zip files. Your single file is activated and the Root.Zip folder mounted. You can now walk through the file structure.
Different handsets use slightly different headers in their images. Sometimes images are embedded in files with long headers (containing valuable EXIF Data) but are overlooked by Forensic Programs that only look for predetermined headers and offsets.

3. Find a stored image. Choose one that looks like it was taken by the handset's camera.
Look at that image in hex and get the header information. Double check your header against a couple of other images that appear to have been taken with the camera. In our example the header is FF D8 FF E0 for image photo_004.jpg.

4. Now open ENSCRIPTS again and Choose "Sweep Case".
a. Check the box for your case>Next
b. Find the Modules List and Check the box for "File Finder"
c. Double left click on File Finder. A File Finder Menu opens up and you might as well check all the options (BMP, JPG, PNG, ...). But also click on the bar "Add Custom File Type" and add the following:
d. Description: Carved Image
e. Header: \xFF\xD8\xFF\xE0 (for our example, but use whatever you found in the header of your images)
f. Footer: Empty
g. Extension: .jpg
h. Check the following Boxes: "Bookmark as picture" and "GREP"
i. OK>OK>Finish
j. Open your BOOKMARKED folder and see how many new images you have found that you could not find using the handset. You have now "Carved" some images from the handset.

Don't forget to SAVE ALL so you don't have to re-write the "Add Custom File Type" each time; you only have to update the Header Hex Information.
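
Steps 3 and 4 as an added Python example (not part of the original post, and not EnCase's own logic): it confirms the header across known camera images, sweeps a dump for that header at any offset, and walks the JPEG markers to find where each picture ends, so an image wrapped inside a longer file is cut out whole. The function names and the sample dump are constructed for illustration.

```python
import struct

def common_header(samples, length=4):
    """Step 3: the leading bytes shared by images known to come from the camera."""
    heads = {s[:length] for s in samples}
    if len(heads) != 1:
        raise ValueError("sample images disagree on the header bytes")
    return heads.pop()

def jpeg_end(blob, start):
    """Walk JPEG markers from the SOI at `start`; return the offset past EOI, or None."""
    i = start + 2                                   # skip SOI (FF D8)
    while True:                                     # header segments: FF xx + 2-byte length
        if i + 4 > len(blob) or blob[i] != 0xFF:
            return None                             # false hit or truncated data
        marker, seglen = blob[i + 1], struct.unpack(">H", blob[i + 2:i + 4])[0]
        i += 2 + seglen                             # jumps over APPn, embedded thumbnail included
        if marker == 0xDA:                          # SOS: compressed scan data follows
            break
    while True:
        i = blob.find(b"\xff", i)
        if i == -1 or i + 1 >= len(blob):
            return None                             # no end-of-image marker: truncated
        nxt = blob[i + 1]
        if nxt == 0xD9:                             # EOI
            return i + 2
        i += 2 if nxt == 0x00 or 0xD0 <= nxt <= 0xD7 else 1   # stuffed FF / restart marker

def carve(blob, header):
    """Step 4: (offset, bytes) for every well-formed JPEG starting with `header`."""
    found, pos = [], blob.find(header)
    while pos != -1:
        end = jpeg_end(blob, pos)
        if end is not None:
            found.append((pos, blob[pos:end]))
        pos = blob.find(header, end if end else pos + 1)
    return found

def make_sample(app_payload, scan):
    """Constructed test image: a valid JPEG skeleton, not a viewable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", len(app_payload) + 2) + app_payload
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x00" * 6
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"

# Constructed dump: long wrapper header, one image (FF D9 inside APP0), one false hit.
PHOTO = make_sample(b"JFIF\x00" + b"\xff\xd9thumb", b"\x12\xff\x00\x34")
DUMP = b"PROPRIETARY-HEADER" * 4 + PHOTO + b"\x00" * 16 + b"\xff\xd8\xff\xe0junk"

if __name__ == "__main__":
    print([(off, len(img)) for off, img in carve(DUMP, common_header([PHOTO]))])
```

Searching for the first FF D9 after the header would cut this sample short inside its APP0 segment; walking the segment lengths avoids that.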
