This wiki provides basic documentation on everything CarvPath related.
In the computer forensics and incident response sub-fields of media analysis, a rich combination of specialized tools is often used. Computer forensic investigators will often create an image of a physical medium using disk or memory imaging tools. These media images are a one-to-one copy of all the data on the physical device at the time of imaging. In some cases a raw image is used, created with a tool like dd. Many forensic investigators prefer the industry-standard EWF files instead, which contain additional metadata that may be useful later in the investigation.
After the media images have been acquired, the digital forensic investigator uses a wide variety of tools in the course of the investigation. Many of these tools require files as their input, and to obtain files from the image, they are often 'copied out' of the media image using file system processing tools such as the commercial EnCase or FTK, or the open source Sleuthkit tools. Often, useful data will have been deleted from the filesystem, and another type of tool, a carver such as the open source PhotoRec or Scalpel, is needed to recover these files. The filesystem processing tool must first copy out the unallocated space, after which the carver copies out the (potential) files. Carvers are notorious for their large number of false positives, and for the fact that many file types have no reliable 'footer' definition, which forces the carver to copy out well past the end of the file. In addition, many files may be contained in, for example, ISO images that reside on the filesystem, requiring yet another round of copy-out. The result of this multi-level copy-out is that the disk space requirements of a computer forensics lab using all of these tools will be many times the size of the acquired data. Given that most computer forensic investigations involve tens to hundreds of disk images of hundreds to thousands of gigabytes each, these disk space requirements can become truly expensive, and may force a computer forensics unit or company to limit the number of cases it can run concurrently.
As a spin-off of the Open Computer Forensics Architecture, the Dutch national police created a solution for working with large bodies of media image data using a concept called zero storage carving or in-line carving.
The use of CarvPath annotations provides the basis for zero storage carving and zero storage filesystem analysis tools. There are two core components to the use of CarvPath: a library, LibCarvPath, and a user space filesystem, CarvFs. LibCarvPath is a portable library for the parsing, creation and manipulation of CarvPath annotations. This library can be used by computer forensic tools such as the Sleuthkit tools or the PhotoRec carver to provide support for zero storage carving. The CarvFs filesystem is a userspace FUSE filesystem that runs on Linux or *BSD and translates CarvPath annotations into pseudo directories and pseudo files that can be used by any tool that takes normal files as its input.
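The following is an added illustration of the zero storage idea behind the multi-level copy-out problem described above; it is not LibCarvPath code and does not use LibCarvPath's actual annotation syntax or API. It models a carved region as a hypothetical list of (offset, length) fragments relative to the base image, and shows that a file carved out of unallocated space (or out of an ISO image that sits in the filesystem) can be rebased onto the original image so that every level reads straight from the one acquired image, with nothing copied out.

```python
from typing import List, Tuple

# Hypothetical representation (assumption, not CarvPath's real syntax):
# a virtual file is a list of (offset, length) fragments of the base image.
Fragment = Tuple[int, int]


def total_length(frags: List[Fragment]) -> int:
    """Size of the virtual file described by the fragment list."""
    return sum(length for _, length in frags)


def compose(outer: List[Fragment], inner: List[Fragment]) -> List[Fragment]:
    """Rebase `inner` onto the base image.

    `inner` offsets are relative to the virtual file described by `outer`
    (e.g. a carved file inside unallocated space). The result addresses the
    base image directly, so no intermediate copy of `outer` is ever needed.
    """
    outer_len = total_length(outer)
    result: List[Fragment] = []
    for in_off, in_len in inner:
        if in_off < 0 or in_len < 0 or in_off + in_len > outer_len:
            raise ValueError("inner fragment lies outside the outer virtual file")
        pos = 0  # running offset into the outer virtual file
        for out_off, out_len in outer:
            start = max(in_off, pos)               # overlap in virtual space
            end = min(in_off + in_len, pos + out_len)
            if start < end:
                result.append((out_off + (start - pos), end - start))
            pos += out_len
    return result


def read_virtual(image: bytes, frags: List[Fragment]) -> bytes:
    """Materialise a virtual file from the base image (only for comparison;
    a zero storage tool would serve these bytes on demand instead)."""
    return b"".join(image[off:off + length] for off, length in frags)


if __name__ == "__main__":
    image = bytes(range(64))                       # constructed 64-byte "disk image"
    unallocated = [(16, 16), (48, 16)]             # two unallocated runs, 32 bytes total
    carved = [(8, 16)]                             # carver hit at offset 8 of unallocated
    print(compose(unallocated, carved))            # [(24, 8), (48, 8)]
```

Composing the fragment lists gives the same bytes as a two-step copy-out, while the only data that ever exists on disk is the acquired image.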
- Getting and installing LibCarvpath
- Getting and installing CarvFs
- Getting and installing EWF support for CarvFs
Work in progress