Craig Ball
Username: craigball
Registered: 4-2006
Posted on Friday, Jul 17, 2009 - 8:33:

I'm trying to perfect the process of carving contiguous EnCase-format image file segments from free space. Analyzing the data, I'm pretty confident about the header (0x455646090D0A0FF00) and the footer for all segments except the concluding segment (0x6E657874000000000000000000000000) and for the concluding segment (0x646F6E65000000000000000000000000). I've figured out how to determine the segment number, traverse the section offsets and locate the embedded hash values. The problem is that, for every segment, you must also carve the succeeding 75 bytes of data beyond the first byte of the footer string. Does anyone know how to frame the footer statement in the file type definitions spreadsheet to accomplish this (that is, locate the start of the footer and carve an additional 75 bytes) or, preferably, introduce a value governing the footer string that sets an offset from the end of the file? Offsets can be imposed for headers but apparently not for footers. And yes, I'm aware that fragmentation would make successful recovery of EnCase images challenging in many cases. I have a drive where they are not fragmented. Thanks.

Stefan Fleischmann
Username: admin
Registered: 1-2001
Posted on Friday, Jul 17, 2009 - 12:57:

> The problem is that, for every segment, you must also
> carve the succeeding 75 bytes of data beyond the first
> byte of the footer string.

The wildcard character that matches any (unpredictable) byte value in GREP notation is . (i.e. a period). If you want to match 60 more bytes after 646F6E65000000000000000000000000 and include them in the carved file, then append .{60,60} to your footer signature.
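A worked carver that does what the two posts describe, as an added example that is not part of either post and is not X-Ways or EnCase code. It uses the 8-byte EVF file signature 45 56 46 09 0D 0A FF 00 (the value quoted in the first post has one hex digit too many), the two 16-byte footer strings from the first post, and a 60-byte tail after them as in the reply: 16 + 60 = 76 bytes is the size of an EWF section descriptor, which is also what "75 bytes beyond the first byte of the footer string" comes to, so both posts are describing the same 76-byte structure. The descriptor layout (type[16], next offset[8], size[8], padding[40], Adler-32[4]), the 13-byte file header layout with the little-endian segment number at offset 9, and the fact that the next/done descriptor's next-offset field points at the descriptor itself are taken from the public EWF format description, not from the thread. The sample "free space" is constructed inside the block and includes a decoy "next" string in image data, which the bare GREP footer would accept but the descriptor checks reject.

```python
import re
import struct
import zlib
from collections import namedtuple

# Signatures from the thread: the 8-byte EVF file header and the 16-byte
# "next"/"done" section type strings that close a segment.
EVF_SIGNATURE = b"EVF\x09\x0d\x0a\xff\x00"
FOOTER_NEXT = b"next" + b"\x00" * 12
FOOTER_DONE = b"done" + b"\x00" * 12

# Bytes carved after the 16-byte type string (the reply's .{60,60}).  16 + 60 = 76,
# the EWF section descriptor: type[16] next_offset[8] size[8] padding[40] adler32[4].
FOOTER_TAIL = 60
DESCRIPTOR_LEN = 16 + FOOTER_TAIL
HEADER_LEN = 13  # signature[8] fields_start[1]=0x01 segment_number[2] LE fields_end[2]=0

# Regex equivalent of the GREP footer "(next|done)\x00{12}.{60,60}".  Wrapped in a
# lookahead so a false "next" hit inside image data cannot consume the real footer
# that may begin within its own 60-byte tail.
FOOTER_RE = re.compile(rb"(?=(?:next|done)\x00{12}.{%d})" % FOOTER_TAIL, re.DOTALL)

Segment = namedtuple("Segment", "offset number last data")


def footer_is_valid(data, seg_start, fpos):
    """Check that the descriptor candidate at fpos really closes the segment at seg_start."""
    next_off, = struct.unpack_from("<Q", data, fpos + 16)
    stored_sum, = struct.unpack_from("<I", data, fpos + 72)
    # A next/done descriptor points at itself (offset relative to the segment start)
    # and ends with an Adler-32 over its first 72 bytes.
    return next_off == fpos - seg_start and stored_sum == zlib.adler32(data[fpos:fpos + 72])


def carve_segments(data):
    """Carve every contiguous EVF segment (header through 76-byte footer) out of data."""
    found = []
    pos = 0
    while True:
        start = data.find(EVF_SIGNATURE, pos)
        if start < 0 or start + HEADER_LEN > len(data):
            break
        number, = struct.unpack_from("<H", data, start + 9)
        # A segment cannot extend past the next file header: bound the footer search there.
        limit = data.find(EVF_SIGNATURE, start + HEADER_LEN)
        if limit < 0:
            limit = len(data)
        end = None
        for m in FOOTER_RE.finditer(data, start + HEADER_LEN, limit):
            fpos = m.start()
            if footer_is_valid(data, start, fpos):
                end = fpos + DESCRIPTOR_LEN
                last = data[fpos:fpos + 4] == b"done"
                break
        if end is None:
            pos = start + HEADER_LEN  # no valid footer before the next header: truncated
            continue
        found.append(Segment(start, number, last, data[start:end]))
        pos = end
    return found


def build_segment(number, body, last):
    """Construct a minimal EVF-shaped segment for the sample image (constructed data,
    not a real EnCase file: only the header, footer descriptor and checksum are real)."""
    header = EVF_SIGNATURE + b"\x01" + struct.pack("<H", number) + b"\x00\x00"
    footer_off = len(header) + len(body)
    desc = (FOOTER_DONE if last else FOOTER_NEXT) + struct.pack("<QQ", footer_off, 0) + b"\x00" * 40
    return header + body + desc + struct.pack("<I", zlib.adler32(desc))


# Constructed free-space sample: slack, segment 1 (whose data contains a decoy
# "next" string), more slack, the final "done" segment, trailing slack.
DECOY = FOOTER_NEXT + b"A" * FOOTER_TAIL  # matches the GREP footer, fails the descriptor checks
SEGMENT_1 = build_segment(1, b"\x11" * 64 + DECOY + b"\x22" * 64, last=False)
SEGMENT_2 = build_segment(2, b"\x33" * 128, last=True)
TEST_IMAGE = b"\xff" * 37 + SEGMENT_1 + b"\x00" * 51 + SEGMENT_2 + b"\xee" * 19

if __name__ == "__main__":
    for s in carve_segments(TEST_IMAGE):
        print("segment %d at offset %d, %d bytes, ends with %s"
              % (s.number, s.offset, len(s.data), "done" if s.last else "next"))
```

Carving from a real drive is the same loop over a memory-mapped device or chunked reads; the footer search bound (`limit`) is what keeps a segment with a destroyed footer from swallowing everything up to the next valid one, and the self-pointer plus Adler-32 check is the cheap way to tell a genuine descriptor from the word "next" followed by zeros somewhere in image data.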