File Carving in a FAT 32 File system
Data Carving in a FAT 32 file system
For this bit of work, the following source was used:
So, we have been presented with a file which appears to contain an unallocated JPEG image. We open the file in a hex editor and see what just looks like random hex and text.
However, we know image files have headers and by searching for the header, we can find the start of the file. The header we are searching for is FFD8FFE0.
Notice how this corresponds with the text JFIF, which is a known header for images?
Now we just need to look for the end of the file.
The end of the file marker is FFD9, so we search for this:
So we highlight from the start to the finish:
And then we paste it into a hex editor. Once that is done, we save it as a new file. Opening the file shows us…
But what about fragmented files?
We tried an image, but we found the following: 
Clearly, we are missing part of the image.
But we highlighted from start to finish? This doesn’t matter, as it’s fragmented.
So, searching for different file extensions, we see:
There is part of an xml file in this file. This shouldn’t be in the JPEG data.
So we go back to our header, which coincidentally is at 0x2000
This is 8192 bytes
Or…
16 sectors of 512 bytes (FAT uses 512 byte sectors).
Moving to 0x4000, we find some data:
But we did not find any at 3 or 5k
This suggests the cluster sizes are 1k each, as 2-3 contains data, but 3-4 doesn’t
So, in theory, we copy from 2-3k, which is the first section of our data
Then from 4k until the marker for the end of file
We can see the marker at 4420, meaning the hex below is not relevant to our jpeg.
Now, we merge these together in a hex editor
We should see…
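The same two carves done in a script instead of by hand, as an added example that is not part of the original post: a plain header-to-footer carve, and a cluster-by-cluster carve that drops the cluster judged to belong to another file. The sample image is constructed, and its 0x1000-byte cluster size and the function names are assumptions of this example.

```python
from typing import Optional, Set

SOI_JFIF = bytes.fromhex("FFD8FFE0")  # JPEG/JFIF header searched for above
EOI = bytes.fromhex("FFD9")           # JPEG end-of-image marker

def carve_contiguous(image: bytes) -> Optional[bytes]:
    """Header-to-footer carve: correct only if the file is not fragmented."""
    start = image.find(SOI_JFIF)
    end = image.find(EOI, start + len(SOI_JFIF)) if start >= 0 else -1
    return image[start:end + len(EOI)] if end >= 0 else None

def carve_fragmented(image: bytes, cluster_size: int,
                     foreign: Set[int]) -> Optional[bytes]:
    """Walk clusters from the header, skip clusters judged foreign, stop at EOI."""
    start = image.find(SOI_JFIF)
    if start < 0 or start % cluster_size:
        return None  # assumption: the file begins on a cluster boundary
    out = bytearray()
    last = (len(image) + cluster_size - 1) // cluster_size
    for cluster in range(start // cluster_size, last):
        if cluster in foreign:
            continue
        seen = len(out)
        out += image[cluster * cluster_size:(cluster + 1) * cluster_size]
        # Re-scan from one byte back so a marker split across clusters is found.
        end = out.find(EOI, max(seen - 1, len(SOI_JFIF)))
        if end >= 0:
            return bytes(out[:end + len(EOI)])
    return None  # no end marker: more fragments are missing

def build_sample(cluster_size: int = 0x1000) -> bytes:
    """Constructed image: JPEG part 1 at 0x2000, XML at 0x3000, part 2 at 0x4000."""
    part1 = (SOI_JFIF + b"\x00\x10JFIF\x00").ljust(cluster_size, b"\x11")
    xml = b"<?xml version='1.0'?><doc/>".ljust(cluster_size, b"\x00")
    part2 = (b"\x22" * 0x420 + EOI).ljust(cluster_size, b"\x00")
    return b"\x00" * (2 * cluster_size) + part1 + xml + part2

if __name__ == "__main__":
    img = build_sample()
    naive = carve_contiguous(img)
    fixed = carve_fragmented(img, 0x1000, foreign={3})
    print(len(naive), b"<?xml" in naive)  # XML cluster sits inside the naive carve
    print(len(fixed), b"<?xml" in fixed)  # reassembled JPEG without it
```

Which clusters count as foreign is still the examiner's call, made as above by spotting data such as the XML fragment; the function only does the reassembly.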