Merge pull request #99 from casework/reconstructed_file_validation_fix
Reconstructed file validation fix
Showing 6 changed files with 1,168 additions and 878 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,15 +1,31 @@ | ||
# Reconstructed File Example | ||
|
||
This example shows how we can use the mechanisms described by [*file*](../file/) and | ||
[*multipart_file*](../multipart_file/) to define how a file was reconstructed by | ||
[*multipart_file*](../multipart_file/) to define how a file was reconstructed and/or repaired by | ||
data carving software. | ||
|
||
The `investigativeaction1` objects in both the `reconstructed_file` and `repaired_file` examples | ||
describe how the carving tool was run in order to create the provenance records that describe the | ||
resulting objects created by the tool. The `investigativeaction2` objects describe how the carving | ||
tool combines the carved content to produce the recovered/repaired file. | ||
|
||
The provenance record `provenance_record-a04bc3f3-3b3a-4098-b2bc-e636ba1bde75` object points | ||
to the reconstructed file itself (`reconstructed_file-de78a25a-542f-436a-b8d2-ffc90bd30cdf`) and | ||
the relationships that connect the data fragments to the created file. | ||
In both examples, the `provenancerecord1` objects point to the reconstructed/repaired file itself | ||
and the relationships that connect the data fragments to the created file. | ||
|
||
The provenance record `provenance_record-0482e464-4a81-4810-ba35-e61cfd8b7044` object points to the two carved fragments; `data_piece-07e7e719-3904-4787-96ab-eb21a4b84074` and `data_piece-06a91826-f209-4b11-abad-461d09ab3898` respectively, along with the relationships `relationship-30c49e48-8136-4a93-aba9-b2106ec2132f` and `relationship-8e6f02f2-7ec3-4999-a74c-eb9a9e309231` which describe where the data pieces where extracted from within the `android_image-e35985c1-06d6-4ace-8e05-491d7ebefbdb`. | ||
The `provenancerecord2` objects points to the carved fragments along with the relationships that describe where | ||
data pieces where extracted from within the [NIST File Carving image files](https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt/cftt-technical-0). | ||
|
||
The provenance record `provenance_record-9dc4b979-5d56-4d47-a4da-541039a1a200` object points to the JPG file header (`data_piece-d3d3dbdd-c294-414b-a3fb-70b95a16a5f0`) that was added by the carving tool in order to reconstruct a working file. | ||
In the `repaired_file` example, the `provenancerecord3` object points to the JPG file header (`data_piece0`) that was added | ||
by the carving tool in order to repair and render visible the carved fragment. | ||
|
||
### Reconstructed File | ||
|
||
The reconstructed file can be extracted using dd as follows: | ||
|
||
``` | ||
% dd if=graphic-disorder_1305121235.dd bs=512 skip=194527 count=635 > reconstructed_file.jpg | ||
% dd if=graphic-disorder_1305121235.dd bs=512 skip=197069 count=635 >> reconstructed_file.jpg | ||
% dd if=graphic-disorder_1305121235.dd bs=1 skip=99923456 count=975001 >> reconstructed_file.jpg | ||
% shasum -a 256 reconstructed_file | ||
ee8b9c17c44e128e9e95d60fe219e95feae53c463b01016a312f8c5b732f21de reconstructed_file.jpg | ||
``` |
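Review bot: the verification step in the new `dd` block hashes the wrong filename. All three `dd` commands write to `reconstructed_file.jpg` and the digest line beneath names `reconstructed_file.jpg`, but the command shown is `shasum -a 256 reconstructed_file`, so a reader who copies the block will not reproduce the digest as printed. Suggest changing it to `shasum -a 256 reconstructed_file.jpg`. Two wording fixes in the added prose of the same hunk: "The `provenancerecord2` objects points" should read "point", and "data pieces where extracted" should read "were extracted". It would also help to say in the README which object in the example carries the SHA-256 value, so the `dd` output can be checked against the example data rather than only against this listing.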