
Education and Training: File carving application, help

I have never used Java, but data carving is fairly straightforward at a basic level. For carving (of a DD file) you need to seek the image file to a cluster start (you will need to determine cluster size, normally 8 for NTFS, and first sector of a cluster, can be quite varied). The start then needs to be compared with your table (or similar) of file starts. FAT, Unix, HFS+ etc. are all different. My approach in carving is not to look for file ends, but continue to the start of the next file. You need to be as careful as possible that you do not hit false positives. My second stage is to take the extracted file and verify it. This can include making sure that a .DOCX file is called .DOCX and not .ZIP, even though they have the same basic signature and structure. All along in programming, forget decimal, and think in Hex. 99% of the time, it will make more sense. Final part of data carving, very rarely done, is to handle fragmented files. To do this stage you need to know 110% of the file structure!
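The two stages described in the post above, as an added Python example (not code from the poster or the thread): a cluster-aligned signature scan that carves to the next file start, then a verification pass that separates DOCX from plain ZIP and discards signature-only hits. The signature table, the function names and the in-memory test image (data area starting at sector 2, 8 sectors per cluster) are assumptions constructed for the illustration.

```python
import io
import zipfile

SECTOR = 512
# File-start signatures (hex): 50 4B 03 04 = ZIP family, FF D8 FF = JPEG, 25 50 44 46 = PDF
SIGNATURES = {b"PK\x03\x04": "zip", b"\xff\xd8\xff": "jpg", b"%PDF": "pdf"}

def find_starts(image, sectors_per_cluster=8, first_cluster_sector=0):
    """Stage 1: test only the first bytes of each cluster against the table."""
    step = sectors_per_cluster * SECTOR
    return [(off, kind)
            for off in range(first_cluster_sector * SECTOR, len(image), step)
            for magic, kind in SIGNATURES.items()
            if image[off:off + len(magic)] == magic]

def verify(kind, blob):
    """Stage 2: confirm the structure; refine ZIP to DOCX; None = false positive."""
    if kind != "zip":
        return kind  # other types would get their own structural checks here
    try:
        names = zipfile.ZipFile(io.BytesIO(blob)).namelist()
    except zipfile.BadZipFile:
        return None
    is_docx = "[Content_Types].xml" in names and any(n.startswith("word/") for n in names)
    return "docx" if is_docx else "zip"

def carve(image, **geometry):
    """Carve from each file start to the next start (no end-of-file search)."""
    starts = find_starts(image, **geometry)
    ends = [off for off, _ in starts[1:]] + [len(image)]
    return [(hex(off), verify(kind, bytes(image[off:end])))
            for (off, kind), end in zip(starts, ends)]

def make_zip(names):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name in names:
            z.writestr(name, b"<x/>")
    return buf.getvalue()

def sample_image():
    """Constructed test image: data area starts at sector 2, clusters are 0x1000 bytes."""
    img = bytearray(0x5400)
    for off, data in [(0x1000, b"PK\x03\x04"),                      # unaligned: ignored
                      (0x1400, make_zip(["[Content_Types].xml", "word/document.xml"])),
                      (0x2400, make_zip(["notes.txt"])),
                      (0x3400, b"\xff\xd8\xff\xe0" + b"\x11" * 64),
                      (0x4400, b"PK\x03\x04" + b"\xaa" * 64)]:       # signature only
        img[off:off + len(data)] = data
    return bytes(img)

if __name__ == "__main__":
    print(carve(sample_image(), first_cluster_sector=2))
```

Scanning the same image with `first_cluster_sector=0` finds only the stray signature at 0x1000 and misses every real file, which is why the cluster geometry has to be determined before carving.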
