SANS Digital Forensics and Incident Response Blog

PTK's new data carving feature

This new feature, available in the Appliance version, will be automatically integrated with the many features PTK already offers. From this section, an investigator can run the data carving process on any imported image and analyze the results inside the file analysis section. To implement data carving, PTK uses a technique called 'zero storage': the carving process runs without allocating physical space on disk, saving instead, for every recognized file, a reference to its location in the image (start sector and offset). The investigator therefore does not have to worry about free space on the hard disk and can choose to export, at the end of the process, only the files of greatest interest.

To make the process faster, header and footer signatures for the most common file types (for example jpg, gif, doc, pdf, etc.) are provided, grouped by category to help the user choose.

If an investigator needs to identify particular file types, a form is provided in which new file types can be defined.