A Combination of Advanced Carver and Intelligent Parser

Teru Yamazaki
Cyber Defense Institute, Inc.

Data recovery based on the carving technique has been widely used, and many tools, including commercial products, have the capability to do it. Basic carving relies on a file header and footer: it extracts the blocks between these two boundaries. As you know, it is difficult to correctly recover deleted files that were fragmented or partially overwritten.
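The failure mode described above, shown on constructed data as an added example (not code from the talk or from any tool it mentions): a minimal header/footer carver finds a contiguous JPEG correctly, but for a fragmented file it blindly spans a foreign cluster that sits between the two fragments, and a file whose header was overwritten is never found at all. The JPEG SOI/EOI markers are the real signatures; all buffers are constructed here.

```python
# Header/footer carving on a constructed buffer, to show where it breaks.
JPEG_HEADER = b"\xff\xd8\xff"   # SOI marker plus the start of the next marker
JPEG_FOOTER = b"\xff\xd9"       # EOI marker


def carve_header_footer(buf, header, footer, max_len=1 << 20):
    """Classic carving: for every header hit, keep the bytes up to the next footer.
    Returns a list of (offset, carved_bytes)."""
    found, pos = [], 0
    while True:
        start = buf.find(header, pos)
        if start < 0:
            break
        end = buf.find(footer, start + len(header))
        if end < 0 or end - start > max_len:   # no footer, or implausibly large file
            pos = start + 1
            continue
        found.append((start, buf[start:end + len(footer)]))
        pos = end + len(footer)
    return found


# --- constructed sample "disk": one contiguous file, one fragmented file ---
FILE_A = JPEG_HEADER + b"A" * 32 + JPEG_FOOTER          # contiguous, recovers cleanly
FILE_B = JPEG_HEADER + b"B" * 32 + JPEG_FOOTER          # what B looked like before deletion
FOREIGN_CLUSTER = b"Z" * 16                             # another file's data between B's fragments
SAMPLE_DISK = (b"\0" * 16 + FILE_A + b"\0" * 16
               + FILE_B[:19] + FOREIGN_CLUSTER + FILE_B[19:] + b"\0" * 16)

# Same disk, but B's header bytes were overwritten: the carver has nothing to anchor on.
DAMAGED_DISK = bytearray(SAMPLE_DISK)
_B_START = SAMPLE_DISK.find(JPEG_HEADER, 16 + len(FILE_A))
DAMAGED_DISK[_B_START:_B_START + len(JPEG_HEADER)] = b"\0" * len(JPEG_HEADER)
DAMAGED_DISK = bytes(DAMAGED_DISK)


def carved_matches(carved, original):
    """Integrity check an examiner would do: does the carved object equal the known file?"""
    return carved == original


if __name__ == "__main__":
    for off, data in carve_header_footer(SAMPLE_DISK, JPEG_HEADER, JPEG_FOOTER):
        print(f"offset {off}: {len(data)} bytes, intact={carved_matches(data, FILE_A) or carved_matches(data, FILE_B)}")
    print("files found on damaged disk:", len(carve_header_footer(DAMAGED_DISK, JPEG_HEADER, JPEG_FOOTER)))
```

The carved copy of B is longer than the original and contains the foreign cluster, which is exactly why a header/footer carver cannot be trusted on fragmented data, and the damaged disk yields only one file.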

To recover more data, this talk introduces scanner plugins for bulk_extractor for advanced carving. These plugins are designed to search for and carve out components of a file, such as a chunk, a record, or a node. Furthermore, bulk_extractor has a great ability to decompress stream data such as ZIP, gzip, RAR, and Xpress streams. Therefore, this approach can be expected to recover more data and is appropriate for advanced carving.

In the second stage, it is necessary to handle a large amount of data properly. A simple parser which converts machine-readable data into human-readable information is not always the better approach for investigators, because, depending on the artifact, it generates too many records. We will also introduce an intelligent USN journal parser as an example. The parser thoroughly checks and aggregates USN records, so it provides valuable information to investigators.
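The two ideas above, record-level carving and aggregation of the carved records, as one added example that is not the talk's parser nor bulk_extractor code. It uses the documented USN_RECORD_V2 layout and USN_REASON_* bits, validates each candidate record structurally before accepting it (so zero fill, slack and a truncated record are rejected), and then collapses the record stream into one summary per file reference number with its rename history and a deleted flag. The journal bytes are constructed here, not taken from a real volume; the validation thresholds (maximum record size, legal name characters) are this example's own choices.

```python
import struct
from datetime import datetime, timedelta, timezone

# Fixed 60-byte part of USN_RECORD_V2 (little-endian), in field order:
# RecordLength, MajorVersion, MinorVersion, FileReferenceNumber, ParentFileReferenceNumber,
# Usn, TimeStamp, Reason, SourceInfo, SecurityId, FileAttributes, FileNameLength, FileNameOffset
USN_V2_HEADER = struct.Struct("<IHHQQqqIIIIHH")
USN_V2_HEADER_LEN = USN_V2_HEADER.size  # 60; the UTF-16LE FileName follows
REASON_FLAGS = {  # subset of the USN_REASON_* bits
    0x00000001: "DATA_OVERWRITE", 0x00000002: "DATA_EXTEND", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME", 0x80000000: "CLOSE"}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def reason_names(reason):
    return [name for bit, name in REASON_FLAGS.items() if reason & bit]


def try_parse_record(buf, off):
    """Parse a USN_RECORD_V2 at `off`; return None when the bytes fail the
    structural checks that let a carver reject slack, zeros and random data."""
    if off + USN_V2_HEADER_LEN > len(buf):
        return None
    (length, major, minor, frn, parent, usn, ts, reason,
     _src, _sid, attrs, name_len, name_off) = USN_V2_HEADER.unpack_from(buf, off)
    if not (USN_V2_HEADER_LEN < length <= 0x1000) or length % 8:   # sane, 8-byte aligned
        return None
    if (major, minor) != (2, 0) or name_off != USN_V2_HEADER_LEN:  # v2.0, name right after header
        return None
    if name_len == 0 or name_len % 2 or name_off + name_len > length:
        return None
    if off + length > len(buf):            # record runs past the buffer end (truncated)
        return None
    try:
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if any(ord(c) < 0x20 or c in '\\/:*?"<>|' for c in name):  # not a legal NTFS name
        return None
    return {"offset": off, "length": length, "frn": frn, "parent": parent, "usn": usn,
            "timestamp": filetime_to_datetime(ts), "reason": reason,
            "attributes": attrs, "name": name}


def carve_usn_records(buf):
    """Record-level carving: step through the buffer 8 bytes at a time, keep every
    run that validates as a USN_RECORD_V2, and jump past each accepted record."""
    records, off = [], 0
    while off + USN_V2_HEADER_LEN <= len(buf):
        rec = try_parse_record(buf, off)
        if rec is None:
            off += 8
        else:
            records.append(rec)
            off += rec["length"]
    return records


def aggregate_by_file(records):
    """One summary per file reference number instead of one line per record:
    name history across renames, union of reasons, USN/time span, deleted flag."""
    summary = {}
    for rec in sorted(records, key=lambda r: r["usn"]):
        s = summary.setdefault(rec["frn"], {
            "names": [], "parent": rec["parent"], "reasons": set(), "record_count": 0,
            "first_usn": rec["usn"], "first_seen": rec["timestamp"]})
        if rec["name"] not in s["names"]:
            s["names"].append(rec["name"])
        s["reasons"].update(reason_names(rec["reason"]))
        s["last_usn"], s["last_seen"] = rec["usn"], rec["timestamp"]
        s["record_count"] += 1
        s["deleted"] = "FILE_DELETE" in s["reasons"]
    return summary


# --- constructed sample journal (not real data): one file created, renamed, deleted; one temp file ---
def build_record(usn, frn, parent, ts, reason, name):
    raw = name.encode("utf-16-le")
    length = (USN_V2_HEADER_LEN + len(raw) + 7) & ~7
    hdr = USN_V2_HEADER.pack(length, 2, 0, frn, parent, usn, ts, reason, 0, 0, 0x20,
                             len(raw), USN_V2_HEADER_LEN)
    return hdr + raw + b"\0" * (length - USN_V2_HEADER_LEN - len(raw))


T0 = 132_000_000_000_000_000                      # constructed FILETIME, falls in 2019
DOC, TMP, DIR = 0x0005000000001234, 0x0002000000005678, 0x0001000000000005
_RECS = [build_record(1000, DOC, DIR, T0, 0x100, "secret.docx"),
         build_record(1088, DOC, DIR, T0 + 10_000_000, 0x102, "secret.docx"),
         build_record(1176, DOC, DIR, T0 + 20_000_000, 0x80000102, "secret.docx"),
         build_record(1264, TMP, DIR, T0 + 30_000_000, 0x80000100, "~tmp.tmp"),
         build_record(1344, TMP, DIR, T0 + 40_000_000, 0x80000200, "~tmp.tmp"),
         build_record(1424, DOC, DIR, T0 + 50_000_000, 0x1000, "secret.docx"),
         build_record(1512, DOC, DIR, T0 + 60_000_000, 0x80002000, "report.docx"),
         build_record(1600, DOC, DIR, T0 + 70_000_000, 0x80000200, "report.docx")]
# Records embedded in zero fill and 0xFF slack, plus a truncated copy at the very end.
SAMPLE_IMAGE = (b"\0" * 64 + b"".join(_RECS[:3]) + b"\xff" * 40 + b"".join(_RECS[3:])
                + b"\0" * 24 + _RECS[7][:40])

if __name__ == "__main__":
    for frn, s in aggregate_by_file(carve_usn_records(SAMPLE_IMAGE)).items():
        print(f"{frn:#018x} {' -> '.join(s['names']):28} records={s['record_count']} "
              f"deleted={s['deleted']} reasons={sorted(s['reasons'])}")
```

Eight records come out of the buffer and collapse to two summary lines; the renamed-then-deleted document is reported once, under both of its names, which is the kind of answer an investigator wants rather than six raw records.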

Teru Yamazaki is a Senior Analyst at Cyber Defense Institute, Inc., located in Japan. He has over 12 years of experience in computer security and currently works as a lead investigator for cyber security incidents. He has also taught several classes in digital forensics for law enforcement and the private sector, and previously he worked as a localized EnCase instructor. His research interests include file systems, OS artifacts and timeline analysis. He holds the GIAC Certified Forensic Analyst (GCFA) and EnCase Certified Examiner (EnCE) certifications.