From the course: CompTIA CySA+ (CS0-002) Cert Prep: 6 Incident Response
File carving
- [Instructor] As a security professional, you probably already know that deleting a file using operating system commands doesn't truly remove that file's data from your disk. It simply deletes the reference to the file, leaving the data in unallocated space. File carving techniques allow you to comb through the unallocated space of a disk image and recover files and other interesting data that might be present. File carving is a very useful forensic technique because it can pick up information that was stored on disk temporarily during a security incident. Let's take a look at a tool called Bulk Extractor. Bulk Extractor is a file-carving utility that is widely used among the security community. It can read disk images and capture interesting information for later analysis. I'm going to run Bulk Extractor with some arguments. First, I'm going to use the -o option to select an output directory. I'll call my output directory…
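The idea described in the transcript above (scanning raw, unallocated bytes for recoverable files), shown as an added example that is not part of the course or of Bulk Extractor: a minimal header/footer carver in Python. The signature table, the function names and the sample buffer are assumptions constructed for illustration.

```python
# Added example: header/footer carving over a raw byte buffer.
# The signatures are the standard JPEG and PNG magic values; the sample
# "image" below is constructed, not taken from a real disk.

SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 10 * 1024 * 1024  # stop searching for a footer after 10 MiB


def carve(data, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Return (kind, offset, bytes) for every header/footer pair found."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = data.find(header)
        while pos != -1:
            end = data.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # Header with no footer in range: the tail was overwritten
                # or truncated, so skip it and keep scanning.
                pos = data.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((kind, pos, data[pos:end]))
            pos = data.find(header, end)
    return sorted(found, key=lambda item: item[1])


def build_sample_image():
    """Constructed stand-in for unallocated space holding two 'deleted' files."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"constructed-chunks" + b"IEND\xaeB`\x82"
    orphan = b"\xff\xd8\xff\xe0" + b"overwritten tail"  # header only, no footer
    image = b"\x00" * 512 + jpg + b"\x00" * 100 + png + b"\x00" * 64 + orphan
    return image, jpg, png


if __name__ == "__main__":
    image, _, _ = build_sample_image()
    for kind, offset, blob in carve(image):
        print(f"{kind} at offset {offset}, {len(blob)} bytes")
```

A carver of this kind does not consult file system metadata at all, which is why it still finds data whose directory entry is gone; it also cannot reassemble fragmented files.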