Follow

Question: What is the significance of the numbers in a carved file's name?

Created by: Shawn Jenkins
Created date:
Last Updated date:

Answer:
A carved file, by definition, is a file that is not recorded in the file system records but can
found within another data stream.  Carved files do not have names or metadata, so FTK assigns its own names.

FTK 2 and later:

FTK 2 and later assign names like "Carved[xxxxx].jpg".
The number within the brackets is the byte decimal offset count from the first byte of the parent file from which the file was carved.

Examples:
File name: Carved[12345].jpg
Path: Mantooth2.E01/Partition 1/MANTOOTH [NTFS]/[unallocated space]/006350>>Carved[12345].jpg
Interpretation: The carved file was found beginning at decimal byte offset 12345 within the unallocated chunk "006350".

File name: Carved[789].bmp
Path: Mantooth2.E01/Partition 1/MANTOOTH [NTFS]/[root]/Documents/MyFile.doc>>Carved[789].bmp
Interpretation: The carved file was found beginning at decimal byte offset 789 within "MyFile.doc".

FTK 1:

FTK 1 assigns names like "AAA_xxxxx[yyyyy].bmp".
AAA is the file type/extension.  xxxxx is the byte decimal offset count from the first byte of the parent file from which the file was carved. yyyyy is the parent file's item number.

Example:
File name: JPEG_12345[543].jpg
Path: Mantooth2\Part_1\MANTOOTH-NTFS\pagefile.sys>>JPEG_12345[543].jpg
Interpretation: The carved JPEG was found beginning at decimal byte offset 12345 within pagefile.sys (which is item #543).
Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments

Powered by Zendesk