|
1 | 1 | # Reconstructed File Example |
2 | 2 |
|
3 | 3 | This example shows how we can use the mechanisms described by [*file*](../file/) and |
4 | | -[*multipart_file*](../multipart_file/) to define how a file was reconstructed by |
| 4 | +[*multipart_file*](../multipart_file/) to define how a file was reconstructed and/or repaired by |
5 | 5 | data carving software. |
6 | 6 |
|
| 7 | +The `investigativeaction1` objects in both the `reconstructed_file` and `repaired_file` examples |
| 8 | +describe how the carving tool was run in order to create the provenance records that describe the |
| 9 | +resulting objects created by the tool. The `investigativeaction2` objects describe how the carving |
| 10 | +tool combines the carved content to produce the recovered/repaired file. |
7 | 11 |
|
8 | | -The provenance record `provenance_record-a04bc3f3-3b3a-4098-b2bc-e636ba1bde75` object points |
9 | | -to the reconstructed file itself (`reconstructed_file-de78a25a-542f-436a-b8d2-ffc90bd30cdf`) and |
10 | | -the relationships that connect the data fragments to the created file. |
| 12 | +In both examples, the `provenancerecord1` objects point to the reconstructed/repaired file itself |
| 13 | +and the relationships that connect the data fragments to the created file. |
11 | 14 |
|
12 | | -The provenance record `provenance_record-0482e464-4a81-4810-ba35-e61cfd8b7044` object points to the two carved fragments; `data_piece-07e7e719-3904-4787-96ab-eb21a4b84074` and `data_piece-06a91826-f209-4b11-abad-461d09ab3898` respectively, along with the relationships `relationship-30c49e48-8136-4a93-aba9-b2106ec2132f` and `relationship-8e6f02f2-7ec3-4999-a74c-eb9a9e309231` which describe where the data pieces where extracted from within the `android_image-e35985c1-06d6-4ace-8e05-491d7ebefbdb`. |
| 15 | +The `provenancerecord2` objects points to the carved fragments along with the relationships that describe where |
| 16 | +data pieces where extracted from within the [NIST File Carving image files](https://www.nist.gov/itl/ssd/software-quality-group/computer-forensics-tool-testing-program-cftt/cftt-technical-0). |
13 | 17 |
|
14 | | -The provenance record `provenance_record-9dc4b979-5d56-4d47-a4da-541039a1a200` object points to the JPG file header (`data_piece-d3d3dbdd-c294-414b-a3fb-70b95a16a5f0`) that was added by the carving tool in order to reconstruct a working file. |
| 18 | +In the `repaired_file` example, the `provenancerecord3` object points to the JPG file header (`data_piece0`) that was added |
| 19 | +by the carving tool in order to repair and render visible the carved fragment. |
15 | 20 |
|
| 21 | +### Reconstructed File |
| 22 | + |
| 23 | +The reconstructed file can be extracted using dd as follows: |
| 24 | + |
| 25 | +``` |
| 26 | +% dd if=graphic-disorder_1305121235.dd bs=512 skip=194527 count=635 > reconstructed_file.jpg |
| 27 | +% dd if=graphic-disorder_1305121235.dd bs=512 skip=197069 count=635 >> reconstructed_file.jpg |
| 28 | +% dd if=graphic-disorder_1305121235.dd bs=1 skip=99923456 count=975001 >> reconstructed_file.jpg |
| 29 | +% shasum -a 256 reconstructed_file |
| 30 | +ee8b9c17c44e128e9e95d60fe219e95feae53c463b01016a312f8c5b732f21de reconstructed_file.jpg |
| 31 | +``` |
0 commit comments