Week 5 - Anti-Forensics Technique-2

Lab 4 - Data Carving: Recovering an image from a Docx file

Scenario

You are given a corrupted Word document (File_carving.docx). The file cannot be opened normally.

Your task is to manually carve an embedded JPEG image from the file using: - A hex editor

• Command-line tools
• Automated carving tools

Problem Context

The file is corrupted (accidentally or intentionally). We suspect it contains an embedded image that must be extracted manually.

Key Question

How can we recover data from a file that cannot be opened normally?

JPEG Header and Trailer

• Header (Start of Image): FFD8FFE9
• Trailer (End of Image): FFD9

Task

Identify: - The offset address of the JPEG header - The offset address of the JPEG trailer

Step 1: Create Working Directory

mkdir carvingLab
cd carvingLab

Step 2: Download the File and place in the folder

• You can can either downlaod from here
• Or find it on Moodle

Step 3: Verify File

ls -l
md5sum File_carving.docx

Step2: Install Hex Editor (if needed)

apt-get install bless

Open File

bless File_carving.docx

Step3: Locate JPEG Header

Search for:

FFD8FFE9

Header found at:

0x0F5E

Carving must begin at the start of this offset.

Step4: Locate JPEG Trailer

Search for:

FFD9

Trailer found at:

0x15B93

Carving must end after this trailer.

Step5: Convert Offsets to Decimal

Step6: Select Hex Range (Bless) and Copy

1. Click Edit

2. Select Select Range

3. Enter:

   Start: 3934 End: 88979

Step7: Paste and Save

1. Open a new blank file in Bless
2. Paste the copied data
3. Save as:

CarvedImage.jpg

Step8: Verify the Carved Image

ls -l
display CarvedImage.jpg

Alternative Method: Using xxd

You may need to install xxd tool

xxd -p File_carving.docx | tr -d 'n' | grep -o 'ffd8ffe9.*ffd9' | xxd -r -p > CarvedCat.jpg

Verify:

file CarvedCat.jpg
display CarvedCat.jpg

Reflection Questions

1. Why is file carving necessary in digital forensics?
2. What happens if the header or trailer offset is incorrect?
3. Why does a Word file contain embedded headers?
4. When would automated carving tools fail?
5. How does file fragmentation affect carving?

Credit to: Xu, W., Deng, L. and Xu, D., 2022, June. Towards Designing Shared Digital Forensics Instructional Materials. In 2022 IEEE 46th Annual Computers, Software, and Applications Conference (COMPSAC) (pp. 117-122). IEEE.