autopsy-flatpak/docs/doxygen-user/photorec_carver.dox

/*! \page photorec_carver_page PhotoRec Carver Module

What Does It Do
========

The PhotoRec Carver module carves files from unallocated space in the data source and sends the files found through the ingest processing chain.

This can help a reviewer discover more information about files that used to be on the device and were subsequently deleted. These are simply extra files that were found in "empty" portions of the device storage.


Configuration
=======

There is nothing to configure for this module.


Using the Module
======
Select the checkbox in the Ingest Modules settings screen to enable the PhotoRec Carver. Ensure that "Process Unallocated Space" is selected.

Ingest Settings
------
The run-time setting for this module allows you to choose whether to keep corrupted files.

\image html photo_rec_settings.PNG

Also note that the "Run ingest modules on" selection needs to include unallocated space for this module to run.

Seeing Results
------
The results of carving show up on the tree under the appropriate data source with the heading "$CarvedFiles".

\image html photorec_output.PNG

Applicable types also show up in the "Views", "File Types" portion of the the tree, depending upon the file type.

Custom File Signatures
======
To add custom file signatures, create a file (if it does not exist) photorec.sig in the user home directory (for example - /home/john/photorec.sig, or C:\\Users\john\photorec.sig). The photorec.sig file should contain one expression per line.
For example, to detect a file foo.bar which has header signature - 0x4141414141414141, add an expression

	bar 0 0x4141414141414141
in photorec.sig where *bar* is the file extension, *0* is the signature offset, and *0x4141414141414141* is the signature.
Add another expression on a new line to detect another custom file based on its signature.
*/