Ancillary – File Carving Tool

digital-fingerprint.png

  1. Abstract
  2. Basic manual
  3. Screenshots
  4. List of headers and tails
  5. Bibliography
  6. License
  7. Feedback
  8. Downloads

Note: See the new version of Ancillary.

1. Abstract

Ancillary was born as a personal tool used to solve forensic challenges. Eventually it was improving and I realized that people were asking me for the program. Seeing that it was a useful tool, I decided to share it with the community and finally I decided to publish it.

The program only process uncompressed files. If you suspect that the file is compressed or encrypted first solve this trouble and then process with Ancillary.

2. Basic manual

There are two modes for process files, automatic and manual.

In AUTO mode we only have to load the file to process and select «smart recovery» or «I’m hungry». The smart recovery option loses less time processing the file because it associates the headers and tails automatically. The «I’m hungry» option retrieves all the possible files combining all headers with all tails. This latter mode recovers some trash or unreadable files.

In MANUAL mode, the program retrieves all the headers and tails that found in the file and collets the offsets in two lists that we can combine as we like even deleting and adding offsets.

AUTO mode example

Open or drag and drop the file to process.

auto01

Analize the file.

auto02

Select the type of file to recover.

auto03

Select one option.

auto04

Push «Carving current file» button and wait finalize the process.

auto05

Finally show the recovered files at output folder clicking the indicated button.

auto06

MANUAL mode example

Open or drag and drop the file to process and change to manual mode.

manual01

Select the type of file what you want to recover and push «Carving current file».

manual03

Select the header and the tail and push «View selected offsets resultant file». The resultant file should be opened.

manual04

3. Screenshots

filemenu

optionsmenu

helpmenu

automode

manual mode

manualmode_contextmenu

log_preview

4. List of headers and tails

Ancillary at present works with 15 type of files like JPG, PNG, GIF, BMP, RAR, ZIP, DOCX, RTF, PDF, ODS, ODT, ODB, ODG, ODF and ODP.

  • JPEG
    • Header: FFD8
    • Tail: FFD9
  • GIF87a
    • Header: 47 49 46 38 37 61
    • Tail: 00 3B
  • GIF89a
    • Header: 47 49 46 38 39 61
    • Tail: 00 3B
  • BMP
    • Header: 42 4D
    • Tail: Don’t have
  • PNG
    • Header: 89 50 4E 47 0D 0A 1A 0A
    • Footer: 49 45 4E 44 AE 42 60 82
  • DOCX
    • Header 50 4B 03 04 14 00 06 00
    • Tail: 50 4B 05 06 (PK..) followed by 18 additional bytes at the end of the file.
  • PDF
    • Header: 25 50 44 46 PDF
    • Tails: 0A 25 25 45 4F 46 (.%%EOF) or 0A 25 25 45 4F 46 0A (.%%EOF.) or 0D 0A 25 25 45 4F 46 0D 0A (..%%EOF..) or 0D 25 25 45 4F 46 0D (.%%EOF.)
  • ZIP
    • Header: 50 4B 03 04
    • Tail: 50 4B 05 06 (PK..) followed by 18 additional bytes at the end of the file.
  • RAR
    • Header: 52 61 72 21 1A 07 00
    • Tail: C4 3D 7B 00 40 07 00
  • RTF
    • Header: 7B 5C 72 74 66 31
    • Tail: 5C 70 61 72 20 7D
  • ODS
    • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 73 70 72 65 (spre)
    • Tail: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.
  • ODT
    • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 74 65 78 64 (text)
    • Tail: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.
  • ODB
    • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 62 61 73 65 (base)
    • Tail: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.
  • ODG
    • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 67 72 61 70 (grap)
    • Tail: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.
  • ODF
    • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 66 6F 72 6D (form)
    • Tail: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.
  • ODP
    • Header: 50 4B 03 04 14 (PK..) jump +73 (0x49) bytes and 70 72 65 73 (pres)
    • Tail: 6D 61 6E 69 66 65 73 74 2E 78 6D 6C 50 4B 05 06 (manifest.xmlPK) followed by 18 additional bytes.

5. Bibliography

[1] http://forensicswiki.org

[2] http://www.garykessler.net/library/file_sigs.html

6. License

At the moment the license is FREEWARE but in the future will be FREE SOFTWARE.

ANCILLARY IS PROVIDED «AS IS», WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

7. Feedback

If you have any question, doubt or suggestion, please mail me to deurus at deurus dot info or deurus82 at gmail dot com.

8. Downloads

This tool is FREE of spyware, viruses, adware and others

virustotal

List of file signatures for file carving
File carving is the process of reassembling computer files from fragments in the absence of filesystem metadata. Wikipedia. "File carving", literalmente tallado
Reto forense de HackThis!!
Intro We require your services once again. An employee from our company had recently been identified as a known criminal
Reto forense "Find the cat" de Root-Me.org
Intro President’s cat was kidnapped by separatists. A suspect carrying a USB key has been arrested. Berthier, once again, up