Share and earn Cybytes
Facebook Twitter LinkedIn Email

File carving is a technique that’s been around a while and traditionally has uses in data recovery and forensics. The origin traces back to the idea that nothing deleted on a computer is truly gone, until or unless that memory has been written over or wiped.

Conventional definitions of file carving often refer to this as memory reallocation. What this means is even if you delete a file on your computer, file carving can be used to reconstruct that file, until that memory is reallocated to saving other data.

Technopedia puts it this way:

“Part of the success of file carving relies on the idea that files that are deleted from a computer or device are not really completely lost until their memory locations are deleted during a device wipe or other fundamental sweeping away of residual data. In many cases, file carving can be part of data forensics, where law-enforcement professionals or other specialized experts can reconstruct files, even after something like a disk formatting, or when the user has effectively deleted the files from a drive. Since many of the fragments of the file may still rest in unallocated memory, they can theoretically be reconstructed.”

File Carving in Network Security

What does file carving mean to network security?

Modern standalone intrusion detection systems (IDS) “carve” files in essentially the same way. The difference is that the IDS sensor monitors the connection between the client and server and uses the data from the higher-level file transfer protocol (like HTTP or FTP) to reconstruct the file.

It’s important to note that IDS isn’t blocking the traffic as an intrusion prevention system (IPS) might. Instead, the detection mode allows those files to continue to the receiver and forwards the reconstructed file to an appropriate engine for analysis.

If the carved files contain characteristics of malware, the file will be “convicted” as malware triggering security alerts in order to mitigate the threat. Since the malware conviction engine is embedded in the IDS sensor, the entire process happens in fractions of a second. Typically, this is referred to as network speed or “line speed.”

This speed is important to the business, as there is always a balance between detection efficacy and performance.  Not only do incident responders want as much notice as possible regarding potentially hazardous payloads entering the environment, but only detection techniques that can occur in milliseconds can be considered for real-time blocking.

To read the entire blog, please click here.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Bricata
Bricata is a cybersecurity solutions provider that combines a powerful network threat hunting platform into a comprehensive threat detection and prevention solution to help determine the true scope and severity threats. Bricata simplifies network threat hunting by identifying hidden threats using specifically designed hunting workflows that use detailed metadata provided clearly and eases your transition from the known to unknown malicious activities in conjunction with an advanced threat detection and prevention platform which detects zero-day malware conviction.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?