Digital forensics is "the recovery and investigation of material found in digital data storage media such as hard disk drives, solid-state (SSD) drives, USB flash drives, DVDs, and so on".
The results listed here were produced during my stay at the "National Institute of Criminalistics and Criminology" (NICC).
I developed JPGcarve, a state-of-the-art tool to fully automatically recover fragmented JPEG photos from data dumps by the process of data carving. It includes advanced algorithms to quickly find the photo fragments and to puzzle them together. It excels both in recovery quality and execution speed.
I wrote about this technique in the article "JPGcarve: an Advanced Tool for Automated Recovery of Fragmented JPEG Files" which will be published in the journal "IEEE Transactions on Information Forensics and Security".
I developed MFTcarve, a state-of-the-art tool to fully automatically recover files from NTFS formatted (and possibly corrupted) data dumps. It excels in the ability to fully automatically handle corruption in the Master Boot Record (MBR) or GUID Partition Table (GPT), Boot Sector (BS) and the Master File Table (MFT).
I developed KNOWNcarve, a tool to locate fragmented copies of a given file inside a data dump. This tool can be used for elimination of known data to speed up the process of investigating a data dump. It can also be used as a post processing step after having run some other tool that doesn't have the ability to report the exact byte offsets of recovered files inside a data dump. KNOWNcarve can afterwards be run to obtain the exact byte offsets.
I developed DataDumpMap, a file format (file extension .ddmap) to describe the contents of a data dump. It is easily editable and readable. It can be used to describe the location (as byte and/or cluster offsets) of files and annotate files. It can also be used to annotate individual clusters of the data dump.
All tools listed here can output their carving results to the DataDumpMap format. JPGcarve can also use a DataDumpMap as input to skip for example already carved parts of a data dump.