Attention
Zercurity has been acquired by JumpCloud.
This documentation will no longer be maintained or updated. You can read more about the acquisition, or sign up to JumpCloud today.
carves
Forensic Carves.
Platform support
Some queries can only be run against certain platforms. The platforms that support this table are listed below. Zercurity automatically pauses a query if errors are detected. Running a query against an unsupported platform results in the following error: no such table: carves
- Windows
- Linux
- Mac OSX
- FreeBSD
Table schema
Name | Type | Description |
---|---|---|
time | BIGINT | Time at which the carve was kicked off |
sha256 | TEXT | A SHA256 sum of the carved archive |
size | INTEGER | Size of the carved archive |
path | TEXT | The path of the requested carve |
status | TEXT | Status of the carve, can be STARTING, PENDING, SUCCESS, or FAILED |
carve_guid | TEXT | Identifying value of the carve session |
carve | INTEGER | Set this value to ‘1’ to start a file carve |
Query examples
select * from carves where status like '%FAIL%'
select * from carves where path like '/Users/%/Downloads/%' and carve=1
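The following is an added example, not part of the original Zercurity documentation. It shows how the status, time, size and sha256 columns can be used to triage carve sessions and to check a retrieved archive against what the table recorded. The in-memory SQLite table, the sample rows, the function names and the one-hour staleness threshold are all assumptions made for illustration, and it assumes the retrieved archive is byte-identical to the one that was hashed.

```python
import hashlib
import sqlite3

# Constructed stand-in for the carves table, using the column names and types
# from the schema above. On a real host the table is provided by the agent.
SCHEMA = """CREATE TABLE carves (time BIGINT, sha256 TEXT, size INTEGER,
    path TEXT, status TEXT, carve_guid TEXT, carve INTEGER)"""

ARCHIVE = b"constructed carve archive bytes"  # sample data, not a real carve


def sample_db(now):
    """Build an in-memory table holding three constructed carve sessions."""
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute(SCHEMA)
    good = hashlib.sha256(ARCHIVE).hexdigest()
    rows = [
        (now - 60, good, len(ARCHIVE), "/Users/alice/Downloads/a.dmg", "SUCCESS", "guid-1", 1),
        (now - 7200, "", 0, "/Users/bob/Downloads/b.pkg", "PENDING", "guid-2", 1),
        (now - 30, "", 0, "/Users/bob/Downloads/c.zip", "FAILED", "guid-3", 1),
    ]
    db.executemany("INSERT INTO carves VALUES (?,?,?,?,?,?,?)", rows)
    return db


def needs_attention(db, now, max_age=3600):
    """Carves that failed, or are still STARTING/PENDING after max_age seconds."""
    query = """SELECT carve_guid FROM carves
               WHERE status = 'FAILED'
                  OR (status IN ('STARTING', 'PENDING') AND ? - time > ?)
               ORDER BY time"""
    return [row["carve_guid"] for row in db.execute(query, (now, max_age))]


def verify_archive(db, carve_guid, data):
    """Compare retrieved archive bytes with the size and sha256 the table recorded."""
    row = db.execute(
        "SELECT status, size, sha256 FROM carves WHERE carve_guid = ?",
        (carve_guid,),
    ).fetchone()
    if row is None or row["status"] != "SUCCESS":
        return False  # unknown session, or nothing complete to compare against
    return row["size"] == len(data) and row["sha256"] == hashlib.sha256(data).hexdigest()
```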