Forensic Carves.

Platform support

Some queries can only be run against certain platforms. The platforms that support this query are listed below. Zercurity will automatically pause queries from running if errors are detected. Running a query against an unsupported platform will result in the following error: no such table: carves

  • Windows
  • Linux
  • Mac OSX
  • FreeBSD

Table schema

Name         Type      Description
time         BIGINT    Time at which the carve was kicked off
sha256       TEXT      A SHA256 sum of the carved archive
size         INTEGER   Size of the carved archive
path         TEXT      The path of the requested carve
status       TEXT      Status of the carve, can be STARTING, PENDING, SUCCESS, or FAILED
carve_guid   TEXT      Identifying value of the carve session
carve        INTEGER   Set this value to ‘1’ to start a file carve

Query examples

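-- List carve sessions whose status contains FAIL (i.e. FAILED carves)
select * from carves where status like '%FAIL%';
-- Start a file carve (carve=1) for paths matching each user's Downloads directory
select * from carves where path like '/Users/%/Downloads/%' and carve=1;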
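
The sha256 and size columns in the schema above allow a retrieved carve archive to be checked against what the endpoint reported before it is used as evidence. The following is an added example, not Zercurity or osquery code. It assumes the archive has already been saved to local disk, that a carves row is available as a dict, and that size is in bytes; the function names are hypothetical.

```python
import hashlib
import os

CHUNK = 1024 * 1024  # read in 1 MiB pieces so large carves are never loaded whole


def sha256_file(path):
    """Return the lowercase hex SHA-256 of the file at path."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_carve(row, archive_path):
    """Compare a retrieved archive with its carves row; return a list of problems.

    row is one result row from the carves table as a dict (assumed export format).
    An empty list means the archive matches what the endpoint reported.
    """
    status = row.get("status")
    if status != "SUCCESS":
        # Nothing to compare until the carve has finished successfully.
        return ["carve status is %s, not SUCCESS" % status]
    problems = []
    actual_size = os.path.getsize(archive_path)
    if actual_size != int(row["size"]):  # assumption: size column is in bytes
        problems.append("size mismatch: row %s, file %d" % (row["size"], actual_size))
    actual_hash = sha256_file(archive_path)
    if actual_hash != row["sha256"].strip().lower():
        problems.append("sha256 mismatch: row %s, file %s" % (row["sha256"], actual_hash))
    return problems


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a stand-in archive and a row that matches it.
    data = b"constructed carve archive bytes"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
    row = {"status": "SUCCESS", "size": str(len(data)),
           "sha256": hashlib.sha256(data).hexdigest(),
           "path": "/Users/%/Downloads/%", "carve_guid": "constructed-guid"}
    print(verify_carve(row, tmp.name) or "archive matches carves row")
    os.remove(tmp.name)
```

Recording the carve_guid alongside the verification result ties the check to a specific carve session.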