carves

Forensic Carves.

Table schema

Name Type Description
time BIGINT Time at which the carve was kicked off
sha256 TEXT A SHA256 sum of the carved archive
size INTEGER Size of the carved archive
path TEXT The path of the requested carve
status TEXT Status of the carve, can be STARTING, PENDING, SUCCESS, or FAILED
carve_guid TEXT Identifying value of the carve session
carve INTEGER Set this value to ‘1’ to start a file carve

Query examples

select * from carves where status like '%FAIL%'
select * from carves where path like '/Users/%/Downloads/%' and carve=1