carves
Forensic Carves.
Platform support
Please be aware that some queries can only be run against certain platforms. The platforms that support this table are listed below. Zercurity will automatically pause queries if errors are detected. Running a query against an unsupported platform will result in the following error: no such table: carves
- Windows
- Linux
- Mac OSX
- FreeBSD
Table schema
Name | Type | Description |
---|---|---|
time | BIGINT | Time at which the carve was kicked off |
sha256 | TEXT | A SHA256 sum of the carved archive |
size | INTEGER | Size of the carved archive |
path | TEXT | The path of the requested carve |
status | TEXT | Status of the carve, can be STARTING, PENDING, SUCCESS, or FAILED |
carve_guid | TEXT | Identifying value of the carve session |
carve | INTEGER | Set this value to ‘1’ to start a file carve |
Query examples
select * from carves where status like '%FAIL%'
select * from carves where path like '/Users/%/Downloads/%' and carve=1
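The sha256, size and status columns make it possible to confirm that a retrieved archive is the one the carve produced. The following is an added example, not code from Zercurity or osquery: `verify_carve` is a hypothetical helper, it assumes a `carves` row exported as a dictionary of string values and an archive already retrieved by some other means, and the sample data is constructed.

```python
import hashlib
import io

# Status values listed in the table schema above.
KNOWN_STATUSES = {"STARTING", "PENDING", "SUCCESS", "FAILED"}

def verify_carve(row, archive, chunk_size=65536):
    """Compare a retrieved archive (binary file object) with its carves row.

    Returns a list of problems; an empty list means the archive matches.
    """
    problems = []
    status = row.get("status")
    if status not in KNOWN_STATUSES:
        problems.append(f"unexpected status: {status!r}")
    elif status != "SUCCESS":
        problems.append(f"carve not finished: status is {status}")

    # Hash in chunks so large archives are not loaded into memory at once.
    digest, size = hashlib.sha256(), 0
    for chunk in iter(lambda: archive.read(chunk_size), b""):
        digest.update(chunk)
        size += len(chunk)

    try:
        expected_size = int(row.get("size"))
    except (TypeError, ValueError):
        problems.append(f"size column is not an integer: {row.get('size')!r}")
    else:
        if expected_size != size:
            problems.append(f"size mismatch: row says {expected_size}, archive is {size}")

    if str(row.get("sha256", "")).strip().lower() != digest.hexdigest():
        problems.append("sha256 mismatch")
    return problems

# Constructed sample data (not real carve output).
SAMPLE_ARCHIVE = b"constructed stand-in for a carved archive"
SAMPLE_ROW = {
    "time": "1700000000",
    "sha256": hashlib.sha256(SAMPLE_ARCHIVE).hexdigest(),
    "size": str(len(SAMPLE_ARCHIVE)),
    "path": "/Users/example/Downloads/sample.bin",
    "status": "SUCCESS",
    "carve_guid": "00000000-0000-0000-0000-000000000000",
    "carve": "1",
}

if __name__ == "__main__":
    print(verify_carve(SAMPLE_ROW, io.BytesIO(SAMPLE_ARCHIVE)))         # matching archive
    print(verify_carve(SAMPLE_ROW, io.BytesIO(SAMPLE_ARCHIVE + b"x")))  # altered archive
```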