Skip to content
Log in

Artefact carving

Definition

Extracting embedded content from raw data by locating known file signatures (magic bytes) at byte boundaries. In PCAP analysis, this means reassembling the application payload of a session and extracting any complete files whose headers and trailers appear in the stream.

Related terms

Beaconing
Periodic outbound connections from a compromised host to a command-and-control server, typically at regular intervals. The regularity of the interval, measured in...
Display filter
A Wireshark filter expression applied to an already-captured PCAP file to show only packets matching specified criteria. Display filters do not delete...
PCAP
Packet capture file. The standard format for storing captured network frames, originally defined by the libpcap library. Each record contains the raw...
Protocol dissector
A software component in a packet analyser that recognises a specific protocol and parses its header fields into named, readable values. Wireshark...
Stream reassembly
The process of collecting all the TCP segments belonging to a single connection and reordering them by sequence number to reconstruct the...

Explained in

  • Traffic Analysis and Protocol DissectionExtracting embedded content from raw data by locating known file signatures (magic bytes) at byte boundaries. In PCAP analysis, this means reassembling the app...

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.

Continue learningCreate Your Account