Data Carving

File carving is a process used in computer forensics to extract data from a disk drive or other storage device without the assistance of the file system. It works by examining file headers and footers to reconstruct files from raw bytes. Common file carving techniques are header-footer carving, file structure carving, and content-based carving. Tools used for file carving include Scalpel, Foremost, jpegcarve, and others.

Uploaded by aakash25mahajan

File Carving with a Hex Editor:

File carving can be conducted using only a hex editor; however, there are some tools that can aid examiners.

The following are some free tools for conducting file carving:

1. Foremost (http://foremost.sourceforge.net)
2. Scalpel (https://github.com/sleuthkit/scalpel)
3. Jpegcarver (www.seedstech.net/jpegcarver)
4. List of data recovery (including some file carving) tools from forensics wiki (www.forensicswiki.org/wiki/Tools:Data_Recovery)

Data carving, also known as file carving, is the forensic technique of reassembling files from raw data fragments when no filesystem metadata is available.

It is a common procedure when performing data recovery, after a storage device failure, for instance. It may also be performed on a core memory dump as part of a debugging procedure.

File carving is a process used in computer forensics to extract data from a disk drive or other storage device without the assistance of the file system that originally created the file.

It is a method that recovers files in unallocated space without any file information and is used to recover data and carry out a digital forensic investigation.

It is also called "carving," which is a general term for extracting structured data out of raw data, based on format-specific characteristics present in the structured data.

As a forensics technique that recovers files based merely on file structure and content and without any matching file system metadata, file carving is most often used to recover files from the unallocated space in a drive. Unallocated space refers to the area of the drive which no longer holds any file information as indicated by the file system structures like the file table.

File carving is a great method for recovering files and fragments of files when directory entries are corrupt or missing.

In the case of damaged or missing file system structures, this may involve the whole drive.

In simple words, many file systems do not zero-out the data when they delete it. Instead, they simply remove the knowledge of where it is.

File carving is the process of reconstructing files by scanning the raw bytes of the disk and reassembling them. This is usually done by examining the header (the first few bytes) and footer (the last few bytes) of a file.

Difference between file recovery and file carving

File recovery techniques make use of the file system information and, by using this information, many files can be recovered. If the information is not correct (corrupted), then it will not work.

File carving works only on the raw data on the media and is not connected with the file system structure. It does not depend on which file system was used for storing the files.

The most common general file carving techniques are:

1. Header-footer or header-"maximum file size" carving: recover files based on known headers and footers or a maximum file size.

   - JPEG: "\xFF\xD8" header and "\xFF\xD9" footer
   - GIF: "\x47\x49\x46\x38\x37\x61" header and "\x00\x3B" footer
   - PST: "!BDN" header and no footer
   - If the file format has no footer, a maximum file size is used in the carving program.
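An added example (not part of the original slides) of header-footer and header-"maximum file size" carving over a raw byte buffer, using the three signatures listed above. The maximum sizes and the sample buffer are constructed assumptions chosen to keep the demonstration small.

```python
# Signatures from the list above; the max sizes are illustrative assumptions.
SIGNATURES = {
    # name: (header, footer or None, maximum carve size in bytes)
    "jpeg": (b"\xFF\xD8", b"\xFF\xD9", 64),
    "gif": (b"\x47\x49\x46\x38\x37\x61", b"\x00\x3B", 64),
    "pst": (b"!BDN", None, 16),
}

def carve(raw: bytes):
    """Return a sorted list of (offset, type, data) carved from raw bytes."""
    found = []
    for name, (header, footer, max_size) in SIGNATURES.items():
        pos = raw.find(header)
        while pos != -1:
            window = raw[pos:pos + max_size]
            if footer is None:
                # No footer for this format: carve max_size bytes from the header.
                data = window
            else:
                end = window.find(footer, len(header))
                # No footer inside the size limit: discard this header hit.
                data = window[:end + len(footer)] if end != -1 else None
            if data is not None:
                found.append((pos, name, data))
                pos = raw.find(header, pos + len(data))
            else:
                pos = raw.find(header, pos + 1)
    return sorted(found)

def build_sample() -> bytes:
    """Constructed 'unallocated space': zero filler with embedded fragments."""
    jpeg = b"\xFF\xD8" + b"JPEGDATA" + b"\xFF\xD9"
    gif = b"GIF87a" + b"GIFDATA" + b"\x00\x3B"
    pst = b"!BDN" + b"PSTDATA-----"
    orphan = b"\xFF\xD8" + b"\x11" * 100  # JPEG header whose footer never appears
    return (b"\x00" * 10 + jpeg + b"\x00" * 5 + gif
            + b"\x00" * 7 + pst + b"\x00" * 3 + orphan)

if __name__ == "__main__":
    for offset, kind, data in carve(build_sample()):
        print(f"{kind:5s} offset={offset:4d} length={len(data)}")
```

The orphaned header at the end of the sample is skipped because no footer falls within the size limit, which is how a header-footer carver avoids emitting a file for every stray two-byte match.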

2. File structure-based carving

   - This technique uses the internal layout of a file
   - Elements are header, footer, identifier strings, and size information

3. Content-based carving

   - Content structure is loose (MBOX, HTML, XML)
   - Content characteristics:
     - Character count
     - Text/language recognition
     - White and black listing of data
     - Statistical attributes (Chi^2)
     - Information entropy
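An added example (not part of the original slides) showing how two of the content characteristics above, information entropy and the Chi^2 statistic, can label raw blocks when no header or footer is available. The thresholds, label names and sample blocks are constructed assumptions for illustration.

```python
import hashlib
import math
from collections import Counter

def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 (constant) to 8.0 (uniform)."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def chi_square(block: bytes) -> float:
    """Chi^2 statistic of the byte histogram against a uniform distribution."""
    expected = len(block) / 256
    counts = Counter(block)
    return sum((counts.get(v, 0) - expected) ** 2 / expected for v in range(256))

def printable_ratio(block: bytes) -> float:
    """Fraction of bytes that are printable ASCII, tab, CR or LF."""
    return sum(32 <= b < 127 or b in (9, 10, 13) for b in block) / len(block)

def classify(block: bytes) -> str:
    """Label one block; the thresholds are illustrative assumptions."""
    h = entropy(block)
    if h < 1.0:
        return "empty"
    if printable_ratio(block) > 0.95:
        return "text"
    if h > 7.5 and chi_square(block) < 400:
        return "compressed-or-encrypted"
    return "other-binary"

# Constructed 4096-byte sample blocks (not taken from any real disk image).
ZERO_BLOCK = b"\x00" * 4096
TEXT_BLOCK = (b"From: examiner@example.test\nSubject: carving notes\n" * 100)[:4096]
RANDOM_LIKE_BLOCK = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

def classify_samples():
    """Classify the three constructed blocks in order."""
    return [classify(b) for b in (ZERO_BLOCK, TEXT_BLOCK, RANDOM_LIKE_BLOCK)]

if __name__ == "__main__":
    print(classify_samples())
```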

Tools widely used for file carving:

Data recovery tools play an important role in most forensic investigations because smart malicious users will always try to delete evidence of their unlawful acts. Some important data recovery tools are:

1. Scalpel
2. Foremost
3. jpegcarve
4. FTK
5. EnCase
6. PhotoRec
7. Revit
8. TestDisk
9. Magic Rescue
10. F-Engrave
