By Richard Harding
Introduction
File carving is a skill any forensic examiner will likely need at some point in their career. Whether the task is to recover deleted or damaged files, analyse data within an unallocated area of a storage device or work with fragmented data, needing to understand this technique is almost a certainty. This article aims to introduce the subject of file carving to forensic examiners, look at the difference between file carving and file recovery, demonstrate basic methods to carve files within a Windows and Linux environment and discuss some of the more advanced elements of file and data carving.
What is File Carving?
File carving is defined as “A technique which identifies and extracts files from unallocated [storage] areas, based on signatures found within the file content, and not by using file-system metadata” (Garfinkel 2007). It is a method used by forensic examiners to extract structured data from acquired raw data.
File carving is most often used to recover files or data from unallocated space within a storage device. Unallocated space refers to the area(s) within a storage device that contain no file system information, such as a file allocation table and file metadata.
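The definition above, as an added example that is not part of the original article: a minimal header/footer carver in Python that finds JPEG and PNG files in a raw buffer by signature alone, without consulting any file-system metadata. The function names, the size cap and the sample buffer are constructed for illustration.

```python
# Added example: header/footer carving over a raw buffer (contiguous files only).
# (header, footer) pairs are the published JPEG and PNG format signatures.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 1024 * 1024  # assumed cap on carved file size, in bytes


def carve(raw, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return sorted (offset, type, data) tuples for every header that has a
    matching footer within max_size bytes. No file-system metadata is used."""
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = raw.find(header)
        while pos != -1:
            end = raw.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # Header without a footer in range: truncated, fragmented or
                # a false positive. Skip it and resume just past this header.
                pos = raw.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((pos, ftype, raw[pos:end]))
            pos = raw.find(header, end)  # resume after the carved file
    return sorted(found)


def build_sample():
    """Constructed stand-in for unallocated space: zero filler around two
    minimal fake files, plus one JPEG header whose footer is missing."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"constructed-chunks" + b"IEND\xaeB`\x82"
    orphan = b"\xff\xd8\xff\xe0" + b"no-footer"
    raw = (b"\x00" * 512 + jpg + b"\x00" * 300 + png
           + b"\x00" * 100 + orphan + b"\x00" * 64)
    return raw, jpg, png


if __name__ == "__main__":
    raw, _, _ = build_sample()
    for offset, ftype, data in carve(raw):
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
```

Real JPEGs can contain the bytes FF D9 inside an embedded thumbnail, so matching the first footer may cut a carved file short. The sketch also assumes each file is stored contiguously.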
When examining a storage device, forensic examiners may often be faced with damaged or obfuscated files, in addition to unallocated storage space, and analysing any potential data in these circumstances can be of immense value to a forensic investigation. File carving is a file recovery method that differs from file recovery; this can....