Editor’s note: File carving is a very important topic in digital investigation and computer forensics, because key evidence is not always just there for you to take. According to our statistics, out of every 10 computer forensic cases, at least 4 require data recovery work.

File carving, as a crucial data recovery technology, enables digital investigators to retrieve important data and evidence from damaged or corrupted data resources. So in this article, SalvationDATA forensic experts will talk about file carving and its use in digital forensics.


About file allocation

To better understand file carving, let’s first talk about file allocation. When a partition is created, a file system structure is established, and all digital files are mapped and managed by the file system. The data area managed by a functioning file system is called allocated space. Recovering files from allocated space is normally very easy because, even after a file has been deleted, its directory entry would still exist in the file system. We can simply find the lost files by going through all file directories.

However, if the partition or file system is somehow corrupted, the data area of this partition is no longer allocated. This kind of data area is called unallocated space. Recovering files from unallocated space is much more complicated, and this is where file carving technology shows its advantages.


What is file carving?

File carving is a process used in computer forensics to extract data from a disk drive or other storage device without the assistance of the file system that originally created the file. It recovers files from unallocated space without any file information and is used to recover data for forensic investigations.

File carving recovers files by matching known file signatures within the raw data. For example, a JPEG image file begins with the header 0xFFD8 and ends with 0xFFD9. This applies to all JPEG image files, so data recovery algorithms can locate and recover JPEG files by matching this fixed signature and packing the raw data between header and footer. Because file carving works directly on the raw data of a storage medium and does not depend on any file system structure, it is able to recover lost files when other recovery methods fail.
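The header/footer matching described above, as an added Python example (not SalvationDATA's or DRS's code): it scans a raw byte buffer for the JPEG signatures, skips a header that has no footer, and hashes each carved file so the export can be verified later. The three-byte header check, the size cap and the sample buffer are assumptions constructed for illustration.

```python
import hashlib

SOI = b"\xff\xd8\xff"  # header 0xFFD8 plus the 0xFF that starts the next JPEG marker
EOI = b"\xff\xd9"      # footer 0xFFD9
MAX_SIZE = 20 * 1024 * 1024  # assumed cap so a stray header cannot swallow the image


def carve_jpegs(raw, max_size=MAX_SIZE):
    """Return (offset, data, sha256) for every header/footer pair found in raw."""
    found = []
    pos = 0
    while True:
        start = raw.find(SOI, pos)
        if start == -1:
            break
        # Look for the footer only within max_size bytes of the header.
        end = raw.find(EOI, start + len(SOI), start + max_size)
        if end == -1:
            # Header without a footer in range: truncated or overwritten file.
            pos = start + 1
            continue
        data = raw[start:end + len(EOI)]
        found.append((start, data, hashlib.sha256(data).hexdigest()))
        pos = end + len(EOI)
    return found


def build_sample():
    """Constructed stand-in for unallocated space; payloads are not real images."""
    jpeg_a = b"\xff\xd8\xff\xe0" + b"constructed-image-A" + b"\xff\xd9"
    jpeg_b = b"\xff\xd8\xff\xe1" + b"constructed-image-B" * 3 + b"\xff\xd9"
    truncated = b"\xff\xd8\xff\xe0" + b"lost-tail"  # header only, no footer
    raw = (b"\x00" * 512 + jpeg_a + b"\xaa" * 300 + jpeg_b
           + b"\x00" * 100 + truncated + b"\x00" * 64)
    return raw, jpeg_a, jpeg_b


if __name__ == "__main__":
    sample, _, _ = build_sample()
    for offset, data, digest in carve_jpegs(sample):
        print(f"offset={offset} size={len(data)} sha256={digest}")
```

Stopping at the first footer is the simplest form of the technique: a JPEG that embeds a thumbnail contains a nested header and footer, and a fragmented file does not sit in one contiguous run, so both need more than plain signature matching.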


Discover the powerful file carving feature integrated into SalvationDATA DRS.

SalvationDATA DRS (Data Recovery System) is the next-generation intelligent all-in-one forensic data recovery tool, which can help you acquire and recover data from both good and damaged storage media such as HDDs simply and easily.

Follow the instructions below to use DRS’s powerful file carving feature to forensically recover lost files that seem unrecoverable.

Step 1. Connect the target storage device to the DRS unit or directly to your PC for inspection.

Step 2. Run the DRS software and click “File Recovery & File Carving” on the home page.


Step 3. Check the boxes in front of the partitions that need to be inspected. If a partition failed to be identified, or if there is no partition at all, right-click on the drive and choose “Add Partition” to specify a data area to inspect.


Step 4. Switch the scanning mode to “Raw Scan”, then click the “Raw” icon to open file carving configurations.


Step 5. Check the boxes of the wanted file formats. You can also add custom file carving scripts if your target file format is not on the list.


Step 6. Click “OK” to confirm settings, then click “Scan” to begin the file carving process.


Step 7. Wait for the scan to complete, and DRS will automatically display all recovered files. After crucial evidence files are found, you can export and generate a forensic report.


Conclusion

DRS supports more than 300 file formats for file carving, and we even allow users to add custom scripts to support additional file formats. File carving is going to help bring back lost files more than ever, and increase your chance to find important digital evidence regardless of the storage device’s health condition. Come and check out our website for more information. You can also go to our resource page to download the software for free. We welcome you to contact us and claim your free product trial!
