Sunday, December 21, 2014

File Carving In Depth


“File carving,” or sometimes simply “carving,” is the process of extracting a collection of data from a larger data set. Data carving techniques frequently occur during a digital investigation when the
unallocated file system space is analyzed to extract files. The files are “carved” from the unallocated space using file type-specific header and footer values.

So file carving is not the same thing as file recovery: file recovery depends on the file system structures still being intact, whereas carving does not. Let's go through this topic in some detail.

File carving is a powerful technique for recovering files and fragments of files when directory entries are corrupt or missing. The raw data is searched block by block for residual data matching the file type-specific header and footer values. Carving is especially useful in criminal cases, where it can recover evidence that no longer appears in the file system. In cases related to child pornography, for example, law enforcement agents are often able to recover more images from a suspect's hard disks by using carving techniques.

Carving deals with the raw data on the media and doesn't use the file system structure during its process. A file system (such as FAT16, FAT32, NTFS, EXT and others) is a structure for storing and organizing computer files and the data they contain. Although carving doesn't care which file system was used to store the files, it can be very helpful to understand how a specific file system works. In the FAT file system, for example, when a file is deleted its directory entry is marked as free: the first byte of the entry (the first character of the filename) is overwritten with the marker 0xE5, while the clusters holding the file's data are left untouched. Until they are overwritten, the data is still present.

Carving makes use of the internal structure of a file. A file is a block of stored information with a known layout, like an image in a JPEG file. An operating system normally uses the file name extension to decide what a file contains; a carver cannot, since there is no name to look at, so it relies on the content itself (signatures and internal structure).

File recovery techniques make use of the file system information that remains after a file is deleted. By using this information, many files can be recovered. For this technique to work, the file system information needs to be correct; if it is not, the files can't be recovered that way. If the volume has been formatted, file recovery techniques will not work either, although the file contents may still be carvable.

Files are stored in file systems:
• Windows (FAT 12/16/32, NTFS)
• Linux (Ext2/Ext3/Ext4, ReiserFS)
• Mac (HFS, HFS+/HFSX)
• File systems store data in clusters or blocks
• Files are usually stored contiguously by the OS on the media, which is what makes header/footer carving work; fragmented files are the hard case

So recovery comes in several levels of difficulty: a file sent to the Recycle Bin, the Recycle Bin emptied, the disk formatted, part of the data overwritten, or even the data sitting in bad sectors.

General File Carving Techniques

The most common general file carving techniques are:
• Header/footer or header/maximum-file-size carving
• File structure based carving
• Content based carving

Header-footer Carving

• Recover files based on known headers and footers, or on a maximum file size
• JPEG: “\xFF\xD8” header (SOI marker) and “\xFF\xD9” footer (EOI marker)
• GIF: “\x47\x49\x46\x38\x37\x61” (“GIF87a”) header and “\x00\x3B” footer; the newer variant starts with “GIF89a”
• PST: “!BDN” header and no footer
• If the file format has no footer, a maximum file size is used by the carving program
• Known header/footer carvers are Scalpel, Foremost and File Finder (EnCase)

File Structure Based Carving

• This technique uses the internal layout of a file
• Elements are header, footer, identifier strings and size information
• Known carvers which use this technique are Foremost and PhotoRec
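The two techniques above side by side, as an added example that is not part of the original post and not code from Foremost, Scalpel or PhotoRec. The signature table, the sample files and the "unallocated space" image are all constructed for the demo. The constructed JPEG carries an EXIF thumbnail inside its APP1 segment, which is the classic case where header/footer carving stops early at the thumbnail's own FFD9, while structure-based carving follows each segment's length field and recovers the whole file.

```python
"""Header/footer carving versus file-structure carving on a constructed disk image.

Added example, not code from the original post or from Foremost/Scalpel/PhotoRec.
The signature table, sample files and image below are constructed for this demo.
"""

# Signature table in the style of a Foremost/Scalpel config: header, footer (None if
# the format has none, e.g. PST), and the maximum size used when no footer is found.
SIGNATURES = {
    "jpg": (b"\xFF\xD8", b"\xFF\xD9", 4096),
    "gif": (b"GIF87a", b"\x00\x3B", 4096),
    "pst": (b"!BDN", None, 64),
}


def carve_header_footer(image, signatures=SIGNATURES):
    """Header/footer carving: every header hit starts a file; the file ends at the
    first footer found within max_size bytes, or at max_size if there is no footer.
    Returns a list of (type, offset, data) sorted by offset."""
    found = []
    for ftype, (header, footer, max_size) in signatures.items():
        start = 0
        while (off := image.find(header, start)) >= 0:
            window = image[off:off + max_size]
            end = len(window)
            if footer is not None:
                f = window.find(footer, len(header))
                if f >= 0:
                    end = f + len(footer)
            found.append((ftype, off, window[:end]))
            start = off + len(header)
    return sorted(found, key=lambda hit: hit[1])


def carve_jpeg_by_structure(image, offset):
    """File-structure carving for JPEG: walk the marker segments from offset using
    each segment's 2-byte big-endian length field, so an EXIF thumbnail inside APP1
    (which carries its own FFD8...FFD9) is skipped instead of terminating the file.
    After SOS the entropy-coded data is scanned for EOI: inside scan data 0xFF is
    always followed by 0x00 (stuffing) or 0xD0-0xD7 (restart), so the first FFD9 is
    the real end of image. Returns the carved bytes, or None if the structure breaks."""
    if image[offset:offset + 2] != b"\xFF\xD8":
        return None
    pos = offset + 2
    while pos + 2 <= len(image):
        if image[pos] != 0xFF:
            return None                               # expected a marker here
        marker = image[pos + 1]
        if marker == 0xD9:                            # EOI without a scan (e.g. thumbnail)
            return image[offset:pos + 2]
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(image):
            return None
        seglen = int.from_bytes(image[pos + 2:pos + 4], "big")
        pos += 2 + seglen
        if marker == 0xDA:                            # SOS: entropy-coded data follows
            eoi = image.find(b"\xFF\xD9", pos)
            return image[offset:eoi + 2] if eoi >= 0 else None
    return None


def _seg(marker, payload):
    """Build one JPEG marker segment: FF <marker> <2-byte length incl. itself> payload."""
    return b"\xFF" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed sample files (structurally plausible, not real images).
THUMB = b"\xFF\xD8" + _seg(0xDB, b"\x00" * 8) + b"\xFF\xD9"        # 16-byte EXIF thumbnail
JPEG = (b"\xFF\xD8"
        + _seg(0xE1, b"Exif\x00\x00" + THUMB)                       # APP1 with nested JPEG
        + _seg(0xDB, bytes(range(65)))                              # DQT
        + _seg(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")       # SOF0
        + _seg(0xDA, b"\x01\x01\x00\x00\x3F\x00")                   # SOS
        + b"\x10\x20\xFF\x00\x30\xFF\xD0\x40"                       # scan data: stuffing + RST0
        + b"\xFF\xD9")                                              # real EOI (130 bytes total)
GIF = b"GIF87a\x01\x00\x01\x00\x80\x00\x00\xAA\xBB\xCC\x00\x3B"
PST = b"!BDN" + b"A" * 100                                          # no footer: relies on max size

# Constructed unallocated-space image: files surrounded by zeroed (wiped) clusters.
IMAGE = b"\x00" * 16 + JPEG + b"\x00" * 8 + GIF + b"\x00" * 8 + PST + b"\x00" * 8


if __name__ == "__main__":
    for ftype, off, data in carve_header_footer(IMAGE):
        print(f"header/footer: {ftype} at {off}, {len(data)} bytes")
    print("structure:", len(carve_jpeg_by_structure(IMAGE, 16)), "bytes for the JPEG at 16")
```

Running it shows the header/footer carver returning a 28-byte JPEG for the file at offset 16 (cut at the thumbnail's EOI) plus the thumbnail itself as a second JPEG, while the structure walker returns all 130 bytes. The nested thumbnail being carved as its own file is not a bug: real carvers behave the same way, which is why carving a disk tends to yield many small duplicate images.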

Content-based Carving

• Content structure
  • Loose structure (MBOX, HTML, XML)
• Content characteristics
  • Character count
  • Text/language recognition
  • White- and blacklisting of data
  • Statistical attributes (Chi^2)
  • Information entropy


Remember: file carving is a recovery technique that considers only the contents and structures of files, not the file system structures or other metadata used to organize data on storage media.


File Carving Terminology

Tools :

There are different carving tools available. Most of them are open source; others are commercial solutions offered by companies. Because carving is still a developing technique, more and more tools are becoming available. Some of the most commonly used carving tools are:

Foremost—Originally developed by the US Air Force, it is a carver designed for recovering files based on their headers, footers and internal data structures.
Scalpel—Scalpel is a rewrite of Foremost focused on performance and reduced memory usage. It uses a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is file system independent and will carve files from FATx, NTFS, EXT2/3 or raw partitions. Scalpel will not allow you to output to the same directory you're carving from.
PhotoRec—PhotoRec is a data recovery tool designed to recover lost files from digital camera storage media (CompactFlash, Memory Stick, Secure Digital, SmartMedia, Microdrive, MMC, USB flash drives and others), hard disks and CD-ROMs. It recovers most common photo formats, audio files, document formats such as Microsoft Office, PDF and HTML, and archive/compression formats. A complete list of supported file formats can be found on the PhotoRec website. PhotoRec does not attempt to write to the damaged media from which recovery is being performed; recovered files are instead written to the directory from which you run PhotoRec, or to any other directory you choose.
More information about data carving tools and recovery tools can be found on the Forensics Wiki.

Datasets :
• FAT carving test dataset (15 files)
• DFRWS 2006 challenge image (32 files)