“File carving,”
or sometimes simply “carving,” is the process of extracting a collection of
data from a larger data set. Data
carving techniques frequently occur during a digital investigation when the
unallocated file system
space is analyzed to extract files. The files are “carved” from the unallocated space
using file type-specific header and footer values.
so File carving isn't file Recovery as in the last you need file system
structure .. let's have this topic in some details J
File carving is
a powerful technique for recovering files and fragments of files when directory
entries are corrupt or missing. The block of data is searched block by block
for residual data matching the file type-specific header and footer values.
Carving is also especially useful in criminal cases where the use of carving
techniques can recover evidence. In certain cases related to child pornography,
law enforcement agents are often able to recover more images from the suspect’s
hard disks by using carving techniques .
Carving deals with the
raw data on the media and doesn’t use the file system structure during its process.
A file system (such as FAT16, FAT32, NTFS, EXT, and others) is a structure for
storing and organizing computer files and the data they contain. Although
carving doesn’t care about which file system is used to store
the files, it could be very helpful to understand how a specific file system
works. In the FAT file system for example, when a file is deleted, the file’s
directory entry is changed to show that the file is no longer needed
(unallocated). The first character of the filename is replaced with a marker,
but the file data itself is left unchanged. Until it’s overwritten, the data is
still present.
Carving makes use of
the internal structure of a file. A file is a block of stored information like
an image in a JPEG file. A
computer uses file name extensions to identify files content.
File Recovery techniques make use of the file
system information that remains after deletion of a file. By using this
information, many files can be recovered. For this technique to work, the file
system information needs to be correct. If not, the files can’t be recovered.
If a system is formatted, the file recovery techniques will not work either.
Files are stored in file systems :
• Windows (FAT 12/16/32, NTFS)
• Linux (Ext2/Ext3/Ext4, Reiser)
• Mac (HFS, HFS+/HFSX)
• File systems store data in
clusters or blocks
• Files are usually stored
sequentially by the OS on media
So recovery has some levels from delete to recycle bin and empty
it to format disk and overwrite some data or
even bad sector :D .
General File Carving Techniques
The most common general file
carving techniques are:
• Header-footer or header- “maximum
file size” carving
• File structure based carving
• Content based carving
Header-footer
Carving
• Recover files based on known
Header and Footers or
maximum file size
• JPEG: “\xFF\xD8” header and
“\xFF\xD9” ‘footer’
• GIF: “\x47\x49\x46\x38\x37\x61”
header and “\x00\x3B”
footer
• PST: “!BDN” header and no footer
• If the file format has no footer
a maximum file size is
used in the carving program
• Known header footers carvers are
Scalpel, Foremost
and File finder (EnCase)
File
Structure Based Carving
• This technique uses the internal
layout of a file
• Elements are header, footer,
identifier strings and size
information
• Known carvers which use this
technique are Foremost
and PhotoRec
Content-based
Carving
• Content structure
• Loose structure (MBOX, HTML, XML)
• Content characteristics
• Character count
• Text/Language recognition
• White and Black listing of data
• Statistical attributes (Chi^2)
• Information entropy
remember : File carving is a recovery technique that merely
considers the contents and structures of files instead of file system
structures or other meta-data which is used to organize data on storage media .
file carving terminology
Tools :
There are different
carving tools available. Most of them are open source, and others are
commercial solutions offered by companies. Due to the
fact that carving is a developing technique, more and more tools are becoming
available. Some of the most commonly used carving tools are:
• Foremost—Originally designed by
the US Air Force, it is a carver designed for
recovering files based on their headers, footers, and internal data structures
• Scalpel—Scalpel is a rewrite of
Foremost focused on performance and a decrease of memory usage. It uses a
database of header and footer definitions and extracts matching files from a
set of image files or raw device files. Scalpel is file system independent and
will carve files from FATx, NTFS, EXT2/3, or raw partitions. Scalpel will not
allow you to output to the same directory you’re carving from.
• Photorec—Photorec is a data
recovery software tool designed to recover lost files from digital camera storage
media (CompactFlash, Memory Stick, Secure Digital, SmartMedia, Microdrive, MMC,
USB flash drives, and others), hard disks, and CD-ROMs. It recovers most common
photo formats, audio files, document formats, such as Microsoft Office, PDF,
HTML, and archive/compression formats. A complete list of supported file
formats can be read on the Photorec website. PhotoRec does not attempt to write to the damaged media from where recovery is
being performed. Recovered files are instead written to the directory from
where you are running PhotoRec or any other directory you choose.
More information about data carving tools and
recovery tools can be found on forensicwiki .
Datasets :
• FAT carving test dataset (15
files)
• DFRWS 2006 challenge image (32
files)
