276 | Page
Ch a p t e r 2 3 - D a t a R e c o v e r y
Copyright GetData Forensics Pty Ltd 2010 - 2015, All rights reserved.
File carving is a well-known computer forensics term used to describe the
identification and extraction of file types from unallocated clusters using file
signatures. A file signature, also commonly referred to as a magic number, is ͞a
constant numerical or text value used to identify a file format or protocol͟ (16).
An example of a file signature is shown in Figure 218, which is the beginning of a .jpg
file in Hex view:
Figure 218, View of .jpg file header
The object of the carving exercise is to identify and extract (carve) the file based on
this signature information alone. Carrier (2005) describes File carving as:
͞…a process where a chunk of data is searched for signatures that correspond
to the start and end of known file types. The result of this analysis process is a
collection of files that contain one of the signatures. This is commonly
performed on the unallocate space of a file system and allows the investigator
to recover files that hav no metadata structures pointing to them͟. (2)
CARVING ADVANTAGES AND LIMITATIONS
File carving has both advantages and limitations. These include:
File system independent
File carving is essentially file system independent. A file type will exhibit the
same file signature and structure on under FAT, NTFS, HFT, EXT2 or other file
systems and can be data carved accordingly. File carving is also effective
method of recovery when the file system is corrupt or destroyed.
A drawback of file carving is that it can take a considerable amount of time to
process a large drive. The lower the level of search (i.e. cluster v͛s sector v͛s
byte), and the greater the number of file signatures searched for
simultaneously, the longer the search.