This is usually done by examining the header (the first few bytes) and footer (the last few bytes) of a file.įile carving is a great method for recovering files and fragments of files when directory entries are corrupt or missing. File carving is the process of reconstructing files by scanning the raw bytes of the disk and reassembling them. Instead, they simply remove the knowledge of where it is. In simple words, many filesystems do not zero-out the data when they delete it. In the case of damaged or missing file system structures, this may involve the whole drive. Unallocated space refers to the area of the drive which no longer holds any file information as indicated by the file system structures like the file table.
It also called “carving,” which is a general term for extracting structured data out of raw data, based on format specific characteristics present in the structured data.Īs a forensics technique that recovers files based merely on file structure and content and without any matching file system meta-data, file carving is most often used to recover files from the unallocated space in a drive. It is a method that recovers files at unallocated space without any file information and is used to recover data and execute a digital forensic investigation. File carving is a process used in computer forensics to extract data from a disk drive or other storage device without the assistance of the file system that originality created the file.