Greetings amazing readers! Last time I made an interactive guide demonstrating forensic imaging and how to acquire digital evidence from devices. Continuing where I left off, today I have made another excellent interactive guide on file recovery and forensic data carving. Today we will understand the basics of file recovery, basic data carving techniques, and the practical with some powerful forensic utilities to carve data from sample datasets.
Introduction to Data Carving
Data Carving or sometimes referred to as File Carving is an important technique performed during digital forensic investigations to acquire and recover data from acquired memory files. File carving retrieves data and files from unallocated space using specific characteristics, such as the file structure and file headers.
Unallocated space refers to that part of memory that does not belongs to any memory partition and has been marked as empty by the operating system. Although this part of the memory is unallocated for use, attributes of files such as header and footer are saved here that can be used to retrieve fragments or even complete parts of the deleted files.
Data carving utilizes this space the attributes to recover deleted files by carving the information saved in header and footers.
This is all the theory that is essential for our understanding. Now we will move to the practical part of our guide where we use awesome tools to carve data. To follow along, download the sample data sets on which we will perform the practical.
Download: Basic Data Carving Test#1 by Nick Mikus
The dataset is a memory image of a FAT32 file system that includes multiple deleted files of different file formats and extensions. The description of each file, including its hash is given at the bottom of the download page. After downloading the zip of the data set, extract it to a fresh directory and proceed further.
File Recovery with Foremost
Foremost is a widely popular command line tool in the world of digital forensics that recovers files from unallocated space using file headers and footers. The tool is powerful yet easy to use due to its simple syntax.
A simple command to carve everything from the image file looks like this:
foremost -i <input_file> -o <output_directory>
The output directory that we specified during carving contains all the files that are successfully carved by foremost, organized into different sub-directories by file type. Furthermore, an audit.txt file is generated that contains all the details and findings listed in a neat format.
Here’s a sample of jpg files that are successfully recovered by foremost:
A better way to use the tool is to specify selected file extensions to carve to reduce the time taken to recover files. While it is a wise choice to specify file type during carving, the extension must be known to use this method. The syntax to carve selected file types looks like this:
foremost -i <input_file> -t <extensions> -o <output_directory>
File recovery with Scalpel
While foremost is a great tool to retrieve and recover files from unallocated space, it consumes high ram and CPU while under operation. Resultantly, Scalpel was developed as an improvement of older versions of foremost. While it offers speed, it comes with some specifications that must be kept in mind while carving data. Unlike foremost, Scalpel does not carve all supported file formats on its own. The required file types must be specified in the Scalpel configuration file by the user before using it.
This file is called scalpel.conf and is located at etc/scalpel/
To specify file types, edit the configuration file and remove comments at the start of the line containing the file type. All file formats are commented on by default and must be edited as per the user’s preference. Please always have a backup of the configuration file before making any changes to the original file.
After specifying the file formats to carve, use Scalpel with the following syntax:
scalpel <input_file> -o <output_directory>
Similar to foremost, all recovered files are organized into different sub-directories based on the file format.
Please note that neither foremost, nor scalpel returns files with their original names, and the result often contains duplicates. Thus, remember to use both tools to verify your results, and do not rely on a single tool.
While foremost and Scalpel can recover images, audio, video, and compressed files, bulk_extractor extracts several additional types of information that can be very useful in digital forensic investigations. In addition to conventional file types and formats, Bulk Extractor is capable of extracting the following useful information from memory files:
- Credit Card Numbers
- Email addresses
- Online Search History from browsers
We will use a different data set for this part. Download it from the below link:
The syntax to extract carved files and data looks like this:
bulk_extractor -o output <input_file>
When listing the files in the output directory, you will get various text files that store different information extracted from the image file.
Please note that not all files contain information. Only extracted information is stored in relevant files.
This is it for this article. I believe this guide would have helped people learn or get started in digital forensics. If you liked this article, do contact me on my socials and share your feedback. I will see you in another amazing article, meanwhile here are some fun things you can do: