
What are file carving techniques and when are they used?

Explore file carving techniques used in digital forensics to recover deleted files and discover hidden data without relying on file system metadata.

By Inventive HQ Team

Introduction to File Carving

Digital forensics often requires recovering files that have been deleted, hidden, or damaged. While some recovery methods rely on file system metadata (like the File Allocation Table or MFT), metadata can be corrupted, overwritten, or intentionally deleted by someone with forensic knowledge. File carving is a different approach: instead of trusting file system metadata, it searches through raw disk data for file signatures and reconstructs files from those signatures alone.

File carving has become an essential technique in digital forensics, incident response, and cybersecurity investigations. It allows forensic analysts to recover evidence that would otherwise be lost, discover hidden files intentionally concealed by attackers, and restore data from damaged storage devices. Understanding when and how to use file carving can mean the difference between successfully investigating a breach or missing critical evidence.

What is File Carving?

The Core Concept

File carving is the process of recovering files from raw data without using file system metadata. It works by:

  1. Searching for file signatures (magic numbers) that indicate the start of a file
  2. Scanning for file delimiters or structures that indicate the end of a file
  3. Extracting the data between start and end markers
  4. Reassembling the complete file

Unlike traditional file recovery that relies on the file system knowing where files are located, file carving treats the entire storage device as raw data and searches for recognizable file patterns.

Magic Numbers and File Signatures

Every file type has a distinctive beginning—a magic number or file signature. For example:

  • JPEG images: Start with FF D8 FF and end with FF D9
  • PNG images: Start with 89 50 4E 47 (‰PNG)
  • PDF documents: Start with 25 50 44 46 (%PDF)
  • ZIP archives: Start with 50 4B 03 04 (PK..)
  • EXE executables: Start with 4D 5A (MZ)
  • GIF images: Start with 47 49 46 38 (GIF8)

By searching for these signatures in raw disk data, forensic analysts can locate files even if the file system says they don't exist.

Single-Step vs. Two-Step File Carving

Single-step carving: Searches for a file's magic number (start signature) and assumes the next file's start signature marks the end. Works well for fixed-size files or files with clear boundaries, but can miss fragmented files.

Two-step carving: Searches for both start and end signatures specific to each file type. More accurate but requires knowing the file structure intimately.
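To make the two strategies concrete, here is a small carver that implements both (an added example, not code from the article or from any of the tools it names) and runs it over a constructed disk image holding a JPEG, a PNG and a PDF with filler between them. The signature table, the per-type size cap and the sample image are this example's assumptions.

```python
import re

# Start and end signatures from the table above (this dict is the example's own).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF", b"%%EOF"),
}
MAX_FILE_SIZE = 10 * 1024 * 1024  # per-type size cap, as foremost/scalpel use

def find_headers(data):
    """Every (offset, type) where a start signature occurs, sorted by offset."""
    hits = []
    for ftype, (header, _) in SIGNATURES.items():
        hits += [(m.start(), ftype) for m in re.finditer(re.escape(header), data)]
    return sorted(hits)

def carve_single_step(data):
    """Header-only carving: a file runs to the next header (or the size cap).
    Any slack between the two files is swept up with the first one."""
    hits = find_headers(data)
    out = []
    for i, (start, ftype) in enumerate(hits):
        end = hits[i + 1][0] if i + 1 < len(hits) else len(data)
        out.append((ftype, start, data[start:min(end, start + MAX_FILE_SIZE)]))
    return out

def carve_two_step(data):
    """Header+footer carving: a file runs to its own type's end signature.
    A header with no footer inside the cap is dropped as a likely false hit."""
    out = []
    for start, ftype in find_headers(data):
        header, footer = SIGNATURES[ftype]
        idx = data.find(footer, start + len(header), start + MAX_FILE_SIZE)
        if idx != -1:
            out.append((ftype, start, data[start:idx + len(footer)]))
    return out

# Constructed 303-byte "disk image": filler, JPEG, slack, PNG, junk, PDF, filler.
JPEG = b"\xff\xd8\xff\xe0" + b"J" * 20 + b"\xff\xd9"          # 26 bytes at offset 64
PNG = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"    # 46 bytes at offset 106
PDF = b"%PDF-1.4\n" + b"D" * 40 + b"\n%%EOF"                    # 55 bytes at offset 184
IMAGE = b"\x00" * 64 + JPEG + b"\x00" * 16 + PNG + b"\xff" * 32 + PDF + b"\x00" * 64

if __name__ == "__main__":
    for mode, carve in (("single-step", carve_single_step), ("two-step", carve_two_step)):
        print(mode, [(t, off, len(blob)) for t, off, blob in carve(IMAGE)])
```

Single-step returns the JPEG with 16 bytes of trailing slack attached and the PDF with the closing filler; two-step returns each file exactly as embedded.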

When File Carving is Used

1. Deleted File Recovery

When a file is deleted, most file systems don't actually erase the data—they just mark the space as available for reuse. Until that space is overwritten, the file data remains intact.

Scenario: A user deletes a folder containing evidence of wrongdoing. The file system no longer shows the files, but the data still exists on disk. File carving recovers the deleted files by searching for their signatures.

Process:

  1. Image the storage device at the forensic facility
  2. Use carving tools to search the entire image for JPEG signatures
  3. Recover all JPEG files regardless of what file system metadata says
  4. Analyze recovered files for evidence

2. Damaged or Corrupted Storage

When storage devices are physically damaged or file systems are corrupted, file system metadata becomes unreadable.

Scenario: A user's hard drive was dropped, causing physical damage. Windows can't mount the drive or read the partition table. But the file data is still there.

Process:

  1. Image the damaged drive's raw data, sector by sector
  2. Load the image into a carving tool, which needs no file system metadata
  3. Search the raw data for file signatures
  4. Recover as much data as possible from the uncorrupted portions

3. Discovering Hidden or Concealed Files

Sophisticated threat actors or malicious insiders might intentionally hide files using techniques like:

  • Alternate Data Streams (ADS): Windows feature allowing hidden data in named streams
  • Slack space hiding: Storing data in unused space within files
  • Steganography: Hiding data within other files
  • Partition manipulation: Creating hidden partitions not visible in normal file system navigation

Scenario: A malware developer hides a command-and-control server list in image slack space. Normal file system operations show just an image, but file carving reveals the hidden data.

Process:

  1. Perform file carving on the entire disk image
  2. Examine carved files more carefully for concealment techniques
  3. Extract hidden data from slack space
  4. Analyze for malicious intent

4. Data Loss and Disaster Recovery

Organizations hit by ransomware or other destructive incidents may lose file systems entirely.

Scenario: Ransomware encrypts files and deletes backups. The storage device is wiped. But before the wipe completes, technicians remove the drive. File carving might recover fragments of files from sectors the ransomware didn't completely overwrite.

5. Analysis of Unallocated Space

"Unallocated space" is storage marked as free by the file system. It might contain:

  • Deleted files waiting to be overwritten
  • Slack space from existing files
  • Hidden data intentionally placed there
  • Temporary files created during system operation

File carving searches unallocated space specifically to find evidence that normal file browsing would miss.

File Carving Tools and Techniques

Popular Commercial Tools

Forensic Toolkit (FTK): Comprehensive forensic platform with built-in file carving:

  • Supports hundreds of file types
  • Can recover partial or fragmented files
  • Includes filtering to reduce false positives
  • Used by law enforcement and enterprise incident responders

EnCase: Enterprise evidence examiner with advanced carving capabilities:

  • Customizable file signatures
  • Handles large-scale investigations
  • Provides chain-of-custody documentation

X-Ways Forensics: Powerful hexadecimal editor with file carving:

  • Lightweight and efficient
  • Excellent for technical analysts
  • Free version available for education and limited use

Free and Open-Source Tools

Foremost: Command-line tool scanning for file signatures:

foremost -i disk.img -o output_directory

Searches the disk image for known file types and extracts them. Configuration file specifies which file types to search for.

Scalpel: Advanced file carving tool with more sophisticated matching:

scalpel -c scalpel.conf -o output_directory disk.img

The image is passed as a positional argument and -c points at the configuration file, which defines the header and footer patterns for each file type. The shipped scalpel.conf has every entry commented out; enable the types you want before running.

Binwalk: Analyzes binary files and can extract embedded files:

binwalk -e disk.img

Automatically detects and extracts many file types, including compressed archives and nested files.

PhotoRec: Specializes in image recovery:

photorec /dev/sda1

Recovers digital photographs, video, and audio from storage devices.

Advanced Carving Techniques

Entropy-based carving: Analyzes the randomness of data to identify file boundaries. Files often have distinct entropy signatures.
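The entropy idea in working form (an added example, not from the article or from any carving tool): Shannon entropy per 512-byte block over a constructed region of text, pseudo-random bytes standing in for encrypted or compressed data, and zero filler. The block size, the classification thresholds and the jump threshold are this example's assumptions.

```python
import math
import random
from collections import Counter

def shannon_entropy(chunk):
    """Bits per byte: 0.0 for constant filler, close to 8.0 for random data."""
    n = len(chunk)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def entropy_map(data, block=512):
    """Entropy of each block-sized window, in disk order."""
    return [shannon_entropy(data[i:i + block]) for i in range(0, len(data), block)]

def classify(entropy):
    """Coarse label for a block; the thresholds are this example's assumption."""
    if entropy < 1.0:
        return "zero/filler"
    if entropy < 6.0:
        return "text/structured"
    return "compressed/encrypted"

def find_boundaries(data, block=512, jump=2.0):
    """Offsets where entropy changes by at least `jump` bits between
    neighbouring blocks: candidate file boundaries for the carver."""
    ents = entropy_map(data, block)
    return [i * block for i in range(1, len(ents)) if abs(ents[i] - ents[i - 1]) >= jump]

# Constructed 5 KiB region: 2 KiB of text, 2 KiB of seeded pseudo-random bytes
# (what an encrypted or compressed file looks like to a carver), 1 KiB of zeros.
_rng = random.Random(1337)
TEXT = (b"The quick brown fox jumps over the lazy dog. " * 50)[:2048]
RANDOM = bytes(_rng.getrandbits(8) for _ in range(2048))
SAMPLE = TEXT + RANDOM + b"\x00" * 1024

if __name__ == "__main__":
    for off, e in zip(range(0, len(SAMPLE), 512), entropy_map(SAMPLE)):
        print(f"{off:6d}  {e:5.2f}  {classify(e)}")
    print("boundaries:", find_boundaries(SAMPLE))
```

The same high-entropy signal is why carved encrypted files (Challenge 4 below) are easy to spot but impossible to read.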

Structure-aware carving: Searches for file structures beyond just magic numbers. For example, analyzing JPEG segment markers to ensure structural integrity.

Fragmentation handling: When a deleted file is fragmented across non-contiguous disk sectors, sophisticated carvers can reassemble pieces by analyzing file structures.

Keyword searching: In addition to file signatures, search for specific text or byte patterns. Useful for finding emails, documents, or text-based evidence.

File Carving Process in Investigations

Step 1: Image the Storage Device

Before performing any analysis, create a forensic image of the storage device:

dd if=/dev/sda of=/evidence/disk_image.img bs=4M

This creates an exact, bit-for-bit copy that forensic analysis works from. The original device is preserved untouched. Attach the source drive through a hardware write blocker, and for a failing drive add conv=noerror,sync so that unreadable sectors are padded rather than aborting the copy.

Step 2: Verify the Image

Calculate a hash of the image to prove its integrity:

md5sum disk_image.img > disk_image.md5
sha256sum disk_image.img > disk_image.sha256

If the image is ever questioned, the hash proves it hasn't been altered.

Step 3: Identify File Types of Interest

Decide what file types you're looking for:

  • Images? (JPEG, PNG, GIF, BMP)
  • Documents? (PDF, DOCX, XLSX)
  • Executables? (EXE, DLL, ZIP)
  • Emails? (PST, OST, EML)

Different investigations focus on different file types.

Step 4: Run File Carving

Execute the carving tool with appropriate parameters:

foremost -t jpg,pdf,zip -i disk_image.img -o /evidence/carved_files

This searches for JPEG, PDF, and ZIP files within the disk image, extracting all found files.

Step 5: Review Carved Files

The tool creates an output directory with recovered files. Review them:

  • Count recovered files
  • Spot-check files for validity (open some images to verify they're not corrupted)
  • Look for unexpected file types or hidden content
  • Cross-reference with investigative leads

Step 6: Analyze for Evidence

Examine carved files for investigatively relevant content:

  • Spreadsheets with financial records
  • Email archives with communication history
  • Images showing prohibited activity
  • Document metadata showing creation/modification history
  • Hidden data within files (steganography)

Step 7: Document and Preserve

Create a detailed report:

  • Hash values of carved files
  • Timeline of file creation/modification
  • Chain of custody for all evidence
  • Findings relevant to the investigation

Challenges and Limitations of File Carving

Challenge 1: Fragmentation

A large file might be scattered across many non-contiguous sectors. File carving typically doesn't reassemble fragmented files well.

Impact: You might recover partial files rather than complete ones.

Mitigation: Use advanced carving tools that attempt fragment reassembly. Manually recover large files by understanding file structures.

Challenge 2: False Positives

When searching for file signatures, you might find bytes that match by coincidence within some other file.

Example: The byte sequence FF D8 FF (JPEG start) might appear within a ZIP file accidentally, causing the carver to misidentify a JPEG start where none exists.

Mitigation: Use file-type specific tools that verify complete file structure, not just signatures.
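What structure-aware verification looks like for the JPEG case above (an added example, not the article's or any tool's code): every FF D8 FF hit is walked segment by segment, checking marker and length fields, requiring an SOS scan and a closing EOI before the hit counts as a file. The two constructed inputs, a minimal structurally valid JPEG and a ZIP-like blob containing a coincidental FF D8 FF, are this example's assumptions.

```python
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}   # TEM and RST0-7: markers with no length
SCAN_OK = {0x00, *range(0xD0, 0xD8)}      # bytes allowed after FF inside scan data

def validate_jpeg(data, start=0, max_len=8 * 1024 * 1024):
    """Walk the segment chain from a candidate FF D8 FF hit.
    Returns (ok, end): ok only if every segment length is sane, an SOS scan
    was seen and the chain ends in EOI. Coincidental hits fail fast."""
    end = min(len(data), start + max_len)
    if data[start:start + 3] != b"\xff\xd8\xff":
        return False, start
    pos, seen_scan = start + 2, False
    while pos + 2 <= end:
        if data[pos] != 0xFF:
            return False, pos                 # every segment begins with FF
        marker = data[pos + 1]
        if marker == 0xFF:                    # fill byte before a marker
            pos += 1
        elif marker == EOI:
            return seen_scan, pos + 2
        elif marker in STANDALONE:
            pos += 2
        else:
            if pos + 4 > end:
                return False, pos
            seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
            if seg_len < 2 or pos + 2 + seg_len > end:
                return False, pos             # bogus length: not a real segment
            pos += 2 + seg_len
            if marker == SOS:                 # skip entropy-coded data to next marker
                seen_scan = True
                while pos + 1 < end and not (data[pos] == 0xFF and data[pos + 1] not in SCAN_OK):
                    pos += 1
    return False, pos

def carve_jpegs(data):
    """Two-step JPEG carving with structural verification of each hit."""
    found, pos = [], data.find(b"\xff\xd8\xff")
    while pos != -1:
        ok, end = validate_jpeg(data, pos)
        if ok:
            found.append((pos, end))
        pos = data.find(b"\xff\xd8\xff", pos + 1)
    return found

# Constructed inputs: a minimal valid JPEG (SOI, APP0, SOS, scan with one FF 00
# stuffed byte, EOI) and a ZIP-like blob where FF D8 FF occurs by coincidence.
VALID_JPEG = (b"\xff\xd8" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34\xff\x00\x56" + b"\xff\xd9")
FALSE_HIT = b"PK\x03\x04" + b"\x00" * 12 + b"\xff\xd8\xffrandom text here" + b"\x00" * 16
```

Run over FALSE_HIT + VALID_JPEG, carve_jpegs rejects the hit inside the ZIP-like data (its "length" field reads as tens of kilobytes past the end) and returns only the real image's offsets.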

Challenge 3: Overwritten Data

If deleted file sectors have been overwritten (by new files, temporary data, or intentional wiping), the original data is lost.

Impact: Complete file recovery becomes impossible, though partial recovery might succeed.

Challenge 4: Encrypted Files

Encrypted files appear as random data even after carving. If the data was intentionally encrypted, recovery doesn't reveal the content.

Mitigation: Look for encryption keys, passphrases, or disk encryption information that might allow decryption.

Challenge 5: Performance

Carving through a 1TB disk image looking for every possible file type takes hours or days.

Mitigation: Focus on specific file types relevant to your investigation. Use keyword searching for more targeted results.

Real-World Carving Scenarios

Scenario 1: Insider Threat Investigation

An employee allegedly stole source code. They claim they never had access to the files. But investigators carve their work computer and recover multiple versions of the company's proprietary code files, including versions deleted months ago.

Technique: JPEG and PDF carving to find documents. Result: Recovered files with metadata showing the employee's creation dates prove they had access and took the files.

Scenario 2: Data Breach Forensics

A company was hacked. Investigators need to understand what data was exfiltrated. They image the attacker's server (obtained through law enforcement).

Technique: File carving of the entire server, looking for all file types. Result: Recovered encrypted backups, configuration files, and stolen customer databases showing exactly what was compromised.

Scenario 3: Ransomware Analysis

Ransomware infected a system. The encryption process created temporary files. Some files were partially encrypted before the system crashed. Investigators need to understand what data was lost.

Technique: Carving to find intact and partially encrypted file copies. Result: By examining intact and partial files, the forensic team understands what ransomware attacked, helping advise the organization on notification obligations.

Best Practices for File Carving Investigations

  1. Always image first: Never run carving tools on original devices
  2. Calculate hash values: Prove image integrity throughout investigation
  3. Focus on relevant file types: Don't carve for everything; narrow to investigatively significant files
  4. Verify carved files: Spot-check recovered files to ensure they're valid
  5. Document methodology: Explain your carving approach to meet evidentiary standards
  6. Preserve metadata: Note carving tool versions, parameters used, and date/time
  7. Cross-reference: Compare carved files to other evidence sources
  8. Consider fragmentation: Understand that large files might not be completely recovered
  9. Address false positives: Verify that identified files are genuine, not coincidental signature matches

Conclusion

File carving is a powerful forensic technique for recovering deleted files, discovering hidden data, and analyzing unallocated space without depending on file system metadata. By searching for file signatures and structures within raw disk data, forensic analysts can recover evidence even when file systems are corrupted or intentionally hidden.

Whether investigating insider threats, analyzing compromised systems, recovering from ransomware attacks, or handling damaged storage devices, file carving provides a crucial capability. Combined with other forensic techniques and properly documented in accordance with legal standards, file carving often becomes the key evidence that solves complex investigations.

Organizations that develop expertise in file carving—understanding both the capabilities and limitations—gain a significant advantage in detecting breaches, responding to incidents, and prosecuting those responsible for data theft or system compromise.
