File carving is a technique used to recover deleted or lost files, or fragments of files, from a disk when the file system metadata that would normally locate them is absent.
Because it works on raw content rather than metadata, file carving can also recover files from unallocated space on the disk, where the entries describing them have been deleted or overwritten. This makes it a key step for extracting evidence during the analysis of a cyber-crime incident.
A cyber criminal may delete valuable data, or delete an entire partition and merge its now-unallocated space into the system partition, to make the investigator's examination more difficult.
In computer forensics, file carving is the technique used to bypass such anti-forensic measures taken by the suspect.
File Header Analysis
A file header, also called a file signature or magic number, is a constant sequence of bytes (numeric or text) that identifies a file's format.
It is placed at the beginning of the file so that the operating system and other software know how to interpret the contents that follow.
For example, a user can disguise a .jpg image by renaming it with a .dll extension. Renaming changes the extension but not the header, so header analysis still reveals the actual file format.
By examining the first bytes of a file in a hex editor, we can identify its actual format regardless of its name. Some commonly used extensions and their hex signatures are listed below.
File Extension | Hex Signature
---|---
JPG | FF D8
DOC, DOT, PPS, PPT, XLA, XLS, WIZ | D0 CF 11 E0 A1 B1 1A E1
PNG | 89 50 4E 47 0D 0A 1A 0A
PDF | 25 50 44 46

The second row is the OLE2 compound document header shared by all the legacy binary Office formats, which is why a single signature covers several extensions. The PDF signature is simply the ASCII text "%PDF".
Hex signature of a .jpg file is shown below:
Investigators can look for these file hex signatures using tools like
Windows File Carving
When a user deletes a file, Windows does not wipe its contents from the hard disk. The file system keeps a metadata record for each file and folder that points to where on the disk the file's data begins and ends.
Deleting the file removes that record (the pointer), but the clusters holding the contents remain untouched on the disk. The file can therefore be recovered until the sectors containing its contents are overwritten with new
data.
Forensic data recovery tools can recover this data. Some of the tools are
On Windows, file carving behaves differently on SSDs and HDDs. If TRIM is enabled on an SSD, recovering deleted data is difficult.
What is TRIM?
TRIM is a command of the ATA (Advanced Technology Attachment) interface that is essential for managing an SSD (solid-state drive). It lets the operating system tell the SSD which blocks no longer hold live data, so the drive's controller can erase and reuse them during garbage collection instead of preserving their contents.
TRIM is enabled by default on SSDs. When it is enabled, Windows sends a TRIM notification to the drive every time a file is deleted.
We can check whether TRIM is enabled on an SSD by running the following command in a Command Prompt window:
fsutil behavior query DisableDeleteNotify
If you see DisableDeleteNotify = 0, TRIM is enabled.
If you see DisableDeleteNotify = 1, TRIM is disabled.
Before carving, the investigator should check the TRIM status of any SSD involved, since it determines whether deleted contents are likely to have survived.
SSD & HDD File Carving
File carving on a TRIM-enabled SSD is generally unable to recover deleted data: once the drive's controller has acted on the TRIM command, reads of the trimmed blocks no longer return the original contents (many drives return zeros), so there is nothing left to carve.
Forensic tools such as Autopsy or EaseUS Data Recovery can still be pointed at the disk.
They may list the names of deleted files from surviving file system metadata, but the contents cannot be recovered because TRIM has released the blocks.
If TRIM is disabled, the analysis proceeds as it would on an HDD, and file carving can recover the lost data from the drive.
On HDDs, file carving can be performed without this difficulty, because deleted contents stay on the platters until they are overwritten.
The analysis is performed on a forensic image of the drive rather than on the original disk; the image can be acquired with tools like FTK Imager or the dd utility.
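The signature table, the "pointer removed but contents remain" model of deletion, and the TRIM caveat above can be exercised together on a constructed image. The following Python is an added example, not code from the original page or from any of the tools it names: it builds a small toy volume (a byte array of 512-byte sectors plus a directory table standing in for the file system metadata), plants three hand-built sample files, deletes two of them with and without a modelled TRIM, and carves the raw image by header and trailer. The ToyVolume class, the tiny_* sample files and the immediate-zeroing model of TRIM are assumptions made for the example; the header bytes are the ones from the table, with the JPEG check tightened to FF D8 FF.

```python
import struct
import zlib
from typing import Optional

# Header bytes from the table above, paired with the trailer a carver uses to
# find the end of the file. JPEG: the byte after SOI (FF D8) is always the start
# of another marker, so checking FF D8 FF removes most false positives; the file
# ends with the EOI marker FF D9. PNG ends with the IEND chunk (zero length,
# type, fixed CRC AE 42 60 82). PDF ends with the %%EOF comment.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF", b"%%EOF"),
}

def identify(data: bytes) -> Optional[str]:
    """Return the format implied by the header bytes, ignoring the file name."""
    for kind, (header, _) in SIGNATURES.items():
        if data.startswith(header):
            return kind
    return None

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the extension claims one format but the header says another."""
    ext = filename.rsplit(".", 1)[-1].lower()
    actual = identify(data)
    return actual is not None and ext != actual

def carve(image: bytes, max_size: int = 1 << 20):
    """Signature-based carving over raw bytes: find each header, then its
    trailer. The directory is never consulted, which is what lets this recover
    a file whose metadata is gone but whose sectors were not reused.
    Returns (offset, kind, bytes) tuples sorted by offset."""
    found = []
    for kind, (header, trailer) in SIGNATURES.items():
        pos = 0
        while True:
            pos = image.find(header, pos)
            if pos == -1:
                break
            end = image.find(trailer, pos + len(header), pos + max_size)
            if end == -1:
                pos += 1          # header with no trailer: fragment or false hit
                continue
            end += len(trailer)
            found.append((pos, kind, image[pos:end]))
            pos = end
    return sorted(found)

# --- constructed sample files (built for this example, not real evidence) ---
def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def tiny_png() -> bytes:
    """A valid 1x1 8-bit RGB PNG assembled by hand."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80\x80\x80")        # filter byte + one grey pixel
    return (SIGNATURES["png"][0] + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))

def tiny_jpeg() -> bytes:
    """SOI + JFIF APP0 segment + padding + EOI: carvable structure, not a picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + bytes(32) + b"\xff\xd9"

def tiny_pdf() -> bytes:
    return b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF"

SECTOR = 512

class ToyVolume:
    """Assumed stand-in for a volume: raw sectors plus a directory. The directory
    is the metadata ('pointer') that deletion removes; the sectors keep their bytes."""
    def __init__(self, sectors: int = 64):
        self.image = bytearray(sectors * SECTOR)
        self.directory = {}           # name -> (first sector, length)
        self.next_free = 1            # sector 0 left alone, like a boot sector

    def write(self, name: str, data: bytes) -> None:
        off = self.next_free * SECTOR
        self.image[off:off + len(data)] = data
        self.directory[name] = (self.next_free, len(data))
        self.next_free += -(-len(data) // SECTOR)   # ceiling division: whole sectors

    def delete(self, name: str, trim: bool = False) -> None:
        first, length = self.directory.pop(name)   # only the metadata goes away
        if trim:
            # Modelled TRIM (assumption): the drive is told the LBAs are unused and,
            # once the controller acts on it, reads of them return zeros.
            off = first * SECTOR
            self.image[off:off + length] = bytes(length)

def demo(trim: bool):
    """Plant three files, delete two (one a JPEG hidden behind a .dll name),
    then carve the raw image. Returns (sector, kind, size) per carved file."""
    vol = ToyVolume()
    vol.write("report.pdf", tiny_pdf())
    vol.write("photo.dll", tiny_jpeg())
    vol.write("logo.png", tiny_png())
    vol.delete("photo.dll", trim=trim)
    vol.delete("logo.png", trim=trim)
    return [(off // SECTOR, kind, len(blob)) for off, kind, blob in carve(bytes(vol.image))]

if __name__ == "__main__":
    print("renamed JPEG flagged by header:", extension_mismatch("photo.dll", tiny_jpeg()))
    print("HDD / TRIM off:", demo(trim=False))
    print("SSD / TRIM on: ", demo(trim=True))
```

Run directly, the renamed JPEG is flagged by its header, and with TRIM off both deleted files are carved back intact alongside the still-allocated PDF; with TRIM on, only the PDF survives. The same carve() can be run over a real image acquired with dd, with two caveats a production carver has to handle: a header-to-trailer scan recovers only contiguous files, and FF D9 also terminates the EXIF thumbnail embedded in many camera JPEGs, so the first trailer found is not always the end of the file.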
Conclusion
Cyber criminals frequently employ anti-forensic techniques to evade detection and investigation.
However, the cyber security and digital forensics community has developed plenty of tools to counter these methods.
By continually advancing our digital forensic capabilities, we can enhance our ability to fight cyber-crime and safeguard our digital world.