In many respects, file carving is the heart of a computer forensics examination. Digital forensic tools can help automate the process, but it frequently comes down to the skills and training of the analyst. File carving involves a bit-by-bit analysis of the contents of a hard drive, searching for remnants of files which have been marked for deletion.
Computers store information in sectors and clusters, but these clusters may be scattered in many different locations on the hard drive. Fragments of partially-overwritten files may also exist within allocated clusters.
Related files will often have identical metadata within file headers, which helps us to identify which fragments may be important, which ones we can ignore and which fragments fit together. Once we identify fragments which may have come from the same file, forensic recovery becomes a digital jigsaw puzzle: working out how they should fit together.
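As an added illustration (not part of the original glossary entry), the Python sketch below shows the simplest form of carving: scanning a raw image for known file headers and footers. It only recovers contiguous files and reports nothing for a header whose footer is missing, which is where the fragment matching described above takes over. The sample "disk" and all function names are constructed for this example.

```python
"""Minimal header/footer file carver (illustrative; contiguous files only)."""

# Well-known file signatures: (header magic, footer magic)
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 10 * 1024 * 1024  # give up if no footer within this many bytes


def carve(image: bytes, max_size: int = MAX_SIZE):
    """Return a sorted list of (offset, kind, data) for each header/footer pair."""
    hits = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header with no footer in range: truncated or fragmented file.
                pos = start + 1
                continue
            end += len(footer)
            hits.append((start, kind, image[start:end]))
            pos = end
    return sorted(hits)


def build_sample_image() -> bytes:
    """Constructed 'disk': 512-byte sectors holding two deleted files and slack."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-sample-data" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"sample-chunks" + b"IEND\xaeB`\x82"
    orphan = b"\xff\xd8\xff\xe0" + b"overwritten tail"  # header only, no footer
    sectors = [b"", jpg, b"", png, orphan]
    return b"".join(s.ljust(512, b"\x00") for s in sectors)


if __name__ == "__main__":
    for offset, kind, data in carve(build_sample_image()):
        print(f"offset {offset:>5}  sector {offset // 512}  {kind}  {len(data)} bytes")
```

In real casework the carver would be run against a read-only forensic copy of the drive, never the original media.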
File carving is a painstaking process, but the time taken can be very rewarding. When we recover a deleted file, photo or e-mail, it can give us definitive evidence confirming or refuting the suspicions of our clients.