Carving is an irreplaceable technique widely used in data recovery and digital
forensics. By using carving, we essentially perform a low-level scan of the media
for various artifacts, looking for signatures: specific sequences of bytes
characteristic of a particular type of data.
[Figure: SQLite database signature in Belkasoft Hex Viewer]
This also means that carving searches for byte sequences without regard to the
files themselves, which makes it extremely helpful in cases where data has been
corrupted or deleted. However, its usefulness is not limited to one particular
scenario. Let us take a look at various cases where carving comes in handy.
Renamed, relocated, hidden data
We have talked briefly about using carving to find hidden, renamed, and relocated
data in our whitepaper about
common anti-forensic efforts. Since carving does not take into account the file
itself, it does not care about its name and location either. Therefore, by performing
carving, we ensure that files that have been slightly modified (e.g., a change of
original location, name, or extension) will be found on the media despite the changes
the user applied in an attempt to conceal data. This also applies to data hidden
inside containers and other forms of hidden data. As an example, images inserted
into an MS Word document or scripts injected into a PDF file would not be visible
in the file system; however, we would be able to find them using carving.
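The signature scan described above, as an added example (not Belkasoft's code): it carves a SQLite database by its header and in-header length, and a JPEG by header and footer, from a constructed byte buffer that carries no file names or locations. The function names and the sample buffer are assumptions made for illustration, and the SQLite page-count field is trusted as written.

```python
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"   # 16-byte header string of a SQLite database
JPEG_SOI = b"\xff\xd8\xff"              # JPEG start-of-image marker plus next marker byte
JPEG_EOI = b"\xff\xd9"                  # JPEG end-of-image marker


def carve_sqlite(buf):
    """Header-plus-length carving: the size comes from fields inside the header."""
    hits, pos = [], buf.find(SQLITE_MAGIC)
    while pos != -1:
        if pos + 100 <= len(buf):        # full 100-byte database header present
            page_size = struct.unpack_from(">H", buf, pos + 16)[0]
            page_count = struct.unpack_from(">I", buf, pos + 28)[0]
            page_size = 65536 if page_size == 1 else page_size
            # Reject false positives: page size must be a power of two in 512..65536.
            valid = 512 <= page_size <= 65536 and page_size & (page_size - 1) == 0
            if valid and page_count > 0:
                end = min(pos + page_size * page_count, len(buf))
                hits.append(("sqlite", pos, end))
        pos = buf.find(SQLITE_MAGIC, pos + 1)
    return hits


def carve_jpeg(buf):
    """Header-footer carving: take bytes from the SOI marker to the next EOI."""
    hits, pos = [], buf.find(JPEG_SOI)
    while pos != -1:
        end = buf.find(JPEG_EOI, pos + len(JPEG_SOI))
        if end == -1:
            break                        # header without footer: truncated or overwritten
        hits.append(("jpeg", pos, end + len(JPEG_EOI)))
        pos = buf.find(JPEG_SOI, end + len(JPEG_EOI))
    return hits


def build_sample():
    """Constructed sample: raw bytes with no file names, extensions or directories."""
    db = bytearray(1024)                 # 2 pages of 512 bytes
    db[0:16] = SQLITE_MAGIC
    db[16:18] = struct.pack(">H", 512)
    db[28:32] = struct.pack(">I", 2)
    jpeg = JPEG_SOI + b"\xe0" + b"constructed-image-data" + JPEG_EOI
    return b"\x00" * 300 + bytes(db) + b"PK-container-bytes" + jpeg + b"\x00" * 50


if __name__ == "__main__":
    image = build_sample()
    for kind, start, end in carve_sqlite(image) + carve_jpeg(image):
        print(f"{kind:6} offset={start:#x} length={end - start}")
```

The page-size check is what keeps a stray copy of the header string (for example inside documentation or another tool's binary) from being reported as a database.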
Deleted data in unallocated space, free space, and slack space
Another important implication of carving is searching for data inside slack space
and unallocated space.