Carving and its Implementations in Digital Forensics

Igor Mikhailov © Belkasoft Research

Introduction

Carving is an irreplaceable technique widely used in data recovery and digital forensics. By using carving, we essentially perform a low-level scan of the media for various artifacts, looking for signatures: specific sequences of bytes characteristic of a particular type of data.


SQLite database signature in Belkasoft Hex Viewer

This also means that carving disregards files themselves in performing the byte sequence search, thus becoming extremely helpful in cases where data has been corrupted or deleted. However, its usefulness is not limited to one particular scenario. Let us take a look at various cases where carving comes in handy.
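As an added illustration (not code from the article or from Belkasoft), the sketch below carves SQLite databases out of a raw byte image by searching for the 16-byte SQLite header signature and then using the page size and page count stored in the header to decide how many bytes to extract. It assumes the database is stored contiguously; the function names and the sample image are constructed for this example.

```python
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"  # 16-byte signature at offset 0 of every SQLite file

def db_size(header: bytes):
    """Validate a candidate 100-byte SQLite header; return file size in bytes or None."""
    if len(header) < 100:
        return None
    (page_size,) = struct.unpack_from(">H", header, 16)
    if page_size == 1:                      # the value 1 encodes a 65536-byte page
        page_size = 65536
    if page_size < 512 or page_size & (page_size - 1):
        return None                         # not a power of two: signature is a false hit
    change_counter, page_count = struct.unpack_from(">II", header, 24)
    (version_valid_for,) = struct.unpack_from(">I", header, 92)
    if page_count == 0 or change_counter != version_valid_for:
        return None                         # in-header size is not trustworthy
    return page_size * page_count

def carve_sqlite(image: bytes):
    """Return (offset, length, blob) for each database found, ignoring any file system."""
    hits, pos = [], image.find(SQLITE_MAGIC)
    while pos != -1:
        size = db_size(image[pos:pos + 100])
        if size and pos + size <= len(image):
            hits.append((pos, size, image[pos:pos + size]))
            pos = image.find(SQLITE_MAGIC, pos + size)   # skip past the carved file
        else:
            pos = image.find(SQLITE_MAGIC, pos + 1)      # rejected hit, keep scanning
    return hits

def build_sample_image():
    """Constructed image: junk, one 2-page database, junk, one bare signature string."""
    hdr = bytearray(100)
    hdr[0:16] = SQLITE_MAGIC
    struct.pack_into(">H", hdr, 16, 512)       # page size
    struct.pack_into(">II", hdr, 24, 7, 2)     # change counter, page count
    struct.pack_into(">I", hdr, 92, 7)         # version-valid-for matches change counter
    db = bytes(hdr) + b"\x00" * (1024 - 100)
    return b"\xAA" * 300 + db + b"\xBB" * 200 + SQLITE_MAGIC + b"\xCC" * 120

if __name__ == "__main__":
    for offset, length, _ in carve_sqlite(build_sample_image()):
        print(f"SQLite database at offset {offset}, {length} bytes")
```

The header validation matters because the signature string alone also appears in places that are not database files; here the second occurrence is rejected because the bytes after it do not form a valid page size.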

Renamed, relocated, hidden data

We have talked briefly about using carving to find hidden, renamed, and relocated data in our whitepaper about countering common anti-forensic efforts. Since carving does not take into account the file itself, it does not care about its name and location either. Therefore, by performing carving, we ensure that files that have been slightly modified (e.g. change of original location, name, or extension) will be found on the media despite the changes the user applied in an attempt to conceal data. This also applies to data hidden inside containers and other forms of hidden data. As an example, images inserted into an MS Word document or scripts injected into a PDF file would not be visible in the file system; however, we would be able to find them using carving.

Deleted data in unallocated space, free space, and slack space

Unallocated space

Another important implication of carving is searching for data inside slack space and unallocated space.
