When we delete files from our computer or device, they are not completely lost until their memory locations are deleted during a device wipe. Many of their fragments still remain in unallocated memory and can be reconstructed theoretically.
What is File Carving?
File Carving is a process of reconstructing computer files which might have been formatted or effectively deleted by the user. The software has to accurately collect pieces from a large data pool present in the hard disk or other storages, even without helpful metadata indicators or other specific guidance.
File Carving tools use various markers like headers and footers and try to identify parts of a file. This software relies on heuristics and probability handling tools to successfully collect required files. Beyond this, advanced algorithms help to improve the file recovery results.
Though File Carving is largely based on guesswork, if we use the right tool with advanced features and capabilities, the file recovery outcomes will significantly improve and help bring order out of the chaos.
Best File Carving Tools
If you are mainly looking for Microsoft Event Viewer Logs, EVTXtract is perfect for you. This is one of the best tools available out there, which recovers and reconstructs the fragments of EVTX log files from raw binary data, memory image, and unallocated space.
If you are unaware, EVTX records are available in one of the most popular formats, but still, its recovery is not that easy. This is because these files are encoded using Microsoft-specific binary XML representation, and depends on the records found nearby. But when we are dealing with corrupted or unallocated space, the recovery has to go through a lot of phases.
The EVTXtract is actually a Python script, which you can easily run on any platforms like on Windows, Linux, and MacOS. Just invoke the script, provide the path to a binary image, and lastly wait until EVTXtract writes its results to the standard out stream.
bulk_extractor is another file carving tool that scans a directory of files, disk image and extracts helpful information without parsing the file system or file system structures. It can provide an output stream of many kinds of files including domain.txt, ccn.txt, ether.txt, exif.txt, find.txt, etc.
This tool is well versed with many essential and advanced capabilities and can be used in defence, intelligence, law enforcemen, and cyber-investigation applications. As it ignores the file system structure, bulk_extractor provide unmatched speed and thoroughness when compared to others.
Going a little bit deep, the program splits the disk up into 16MiByte pages and processes one page on each available core. This basically means the machines with 24 cores process a disk approximately 24 times faster than a 1-core machine. Despite this, bulk_extractor automatically detects, decompresses and recursively re-processes compressed data with a variety of advanced algorithms. It’s available for Windows and Linux systems.
Scalpel is also a very good file carving and indexing application for Windows and Linux systems. It was initially released in 2005 and based on Foremost 0.69. After a number of releases, Scalpel has improved a lot.
Talking about its new public release v2.0, it comes with minimum carve sizes, support of regular expressions for headers/footers, asynchronous I/O to overlap disk operations with pattern matching, massively multithreading for quicker execution on multicore CPUs, etc. Scalpel is even able to process structured file types containing embedded files.
This file carving tool is based on pattern recognition that describes a particular file or data fragment types. The patterns can be based on either binary strings or regular expressions. If you are interested, you can find the number of default patterns in the configuration file included in the distribution scalpel.conf. Overall, it’s a very good data carving tool for a large amount of data.
I hope you found these tools useful. If you are a beginner and looking for a proper file and data carving tool, just don’t fire queries on Google and go to random pages. A simple mistake could lead to the installation of malicious tool and loss of data. Always seek authentic sources and read reviews before proceeding further.