File Carving
What is File Carving?
File CarvingA forensic technique that recovers files from unallocated space or raw data by recognizing file signatures, headers, and footers without relying on filesystem metadata.
File carving reconstructs deleted or fragmented files directly from a disk image, memory dump, or network capture, even when the filesystem entries that describe them are missing or corrupted. Carvers identify candidate files by scanning for known magic bytes (such as JPEG FFD8FFE0 or PDF %PDF-) and either reading to a recognized footer or applying size heuristics. Tools include PhotoRec, Scalpel, Foremost, bulk_extractor, and Magnet AXIOM. Advanced carvers (SmartCarving) reassemble fragmented files using structure-aware logic. Carving is essential when adversaries delete artifacts or formatted media is involved, but recovered files require validation because false positives are common.
● Examples
- 01
Recovering deleted JPEG images from a wiped USB drive with PhotoRec.
- 02
Carving Office documents out of a memory dump using bulk_extractor.
● Frequently asked questions
What is File Carving?
A forensic technique that recovers files from unallocated space or raw data by recognizing file signatures, headers, and footers without relying on filesystem metadata. It belongs to the Forensics & IR category of cybersecurity.
What does File Carving mean?
A forensic technique that recovers files from unallocated space or raw data by recognizing file signatures, headers, and footers without relying on filesystem metadata.
How do you defend against File Carving?
Defences for File Carving typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for File Carving?
Common alternative names include: Data carving, Signature-based recovery.