glossary

File Carving 

file carvingFile Carving - File carving is the process of recovering computer files from a storage medium without the use of the standard file-system meta-data that is typically used during a normal file retrieval.  This technique is used extensively in data recovery processes where files may have been accidently deleted or the storage medium formatted or corrupted in some way.

To recover deleted files or files from a formatted device requires reading the device linearly, recovering as much of the raw data that remains as possible, and then using a series of assumptions about file structures and fragmentation patterns to attempt to rebuild the original files.

This process requires attempting enormous numbers of permutations to successfully rebuild entire files and because of this fact modern file carving software now utilize sophisticated models and sequential hypothesis testing algorithms to make the process more manageable. In essence the file carving software attempts to rebuild the data using a set of predefined data structure templates that are specifically selected based upon distinct markers that are contained within the raw data.

Nearly all of the data stored on any re-writable medium is fragmented to various degrees. During a file carving data retrieval process fragmentation is in large part the most difficult and time consuming aspect of recovering the data. Without the File Allocation Table (FAT) to identify the addresses of where each individual piece of a particular fragmented file is located, it becomes necessary to reconstruct data files with no knowledge of where the next piece of that fragment may reside. Additionally, the files may be separated into tens, or even hundreds of randomly scattered fragments that can be stored anywhere on the entire storage medium.

Gap carving is the process of locating two fragments, identifying whether they form a valid object when joined and if so reassembling them. This process is referred to as Bitfragment Gap Carving (BGC). Smart Carving goes a step further; this process makes use of heuristics regarding the fragmentation behavior of known file systems. Fragmented blocks are grouped according to their file type, they are then placed in sequence to approximate the original data, and finally they are reassembled to reproduce the lost data.

File carving has many applications and can be used to recover files not only from accidently deleted data but also from corrupted drives, scratched CDs/DVDs, over-written data and intentionally deleted file systems.

Technical Terms

A
    B
    C
    D
    E
    F
    G
    H
    I
    J
    K
    L
    M
    N
    O
    P
    R
    S
    T
    U
    V
    W