SlideShare a Scribd company logo

File carving overview

Marco Alamanni, profile picture
Marco Alamanni

This section on file carving and data recovery discusses the examination of unallocated and slack disk space, deleted files, and the Windows recycle bin. It introduces file carving tools such as foremost, scalpel, and photorec, along with the process of extracting meaningful data from unallocated space. The document also highlights the challenges posed by file fragmentation during data recovery.

Software
1 of 10
Downloaded 12 times
1
2
3
4
5
Most read
6
7
Most read
8
9
Most read
10
Digital forensics with Kali Linux Marco Alamanni Section 4 File carving and data recovery www.packtpub.com
In this Section, we are going to take a look at… ● Introduction to file carving: unallocated and slack disk space, deleted files, Recycle Bin. ● File carving tools: Foremost, Scalpel and Photorec. ● Data extraction using Bulk-extractor
Course Name Author Name Video 4.1 File carving overview
In this Video, we are going to take a look at… ● Introduction to file slack and unallocated space, deleted files and the file carving process. • The Windows Recycle Bin and how to examine it with Rifiuti2.
Introduction to slack space ● Smallest addressable data units on filesystems are called blocks or clusters, that are usually 4 KB of size. • Files generally use various blocks, the last block being only partial ly used. • The space left between the end of the file’s data and the end of the block is called slack space. • Slack space can contain hidden data or remnants from previously deleted file.
Introduction to slack space
Deleted files and unallocated space ● When a file is deleted, the relative directory entry is removed but the entry in the file’s table remains. • The file’s allocated blocks become unallocated; they are marked as free but not modified until reallocated to other files. • The unallocated blocks’ contents could be recovered using The Sleuth Kit tools or data carving tools
Introduction to data carving ● Data carving is the process of identifying and extracting meaningful data out of the unallocated and slack space. • It relies on locating the magic number of a file and copying all the data until the end of file (EOF) marker is not found. • It is straightforward if the file’s data blocks are contiguous, could be challenging if the file is fragmented. • Algorithm for file carving that also handle fragmentation has been developed for data carving tools.
The Windows Recycle Bin ● On modern operating systems, deleted files are usually first moved to the Recycle Bin (on Windows) or analogous directory. • These files are permanently deleted if the Recycle Bin is emptied or can be restored in the original location. • On Windows XP and earlier deleted files are placed under C:Recycler subfolders, one for each user, and the relative information are stored in INFO2 index files. • On Windows Vista and newer deleted files are stored under C:$Recycle.Bin subfolders in files that begin with $I and $R.
Next Video File carving tools

More Related Content

ODP
File carving tools
Marco Alamanni
 
PPT
File Carving
Aakarsh Raj
 
PPTX
Advances in File Carving
Rob Zirnstein
 
PPT
File structures
Shyam Kumar
 
PPT
Files
kirtidhamija16
 
PPT
File organization
Ganesh Pawar
 
PPTX
Chapter 3
Cahaya Penyayang
 
PPT
Linux Forensics
Santosh Khadsare
 
File carving tools
Marco Alamanni
 
File Carving
Aakarsh Raj
 
Advances in File Carving
Rob Zirnstein
 
File structures
Shyam Kumar
 
Files
kirtidhamija16
 
File organization
Ganesh Pawar
 
Chapter 3
Cahaya Penyayang
 
Linux Forensics
Santosh Khadsare
 

What's hot (19)

PPTX
file system in operating system
tittuajay
 
PPTX
Free Space Management, Efficiency & Performance, Recovery and NFS
United International University
 
PDF
Ntfs forensics
n|u - The Open Security Community
 
PPT
11. Storage and File Structure in DBMS
koolkampus
 
PPTX
File management
Vishal Singh
 
PPTX
Types of files
Amar Jukuntla
 
PPTX
File Management – File Concept, access methods, File types and File Operation
Dhrumil Panchal
 
PDF
File organisation
Suneel Dogra
 
ODT
Operating System Forensics
ArunJS5
 
PPTX
File System Interface
chandinisanz
 
PDF
Ntfs forensics
Malla Reddy Donapati
 
PDF
Workshop 2 revised
peterchanws
 
PPTX
Operating Systems - File Management
Damian T. Gordon
 
PDF
10 File System
Dr. Loganathan R
 
PPTX
physical file system in operating system
tittuajay
 
PPT
Files concepts.53
myrajendra
 
PPT
File Management in Operating Systems
vampugani
 
PPT
Contigious
Ramasubbu .P
 
PDF
File management
Mohd Arif
 
file system in operating system
tittuajay
 
Free Space Management, Efficiency & Performance, Recovery and NFS
United International University
 
Ntfs forensics
n|u - The Open Security Community
 
11. Storage and File Structure in DBMS
koolkampus
 
File management
Vishal Singh
 
Types of files
Amar Jukuntla
 
File Management – File Concept, access methods, File types and File Operation
Dhrumil Panchal
 
File organisation
Suneel Dogra
 
Operating System Forensics
ArunJS5
 
File System Interface
chandinisanz
 
Ntfs forensics
Malla Reddy Donapati
 
Workshop 2 revised
peterchanws
 
Operating Systems - File Management
Damian T. Gordon
 
10 File System
Dr. Loganathan R
 
physical file system in operating system
tittuajay
 
Files concepts.53
myrajendra
 
File Management in Operating Systems
vampugani
 
Contigious
Ramasubbu .P
 
File management
Mohd Arif
 
Ad

Similar to File carving overview (20)

PDF
De-Anonymizing Live CDs through Physical Memory Analysis
Andrew Case
 
PPTX
Unit 5.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
likhithmuthyalu2
 
PDF
Technical Presentation
Naito Watanabe
 
PPTX
Operating system note of File System chapter .pptx
maheshyadav5048
 
PPT
Bin carver
saddamhusain hadimani
 
PPT
Windowsforensics
Santosh Khadsare
 
PPT
File Allocation Methods.ppt
BharathiLakshmiAAssi
 
PDF
Week7-slides
TetsuroIshizuka
 
PDF
Poking The Filesystem For Fun And Profit
ssusera432ea1
 
PPTX
4_5800969115594131708.pptx
Abdisalaammohamud1
 
PPTX
File System.pptx
bcanawakadalcollege
 
PPTX
C) ICT Application
remotestaffdesignsolution
 
PDF
Week7 homework
TetsuroIshizuka
 
PDF
Week7 homework.pptx
TetsuroIshizuka
 
PPTX
Operating System Unit 4(RTU Syllabus).pptx
skultdedsec
 
PPTX
File system
Navin Royal Achakkagari
 
PPTX
Assignment c
Masato Ito
 
PPTX
UNIT III.pptx
YogapriyaJ1
 
PPTX
L12 slides
Ann Bentley
 
PPTX
Unit-1-Lecture-9.pptx file structure semester
NevilDesai8
 
De-Anonymizing Live CDs through Physical Memory Analysis
Andrew Case
 
Unit 5.pptxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
likhithmuthyalu2
 
Technical Presentation
Naito Watanabe
 
Operating system note of File System chapter .pptx
maheshyadav5048
 
Bin carver
saddamhusain hadimani
 
Windowsforensics
Santosh Khadsare
 
File Allocation Methods.ppt
BharathiLakshmiAAssi
 
Week7-slides
TetsuroIshizuka
 
Poking The Filesystem For Fun And Profit
ssusera432ea1
 
4_5800969115594131708.pptx
Abdisalaammohamud1
 
File System.pptx
bcanawakadalcollege
 
C) ICT Application
remotestaffdesignsolution
 
Week7 homework
TetsuroIshizuka
 
Week7 homework.pptx
TetsuroIshizuka
 
Operating System Unit 4(RTU Syllabus).pptx
skultdedsec
 
File system
Navin Royal Achakkagari
 
Assignment c
Masato Ito
 
UNIT III.pptx
YogapriyaJ1
 
L12 slides
Ann Bentley
 
Unit-1-Lecture-9.pptx file structure semester
NevilDesai8
 
Ad

More from Marco Alamanni (6)

ODP
Introduction to memory forensics
Marco Alamanni
 
ODP
Extracting and analyzing browser,email and IM artifacts
Marco Alamanni
 
ODP
Introduction to forensic imaging
Marco Alamanni
 
ODP
Brief introduction to digital forensics
Marco Alamanni
 
PPT
Oracle Database Vault
Marco Alamanni
 
PDF
Trust:concetti generali e teoria formale
Marco Alamanni
 
Introduction to memory forensics
Marco Alamanni
 
Extracting and analyzing browser,email and IM artifacts
Marco Alamanni
 
Introduction to forensic imaging
Marco Alamanni
 
Brief introduction to digital forensics
Marco Alamanni
 
Oracle Database Vault
Marco Alamanni
 
Trust:concetti generali e teoria formale
Marco Alamanni
 

Recently uploaded (20)

DOCX
Greta — No-Code AI for Building Full-Stack Web & Mobile Apps
niloyislam1187
 
PPTX
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
PDF
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
PDF
Salesforce Agentforce AI Implementation.pdf
Robert Mark
 
PDF
CCleaner Pro 6.38.11537 Crack Final Latest Version 2025
itskinga12
 
PDF
iTop VPN 6.5.0 Crack + License Key 2025 (Premium Version)
youngle786g
 
PDF
Tally Prime Crack Download New Version 5.1 [2025] (License Key Free
itskinga12
 
PDF
AutoCAD Professional Crack 2025 With License Key
youngle786g
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
iTop VPN Free 5.6.0.5262 Crack latest version 2025
itskinga12
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PPTX
assetexplorer- product-overview - presentation
nonameist3434
 
PDF
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
PPTX
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
PDF
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
PDF
17 Powerful Integrations Your Next-Gen MLM Software Needs
ventaforcemlmsoftwar
 
PDF
Download FL Studio Crack Latest version 2025 ?
ghrom2211g
 
PDF
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 
Greta — No-Code AI for Building Full-Stack Web & Mobile Apps
niloyislam1187
 
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
Design an Analysis of Algorithms II-SECS-1021-03
DilanEscobar1
 
Salesforce Agentforce AI Implementation.pdf
Robert Mark
 
CCleaner Pro 6.38.11537 Crack Final Latest Version 2025
itskinga12
 
iTop VPN 6.5.0 Crack + License Key 2025 (Premium Version)
youngle786g
 
Tally Prime Crack Download New Version 5.1 [2025] (License Key Free
itskinga12
 
AutoCAD Professional Crack 2025 With License Key
youngle786g
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
Designing Intelligence for the Shop Floor.pdf
nikglvk
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
iTop VPN Free 5.6.0.5262 Crack latest version 2025
itskinga12
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
assetexplorer- product-overview - presentation
nonameist3434
 
Digital Systems & Binary Numbers (comprehensive )
fyfhqfhtv2
 
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
Adobe Premiere Pro 2025 (v24.5.0.057) Crack free
ghrom2211g
 
17 Powerful Integrations Your Next-Gen MLM Software Needs
ventaforcemlmsoftwar
 
Download FL Studio Crack Latest version 2025 ?
ghrom2211g
 
Odoo Companies in India – Driving Business Transformation.pdf
azhuhardeen1968
 

File carving overview

  • 1. Digital forensics with Kali Linux Marco Alamanni Section 4 File carving and data recovery www.packtpub.com
  • 2. In this Section, we are going to take a look at… ● Introduction to file carving: unallocated and slack disk space, deleted files, Recycle Bin. ● File carving tools: Foremost, Scalpel and Photorec. ● Data extraction using Bulk-extractor
  • 3. Course Name Author Name Video 4.1 File carving overview
  • 4. In this Video, we are going to take a look at… ● Introduction to file slack and unallocated space, deleted files and the file carving process. • The Windows Recycle Bin and how to examine it with Rifiuti2.
  • 5. Introduction to slack space ● Smallest addressable data units on filesystems are called blocks or clusters, that are usually 4 KB of size. • Files generally use various blocks, the last block being only partial ly used. • The space left between the end of the file’s data and the end of the block is called slack space. • Slack space can contain hidden data or remnants from previously deleted file.
  • 7. Deleted files and unallocated space ● When a file is deleted, the relative directory entry is removed but the entry in the file’s table remains. • The file’s allocated blocks become unallocated; they are marked as free but not modified until reallocated to other files. • The unallocated blocks’ contents could be recovered using The Sleuth Kit tools or data carving tools
  • 8. Introduction to data carving ● Data carving is the process of identifying and extracting meaningful data out of the unallocated and slack space. • It relies on locating the magic number of a file and copying all the data until the end of file (EOF) marker is not found. • It is straightforward if the file’s data blocks are contiguous, could be challenging if the file is fragmented. • Algorithm for file carving that also handle fragmentation has been developed for data carving tools.
  • 9. The Windows Recycle Bin ● On modern operating systems, deleted files are usually first moved to the Recycle Bin (on Windows) or analogous directory. • These files are permanently deleted if the Recycle Bin is emptied or can be restored in the original location. • On Windows XP and earlier deleted files are placed under C:Recycler subfolders, one for each user, and the relative information are stored in INFO2 index files. • On Windows Vista and newer deleted files are stored under C:$Recycle.Bin subfolders in files that begin with $I and $R.