Carving (data recovery)
Carving is a method of identifying and restoring files on storage media without the aid of the file system. For this purpose, the raw data stream of the storage medium is searched for characteristic character strings such as a magic number or other typical header data structures of known file formats .
It is used in IT forensics and for data recovery . As a rule, carving is used on storage media with a damaged file system or for storage areas that are listed as free in the existing file system.
Procedures
In order not to have to rely on being able to successfully read out an area a second time, data recovery from damaged media is usually carried out with a previously created memory image. Classically, the raw data stream is searched for sequences that represent a file and these are then written to a separate file. In the case of methods that have recently come into use, an analysis run is used to create a (new) file system that records files and makes them accessible (again) directly on the spot ("in place"). The analysis run required for this can also be combined with the creation of a memory image. In the simplest case, the beginning and end sequences of a file are known and all data is stored in a continuous sequence, unfragmented. If the end sequence is unknown, the exact file size can be determined or an attempt can be made to locate the end by means of a sudden change in the entropy of the data stream. The biggest problem is the possible fragmentation of the files.
Since the carving cannot determine any names for files found, either meaningless generic names are assigned or what remains of an original file system is searched for in order to restore the original name or to try to create meaningful names based on file contents such as embedded metadata .
See also
Web links
- Ralf Spenneberg: Carved yourself: Carving tools track down files without knowing the file system . In: Linux Magazin , June 2008.
Individual evidence
- ↑ LibCarvPath and CarvFS are examples of an implementation of in-place carving software.
- ↑ The Open Data Duplicator from the ODESSA Suite is capable of carving analysis while creating a memory image.
- ↑ Archived copy ( memento of the original from October 18, 2008 in the Internet Archive ) Info: The archive link was inserted automatically and has not yet been checked. Please check the original and archive link according to the instructions and then remove this notice.
