When a file is deleted, the file system entry that maps the filename to the data on disk is removed. But the actual data often remains in storage, marked as “available” but not yet overwritten.

File carving is the technique of recovering these files based on their content — specifically, recognizable byte patterns at the start (and sometimes end) of different file types — without relying on the file system index.

How File Carving Works

Every common file type has a signature — a specific sequence of bytes that appears at the start of the file. These are called “magic bytes” or file headers. For example:

  • JPEG: `FF D8 FF` followed by a marker byte, typically `E0` (JFIF) or `E1` (Exif)
  • PNG: `89 50 4E 47 0D 0A 1A 0A`
  • PDF: `25 50 44 46` (“%PDF”)
  • ZIP and ZIP-based Office files (DOCX, XLSX, PPTX): `50 4B 03 04`
  • MP4/MOV: `00 00 00 XX 66 74 79 70` (a 4-byte box length followed by the `ftyp` box type)
  • EXE (Windows): `4D 5A` (“MZ”)

    A file carver scans raw storage byte by byte looking for these signatures. When it finds one, it extracts data from that point either for a defined length or until it reaches a known footer (end signature).


    Types of File Carving

    Header-only carving: Identifies the file start but relies on a fixed length, a length field inside the file, or a heuristic to decide where the file ends. Works well for fixed-size formats and for formats whose structure declares its own length.

    Header/footer carving: Identifies both the start and the end of the file. More precise for file types with a defined footer (JPEG ends with `FF D9`). It breaks down when fragments of several files share the same area: the first footer found after a header may belong to a different file, producing a truncated or corrupt result.

    Fragment recovery / bifragment carving: Attempts to reconstruct files that are fragmented across non-contiguous sectors, usually by validating candidate fragment combinations against the file format. Significantly more complex. Tools like Foremost and Scalpel don’t handle this well; specialized tools are needed.
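    The two simpler strategies above, header/footer carving and header-only carving with a structure-derived length, as an added Python example that is not code from the original page or from any of the tools it names. It scans a byte buffer standing in for unallocated space, carves JPEGs by searching for the `FF D9` footer, and carves PNGs by walking the chunk structure (length, type, data, CRC) until the IEND chunk. The buffer, the 16 MiB footer-search cap, and the byte-offset naming scheme are constructed for this example.

```python
"""Added example: a minimal header/footer and structure-aware carver over a raw byte buffer.
Not taken from Foremost, Scalpel or PhotoRec; the "disk image" is constructed below."""
import struct
import zlib

JPEG_HEADER = b"\xff\xd8\xff"          # SOI marker followed by the first marker byte
JPEG_FOOTER = b"\xff\xd9"              # EOI marker
PNG_HEADER = b"\x89PNG\r\n\x1a\n"
MAX_JPEG = 16 * 1024 * 1024            # assumed cap: stop hunting for a footer after 16 MiB

def carve_jpeg(buf, start):
    """Header/footer carving: bytes from the header to the first FF D9 after it, or None."""
    end = buf.find(JPEG_FOOTER, start + len(JPEG_HEADER), start + MAX_JPEG)
    return None if end == -1 else buf[start:end + len(JPEG_FOOTER)]

def carve_png(buf, start):
    """Header-only carving with a length derived from the format: walk chunks until IEND.
    Each chunk is length(4) | type(4) | data | crc32(4). A non-ASCII chunk type or a CRC
    mismatch means the region was overwritten or fragmented, so the carve is rejected."""
    pos = start + len(PNG_HEADER)
    while pos + 8 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        if not ctype.isalpha():
            return None
        chunk_end = pos + 8 + length + 4
        if chunk_end > len(buf):
            return None
        stored_crc = struct.unpack(">I", buf[chunk_end - 4:chunk_end])[0]
        if zlib.crc32(buf[pos + 4:chunk_end - 4]) != stored_crc:   # CRC covers type + data
            return None
        pos = chunk_end
        if ctype == b"IEND":
            return buf[start:pos]
    return None

CARVERS = [(JPEG_HEADER, "jpg", carve_jpeg), (PNG_HEADER, "png", carve_png)]

def carve(buf):
    """Scan buf for every known header; return [(offset, ext, data), ...].
    After a successful carve the scan resumes past the file; after a failed one it
    resumes one byte past the header so later, intact files are still found."""
    results, pos = [], 0
    while pos < len(buf):
        hit = None
        for sig, ext, fn in CARVERS:
            idx = buf.find(sig, pos)
            if idx != -1 and (hit is None or idx < hit[0]):
                hit = (idx, ext, fn)
        if hit is None:
            break
        idx, ext, fn = hit
        data = fn(buf, idx)
        if data is None:
            pos = idx + 1
            continue
        results.append((idx, ext, data))
        pos = idx + len(data)
    return results

def carved_name(offset, ext):
    """Carved files have no filename; name them by byte offset, as real carvers do."""
    return f"{offset:08x}.{ext}"

# --- constructed sample data; nothing below comes from a real device ---
def _png_chunk(ctype, data):
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def make_sample_png():
    """A valid 1x1 RGB PNG built by hand."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")      # filter byte + one red pixel
    return PNG_HEADER + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")

def make_damaged_png():
    """The same PNG with one IHDR byte overwritten, so its chunk CRC no longer matches."""
    png = bytearray(make_sample_png())
    png[20] ^= 0xFF
    return bytes(png)

def make_sample_image():
    """Stand-in for unallocated space: filler, an intact JPEG, an intact PNG,
    an overwritten PNG, and a JPEG fragment whose footer was never written."""
    jpeg = JPEG_HEADER + b"\xe0\x00\x10JFIF\x00" + b"A" * 40 + JPEG_FOOTER
    fragment = JPEG_HEADER + b"\xe1" + b"B" * 30
    return (b"\x00" * 100 + jpeg + b"\x00" * 50 + make_sample_png()
            + b"\xaa" * 20 + make_damaged_png() + b"\x00" * 30 + fragment)

if __name__ == "__main__":
    for offset, ext, data in carve(make_sample_image()):
        print(f"{carved_name(offset, ext)}  {len(data)} bytes")
```

    Running it carves the intact JPEG and PNG and rejects the two damaged regions. The PNG walk is the stronger of the two strategies: every chunk is checked against its CRC, so an overwritten sector produces no output instead of a corrupt file. The JPEG carve is only as good as its footer search: the first `FF D9` after the header is taken as the end, which is exactly the weakness the Header/footer entry describes, and a JPEG carrying an embedded Exif thumbnail contains an earlier `FF D9` that a naive footer search will stop at. Production carvers add format validation or marker parsing to avoid that.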

    File Carving Tools

    Foremost: Classic open-source Linux tool. Command-line; ships with built-in signatures for common types and accepts additional header/footer definitions in a configuration file. Fast but no fragmentation support.

    Scalpel: Originally derived from Foremost, with better performance and configurability.

    PhotoRec: Despite the name, recovers far more than photos — 480+ file types. Works on drives, memory cards, USB drives, and RAM images. Cross-platform, free.

    Autopsy / The Sleuth Kit: Open-source forensic platform that includes file carving as one of its modules. Produces results in a GUI with case management.

    Magnet AXIOM: Commercial forensic platform with built-in carving capabilities. Integrates carving results with other artifact analysis.

    Bulk Extractor: Scans for patterns beyond standard files — email addresses, URLs, phone numbers, credit card numbers — from raw storage.


    What File Carving Can and Can’t Do

    Can recover:

  • Deleted photos and videos from unallocated space
  • PDF documents deleted from storage
  • Archived files (ZIP, RAR)
  • Office documents
  • Executable files
  • Database fragments

    Limitations:

  • No filename recovery: Carved files have no name; the carving tool names them by byte offset or sequence number (e.g. 00012345.jpg, file0001.jpg)
  • No timestamp recovery: The original creation and modification dates come from the file system, which no longer exists for carved files
  • Fragmentation: If a large file was fragmented across non-contiguous sectors, carving usually recovers only the first fragment
  • Overwritten data: If new files were written over the deleted file’s location, the old data is gone
  • Encrypted files: Carved files from encrypted storage are encrypted — carving recovers the encrypted ciphertext, not the plaintext
    File Carving in Practice

    In a typical investigation, file carving runs against:

  • The unallocated space of a forensic disk image
  • Slack space (space between the end of a file’s data and the next sector boundary)
  • Swap files and hibernation files
  • RAM images
    The output is reviewed by the examiner to identify relevant files. In a large drive carve, thousands of images may be recovered; many are web cache images, ad banners, and thumbnails. Triage tools sort and categorize carved output to reduce review time.

    FAQ: File Carving

    Q: If I overwrite deleted files with a “shredder” tool, can carving still recover them?
    A: No. Shredder tools overwrite the sectors occupied by deleted files (with zeros or random data), destroying the original content. Carving can only recover data from unallocated space that has not been overwritten.

    Q: Can file carving work on SSDs?
    A: Yes, but with lower success rates. When a file is deleted on an SSD, the operating system issues a TRIM command telling the drive which blocks are no longer in use. The controller may erase those blocks during background garbage collection, and many drives return zeros for trimmed blocks as soon as the command is processed, so a carver reading the device finds nothing. HDDs leave free sectors untouched until they are reused, making them much better candidates for carving. Whether TRIM is enabled, and how quickly the drive acts on it, depends on the operating system, file system and drive, so results vary from case to case.

    Q: Does file carving work on mobile devices?
    A: Yes, when a physical image of the device’s NAND storage is acquired; carving it follows the same principles as carving a hard drive. Modern phones encrypt their storage by default, so a raw image obtained without the decryption keys yields only ciphertext (see the limitation above).

    Q: How long does a typical forensic examination take?
    A: Timelines vary based on data volume and case complexity. A single device may take one to three days; multi-device investigations can span weeks.

    Q: What certifications should a digital forensics examiner hold?
    A: Common certifications include EnCE, CFCE, CCE, and GCFE. Relevance depends on the examination type and the jurisdiction’s expectations.

    Case Example

    In a civil dispute, one party alleged that digital evidence had been altered after a preservation obligation arose. The forensic examiner compared file system metadata against the litigation timeline and found several files modified after the preservation letter was received; a system cleanup utility had been run during the same period. The examiner documented the specific artifacts indicating post-preservation modification and distinguished routine system operations from deliberate user actions, which gave the court a factual basis for evaluating the spoliation claim.

    Practitioner Takeaways

    See also: Log File Analysis | Iphone Logical Vs Full File System Acquisition | Imessage Database Schema Court Presentation

    Need Professional Digital Forensics?

    Octo Digital Forensics provides expert mobile forensics, data recovery, and digital investigation services for attorneys, insurance companies, and private investigators. Court-admissible reports. Certified examiners.

    Contact: octodf.com | info@derickdowns.com | (858) 692-3306