File Header

File Carving – Valuable Remnants Recovered!

Carving files, which can be performed manually or through an automated process, permits the recovery of a portion of a corrupted or deleted file. During a computer investigation, examiners may encounter deleted files that cannot be fully recovered. However, enough of the file may still be intact and worth restoring.

For example, if a deleted Microsoft Word document called "sales report.doc" contains the keywords "Mr. Smith, Bonus," but the file cannot be viewed, then it is most likely damaged. Even though not enough of the file is intact to be opened, it may still be possible to carve the useful content. Using specialized software, such as EnCase, FTK, WinHex, ProDiscover and several others, it may be possible to locate, restore and even repair damaged or overwritten files.

[Figure: unallocated space illustration]

What are File Headers? (Signatures)

Many file types can be identified by using what’s known as a file header. A file header is a ‘signature’ placed at the beginning of a file, so the operating system and other software know what to do with the following contents.

Many electronic discovery applications use the file header as a means to verify file types. The common fear is that if a custodian changes a file's extension, or the file wasn't named using an application's default naming convention, that file will be missed during electronic discovery processing. For example, if I create a Microsoft Word document and name it 'myfile.001' instead of 'myfile.doc', and then attempt to locate all Microsoft Word files at a later date, I would miss the file if I were looking only for files ending in '.doc'. Each native application has specific file extensions associated with it, but the extension is only a name; the header is what actually identifies the content.

During a computer forensic investigation, file headers are extremely valuable because they allow us to locate the contents of deleted files, user activity logs, registry entries, and other relevant artifacts. For example, if I'm investigating a custodian's hard drive for evidence that they were working for a competing company, I would want to recover their file activity records. A large number of custodian activity records are often already purged or deleted. By scanning a computer's hard drive for the signature related to user activity records, we often recover relevant artifacts (file access records) up to several years after they were deleted.
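The two mechanisms described above (identifying a file by its header rather than its name, and scanning raw space for signatures to carve out files whose tails have been overwritten) can be shown in a few dozen lines. The following is an added example written for this page; it is not code from the article or from any of the tools named above. The signature table is an illustrative subset of well-known magic numbers, the "disk image" is constructed inline so the script runs offline, and the `max_len` cap is a simplification: the commercial carvers mentioned bound a footerless format such as OLE2 by parsing its internal structure rather than taking a fixed-size slice.

```python
"""Signature-based file identification and carving over a raw byte buffer.

Added example (not the article's code). Signatures are well-known magic
numbers; the sample image is constructed inline.
"""
import os
from dataclasses import dataclass
from typing import Optional

# (kind, header bytes, footer bytes or None, extensions normally used for it)
SIGNATURES = [
    ("ole2", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", None, {".doc", ".xls", ".ppt"}),
    ("pdf", b"%PDF", b"%%EOF", {".pdf"}),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", {".png"}),
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9", {".jpg", ".jpeg"}),
    ("zip", b"PK\x03\x04", None, {".zip", ".docx", ".xlsx"}),
]


@dataclass
class Carved:
    kind: str
    offset: int
    length: int
    complete: bool   # True when the footer was found; False = truncated or overwritten
    data: bytes


def identify(data: bytes) -> Optional[str]:
    """Return the type implied by the leading bytes, ignoring the file name."""
    for kind, header, _footer, _exts in SIGNATURES:
        if data.startswith(header):
            return kind
    return None


def extension_mismatch(filename: str, data: bytes):
    """Compare the declared extension with the header-derived type.
    Returns (declared_ext, detected_kind, mismatch); unknown content is not
    reported as a mismatch because there is nothing to compare against."""
    ext = os.path.splitext(filename)[1].lower()
    kind = identify(data)
    if kind is None:
        return ext, None, False
    expected = next(exts for k, _, _, exts in SIGNATURES if k == kind)
    return ext, kind, ext not in expected


def carve(image: bytes, max_len: int = 64 * 1024) -> list:
    """Find every known header in the buffer and cut out what follows it.
    With a footer present the carve is marked complete; otherwise a bounded
    slice is taken and flagged so the examiner knows it may be partial."""
    found = []
    for kind, header, footer, _exts in SIGNATURES:
        start = image.find(header)
        while start != -1:
            end = None
            if footer is not None:
                f = image.find(footer, start + len(header))
                if f != -1 and f - start <= max_len:
                    end = f + len(footer)
            complete = end is not None
            if end is None:
                end = min(start + max_len, len(image))
            found.append(Carved(kind, start, end - start, complete, image[start:end]))
            start = image.find(header, start + 1)
    return sorted(found, key=lambda c: c.offset)


def keyword_hits(carved, keywords):
    """Map carve offset -> keywords still present in that fragment."""
    hits = {}
    for c in carved:
        for kw in keywords:
            if kw in c.data:
                hits.setdefault(c.offset, []).append(kw)
    return hits


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': a complete PNG, a legacy Word (OLE2)
    document whose tail has been overwritten, and a complete JPEG."""
    filler = b"\x00" * 64
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 20 + b"IEND\xaeB`\x82"
    doc = (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 40
           + b"Mr. Smith, Bonus" + b"\x00" * 16)
    overwritten = b"\xaa" * 48          # where the rest of the .doc used to be
    jpeg = b"\xff\xd8\xff\xe0JFIF\x00" + b"\x11" * 30 + b"\xff\xd9"
    return filler + png + filler + doc + overwritten + jpeg + filler


if __name__ == "__main__":
    img = build_sample_image()
    for c in carve(img):
        print(f"{c.kind:5} @ {c.offset:4} len={c.length:4} complete={c.complete}")
    print(keyword_hits(carve(img), [b"Mr. Smith", b"Bonus"]))
    print(extension_mismatch("myfile.001", img[164:244]))
```

Run as a script it lists the three carved objects, shows that the OLE2 fragment still yields the "Mr. Smith" and "Bonus" keywords even though it has no usable end, and reports that a file named `myfile.001` carries a Word header.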