by Yuri Gubanov, Danil Nikolaev & Igor Mikhailov © Belkasoft Research

Carving is an irreplaceable technique widely used in data recovery and digital forensics. By using carving, we essentially perform a low-level scan of media for various artifacts, looking for signatures—specific sequences of bytes, characteristic of different types of data.

This also means that carving disregards files themselves in performing the byte sequence search, thus becoming extremely helpful in cases where data has been corrupted or deleted. However, its usefulness is not limited to one particular scenario. Let us take a look at various cases where carving comes in handy.

Renamed, relocated, hidden data

We talked briefly about using carving to find hidden, renamed, and relocated data in our whitepaper about countering common anti-forensic efforts. Since carving does not take into account the file itself, it does not care about its name and location either. Therefore, by performing carving…