File carving

Carving is a method for identifying and recovering files on storage media without the help of the file system. For this purpose, the raw data stream of the storage medium is searched for characteristic byte sequences such as the magic number, or for other typical header data structures of known file formats.

It is used in computer forensics and data recovery. Carving is usually applied to storage media with a damaged file system, or to storage areas that the existing file system marks as free.

Procedures

So that no area of a damaged medium has to be read successfully a second time, data recovery usually works on a previously created memory dump. Classically, the raw data stream is searched for sequences that represent a file, and each such sequence is written out again as a separate file. In a method that has come into use more recently, an analysis run creates a (new) file system that records the files found and makes them accessible (again) directly on the spot ("in place"). The necessary analysis run can also be combined with the creation of the memory dump. In the simplest case, the start and end sequences of a file are known and all of its data is stored unfragmented, in one continuous sequence. If the end sequence is unknown, the exact file size may be determined instead, or an attempt is made to locate the end from an abrupt change in the entropy of the data stream. The biggest problem is the possible fragmentation of files.

Since carving cannot determine a name for the files it finds, they are either given bland generic names, or remnants of the original file system are searched for in order to restore the original names, or the file content, such as embedded metadata, is used in an attempt to create meaningful names.
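A carver for the simplest case described above (known signatures, unfragmented data), as an added example that is not part of the original article: JPEG is delimited by its start and end sequences, BMP by the file size stored in its header, and each hit gets a generic name. The function names, the `carved_<offset>` naming scheme and the sample data are assumptions constructed for illustration.

```python
import struct

JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"  # JPEG start / end sequences
BMP_MAGIC = b"BM"                                   # BMP magic number

def carve(raw: bytes, max_size: int = 10 * 1024 * 1024):
    """Return (generic_name, offset, data) for each unfragmented file found."""
    found, pos = [], 0
    while pos < len(raw):
        if raw.startswith(JPEG_SOI, pos):
            # Known start and end sequence: take everything up to the first
            # footer. An embedded thumbnail's own end marker would cut this short.
            end = raw.find(JPEG_EOI, pos + len(JPEG_SOI), pos + max_size)
            if end != -1:
                end += len(JPEG_EOI)
                found.append((f"carved_{pos:08x}.jpg", pos, raw[pos:end]))
                pos = end
                continue
        elif raw.startswith(BMP_MAGIC, pos) and pos + 14 <= len(raw):
            # No end sequence: the BMP header stores the exact file size.
            size, _reserved, data_off = struct.unpack_from("<III", raw, pos + 2)
            # "BM" is a weak two-byte magic, so sanity-check the header fields.
            if 14 < data_off < size <= min(max_size, len(raw) - pos):
                found.append((f"carved_{pos:08x}.bmp", pos, raw[pos:pos + size]))
                pos += size
                continue
        pos += 1
    return found

def build_sample_image():
    """Constructed raw 'medium': filler, fake JPEG, filler, fake BMP, filler."""
    jpeg = JPEG_SOI + b"\xe0" + b"constructed-jpeg-body" + JPEG_EOI
    bmp_body = b"\x00" * 40 + b"\x11\x22\x33\x44"
    bmp = BMP_MAGIC + struct.pack("<III", 14 + len(bmp_body), 0, 54) + bmp_body
    raw = b"\x00" * 512 + jpeg + b"\xaa" * 100 + bmp + b"\x00" * 64
    return raw, jpeg, bmp

if __name__ == "__main__":
    raw, _, _ = build_sample_image()
    for name, offset, data in carve(raw):
        print(f"{name}: offset {offset}, {len(data)} bytes")
```

A header whose end sequence or declared size cannot be satisfied (for example, a dump truncated mid-file) is skipped rather than carved to the end of the medium.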
