Forensic Data Recovery: Data Carving, File Signature Search, Analysis and Reporting

Dive deep into the world of forensic disk analysis with this comprehensive guide. Whether you’re new to the field or an experienced investigator, you’ll gain valuable insights into mastering forensic disk analysis techniques. We explore insider secrets, expert strategies, and step-by-step approaches to enhance your forensic analysis skills and uncover hidden truths within digital evidence.

Forensic Data Recovery: Data Carving, File Signature Search, Analysis and Reporting

Aspect Description
Definition Forensic data recovery involves retrieving deleted, corrupted, or hidden data for legal, investigative, or security purposes.
Purpose To uncover digital evidence for legal cases, criminal investigations, or corporate audits.
Key Features
  • Preservation of data integrity.
  • Adherence to legal standards for evidence collection.
  • Analysis of metadata for timestamps and user activity.
Methods
  • Disk imaging for creating exact replicas of storage devices.
  • Signature-based search to identify specific file types.
  • Advanced recovery tools to extract data from damaged or encrypted drives.
Challenges
  • Encrypted or overwritten data.
  • Admissibility of evidence in court.
  • Data recovery from physically damaged devices.
Tools Used
  • EnCase Forensic.
  • FTK (Forensic Toolkit).
  • Autopsy Digital Forensics.
Target Audience Law enforcement, corporate investigators, cybersecurity experts, and legal professionals.

Forensic Analysis: the Requirements

Forensic application of data recovery techniques lays certain requirements upon developers. Sometimes the requirements are similar to those observed by the developers of data recovery tools. Sometimes, however, the requirements differ enough to be mentioned.

Go to view
How to View User’s Logins and Passwords Saved in a Browser for Facebook, Twitter, Instagram

How to View User’s Logins and Passwords Saved in a Browser for Facebook, Twitter, Instagram

Requirement 1. Read-only operation

In data recovery business, read-only operation is essential to preserve as much original information as possible. During a forensic investigation, ensuring that no single bit is changed on the disk being analyzed is a matter of formal procedure. Information altered during the investigation may not be admissible in the court. For this reason, investigators often use certified write blocking hardware preventing any attempt to write anything onto the disk being analyzed. This level of precaution costs money, and it’s simply not required during an ordinary data recovery job.

Requirement 2. Virtual disk images

The use of virtual disk images (bit-precise copies of the entire content of the device) are an optional safety measure in data recovery. Most forensic specialists, however, will make a disk snapshot first, and continue investigation using that captured image. Image formats are also different between data recovery and forensic applications. Most data recovery tools will capture either compressed or uncompressed raw dump, while forensic tools follow industry standards, capturing (and analyzing) images in formats such as Ex01, DD and SMART.

Requirement 3. Logging and reporting

During the investigation, forensic specialists have to document their every step. Forensic data recovery tools create extremely thorough reports documenting every little step. Commercial data recovery tools will normally create a brief report outlining which files were recovered, and which ones weren’t. That would not be enough for a court, so forensic tools will also list the exact location (list of physical sectors) of each file obtained with a tool in order to ensure verifiability and repeatability of the process.

Requirement 4. Signature-search vs. file carving

Commercial data recovery tools employ a range of content-aware search algorithms implementing one or another variation of common signature search. These technologies allow extracting missing files from hard disk drives with damaged or missing file systems, unreadable, formatted and repartitioned devices. For instance, for *.docx and *.xlsx files, it’s “50 4B”. Further analysis of the file header helps calculate its length. Many forensic tools do the same. Such algorithms have their limitations.

Go to view
How to View User’s Logins and Passwords Saved in a Browser for Facebook, Twitter, Instagram 🕵️🔍🔐

How to View User’s Logins and Passwords Saved in a Browser for Facebook, Twitter, Instagram 🕵️🔍🔐

For example, they cannot recover fragmented files (if the corresponding file system record is missing or partition table is damaged). However, certain evidence might just be too valuable to let it slip. For these files, forensic analysts may employ a semi-automatic process called ‘carving’. The carving process attempts to identify the beginning of a file (usually a JPEG or a document), and then re-assemble the file from multiple individual fragments in a process similar to matching pieces of a puzzle. The carving process can be extremely time-consuming and labor-intensive. It does not automate well, so it’s only applied on individual basis.

What is recovered?

Unlike commercial data recovery tools, forensic tools will normally recover what’s considered to be worthy as evidence. This may differ a lot from what is considered valuable to the computer user. For example, forensic investigators are interested in browsing history databases and cache files, Windows registry files, conversation and chat histories maintained by Skype, ICQ and similar applications; page files and hibernation files, as these may contain additional evidence. Pictures and videos to analyze for illegal content, and documents to analyze for sensitive information. As you can see, except for pictures and documents, investigators’ interests correlate very loosely with what an ordinary computer user considers valuable information.

Go to view
How to Recover Data After Formatting, Deleting or Creating Partitions in 2020 📁🔥⚕️

How to Recover Data After Formatting, Deleting or Creating Partitions in 2020 📁🔥⚕️

Analysis and reporting

Forensic analysis is all about reporting. Thorough analysis of what’s been discovered on the disk is often a major part of a forensic package. Forensic analysis tools will keep up working well past the point a commercial data recovery tool has left off. Forensic tools will parse history databases, extract and scrutinize chats and conversations; analyze browsing history and re-create suspect’s online behavior. In fact, only a small part of a typical forensic tool is responsible for actually recovering information; the rest is dedicated to analytics. Major forensic tools such as Guidance EnCase, AccessData FTK, Belkasoft Evidence Center, Oxygen Forensic Toolkit and others deliver powerful analytics along with data recovery capabilities.

Any discovery made by the investigator must be properly reported, so the reporting module will wrap up the discoveries, producing a brief yet comprehensive text-based report. Many more features are related to some very specific analysis and reporting.

Go to view
How to Restore Deleted History, Sent Files, Contacts and Password in Skype ⚕️💬🔑

How to Restore Deleted History, Sent Files, Contacts and Password in Skype ⚕️💬🔑

Conclusion

Forensic disk analysis tools make use of some of the most advanced data recovery algorithms. However, data recovery is not their specialty. An ordinary computer user will be much better served by a commercial data recovery tool, which will extract more information from the disk that’s going to be of value to the user – and not to the investigator.

Oleg Afonin

Author: , Technical Writer

Oleg Afonin is an expert in mobile forensics, data recovery and computer systems. He often attends large data security conferences, and writes several blogs for such resources as xaker.ru, Elcomsoft and Habr. In addition to his online activities, Oleg’s articles are also published in professional magazines. Also, Oleg Afonin is the co-author of a well-known book, Mobile Forensics - Advanced Investigative Strategies.

Vladimir Artiukh

Editor: , Technical Writer

Vladimir Artiukh is a technical writer for Hetman Software, as well as the voice and face of their English-speaking YouTube channel, Hetman Software: Data Recovery for Windows. He handles tutorials, how-tos, and detailed reviews on how the company’s tools work with all kinds of data storage devices.

Recommended For You

Hello! This is AI-based Hetman Software virtual assistant, and it will answer any of your questions right away.
Start Chat