Forensic Explorer Data Carving

Does your forensic software data carve 300+ file types out of the box? Can you write custom carving scripts? With Forensic Explorer, you can:

Data Carving

File carving is a well-known computer forensics term used to describe the identification and extraction of file types from unallocated clusters using file signatures. A file signature, also commonly referred to as a magic number, is a constant numerical or text value used to identify a file format. The object of carving is to identify and extract (carve) the file based on this signature information alone.

Forensic Explorer offers carving support for more than 300 file types. It also supports layered carving:

Cluster based file carving

In a cluster-based file system like FAT or NTFS, a new file must start in a new cluster. It follows that the file signature appears near a cluster boundary. Carving speed is therefore achieved by searching for file signatures only near cluster boundaries.

Sector based file carving

In certain situations it may be advantageous to perform a lower-level search for sector-aligned file signatures. This search may recover additional files, for example files from a previous volume which had a different cluster layout and is no longer aligned to current cluster boundaries.

NOTE: Carving in sector mode will increase the time needed to complete the search.

Byte based file carving

In certain situations it may be advantageous to data carve on a byte-by-byte level. This has the additional benefit of locating files where the file signature is aligned with neither a cluster nor a sector boundary. A byte-based data carve is commonly used when searching for a file within a file (such as within a backup file), or when searching an image of a cell phone.

NOTE: Carving in byte mode will increase the time needed to complete the search.
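The difference between the three modes is easiest to see on a small buffer. The following Python sketch is an added example, not Forensic Explorer code or its Pascal scripting API: it searches a constructed image for the JPEG signature at cluster, sector and byte granularity. The 512-byte sector, 4096-byte cluster, and the simplification that a signature sits exactly at the start of the aligned unit are assumptions.

```python
"""Signature search at cluster, sector and byte granularity (added example)."""

SECTOR = 512                 # assumed sector size in bytes
CLUSTER = 8 * SECTOR         # assumed cluster size (4096 bytes)
JPEG_SIG = b"\xff\xd8\xff"   # JPEG start-of-image signature

STEP = {"cluster": CLUSTER, "sector": SECTOR, "byte": 1}


def find_signatures(image: bytes, sig: bytes, mode: str) -> list[int]:
    """Return offsets where sig occurs, testing only offsets aligned to mode."""
    step = STEP[mode]
    if step == 1:
        # Byte mode: every offset is a candidate, so scan the whole buffer.
        hits, pos = [], image.find(sig)
        while pos != -1:
            hits.append(pos)
            pos = image.find(sig, pos + 1)
        return hits
    # Aligned modes: one comparison per boundary, hence far fewer checks.
    return [off for off in range(0, len(image) - len(sig) + 1, step)
            if image.startswith(sig, off)]


def build_sample_image() -> bytes:
    """Constructed 4-cluster buffer with three planted JPEG headers."""
    img = bytearray(4 * CLUSTER)
    for off in (CLUSTER,                   # start of a current cluster
                2 * CLUSTER + 3 * SECTOR,  # sector-aligned, not cluster-aligned
                3 * CLUSTER + 1000):       # unaligned, e.g. a file within a file
        img[off:off + len(JPEG_SIG)] = JPEG_SIG
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for mode in ("cluster", "sector", "byte"):
        print(f"{mode:8s}", find_signatures(image, JPEG_SIG, mode))
```

Each finer mode finds everything the coarser one does plus the headers that fall off its boundaries, at the cost of testing 8 times (sector) or 4096 times (byte) as many offsets as cluster mode under these sizes.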

In addition, Forensic Explorer offers a robust Pascal scripting engine where data carving scripts can be written. See scripting for more information.