Recovering deleted data using file carving

File carving is an extremely useful method in forensics because it allows data that has been deleted or hidden to be recovered for analysis. In simple terms, file carving is the process of reassembling files from fragments in the absence of file system metadata. In file carving, specified file types are searched for and extracted from the raw binary data of a forensic image of a partition or an entire disk. File carving recovers files from the unallocated space of a drive based solely on file structure and content, without any matching file system metadata.

Unallocated space refers to the part of the drive that, according to file system structures such as file tables, no longer holds any file data.

Files can be recovered or reconstructed by scanning the raw bytes of the disk and reassembling them. This can be done by examining the header (the first few bytes) and footer (the last few bytes) of a file.

File-carving methods are categorized by the underlying technique in use. The header-footer carving method recovers files based on their header and footer information. For instance, JPEG files start with the bytes 0xFFD8 and end with 0xFFD9. The locations of the header and footer are identified and everything between those two endpoints is carved. Similarly, the file structure carving method uses the internal layout of a file to reconstruct it. However, traditional file carving techniques such as these may not work if the data is fragmented. To overcome this, newer techniques such as smart carving use the fragmentation characteristics of several popular file systems to recover the data.
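To make the difference between the two carving methods concrete, here is an added Python example (not code from the book and not PhotoRec's own code). It carves JPEG files out of a raw byte image in two ways: header-footer carving, which cuts from each 0xFFD8 to the next 0xFFD9, and file-structure carving, which walks the JPEG marker segments so that a thumbnail embedded in an APP1 segment (which carries its own 0xFFD8/0xFFD9 pair) does not truncate the outer image. The "disk image" is constructed inline; the segment contents are minimal stand-ins rather than real encoded picture data, and the filler bytes, offsets and helper names are all assumptions made for the demo.

```python
"""Toy JPEG carver: header-footer carving versus file-structure carving.

Added example, not from the book and not PhotoRec's code. The raw image is
constructed inline: filler bytes, a JPEG whose APP1 segment embeds a
thumbnail (with its own FFD8/FFD9 pair), more filler, and a plain JPEG.
Neither carver uses file system metadata, only the bytes themselves.
"""
import hashlib
import struct

SOI = b"\xff\xd8"  # JPEG header (start of image)
EOI = b"\xff\xd9"  # JPEG footer (end of image)


def carve_header_footer(image: bytes):
    """Header-footer carving: cut from each FFD8 to the first FFD9 after it.
    Returns a list of (offset, carved_bytes)."""
    found, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start == -1:
            break
        end = image.find(EOI, start + 2)
        if end == -1:
            break
        found.append((start, image[start:end + 2]))
        pos = end + 2
    return found


def jpeg_structure_length(image: bytes, start: int):
    """Walk the marker segments of the JPEG beginning at `start` and return
    its total length, or None if the bytes are not a well-formed JPEG.
    Segments are skipped by their declared length, so an embedded
    thumbnail's FFD9 is never mistaken for the outer file's footer."""
    if image[start:start + 2] != SOI:
        return None
    n, pos = len(image), start + 2
    while pos + 2 <= n:
        if image[pos] != 0xFF:
            return None
        marker = image[pos + 1]
        if marker == 0xD9:                 # EOI: the file ends here
            return pos + 2 - start
        if marker == 0xD8:                 # a bare SOI is not a valid segment
            return None
        if 0xD0 <= marker <= 0xD7:         # RSTn markers carry no length field
            pos += 2
            continue
        if pos + 4 > n:
            return None
        seg_len = struct.unpack(">H", image[pos + 2:pos + 4])[0]
        if seg_len < 2:
            return None
        pos += 2 + seg_len                 # skip marker + length-prefixed payload
        if marker == 0xDA:                 # SOS: entropy-coded data follows
            # Scan to the next real marker: 0xFF not followed by 0x00
            # (byte stuffing) and not followed by an RSTn marker.
            while pos + 1 < n:
                nxt = image[pos + 1]
                if image[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def carve_structure(image: bytes):
    """File-structure carving: validate every candidate SOI by walking its
    segments and carve exactly the bytes the structure covers."""
    found, pos = [], 0
    while True:
        start = image.find(SOI, pos)
        if start == -1:
            break
        length = jpeg_structure_length(image, start)
        if length is None:
            pos = start + 2                # not a JPEG here; keep scanning
            continue
        found.append((start, image[start:start + length]))
        pos = start + length
    return found


def build_demo_image():
    """Construct a fake raw partition (constructed test data, not a real
    dump). Returns (image, expected_files) where expected_files lists the
    (offset, bytes) of the two JPEGs that were written into it."""
    def seg(marker, payload):
        return marker + struct.pack(">H", 2 + len(payload)) + payload

    thumb = SOI + seg(b"\xff\xdb", b"\x00\x01") + EOI             # tiny inner JPEG
    sos = seg(b"\xff\xda", b"\x01\x00") + b"\x12\x34\xff\x00\x56"  # SOS + data with a stuffed FF00
    outer = SOI + seg(b"\xff\xe1", thumb) + sos + EOI              # APP1 carries the thumbnail
    plain = SOI + seg(b"\xff\xdb", b"\x00") + sos + EOI
    image = b"\x00" * 16 + outer + b"\xaa" * 8 + plain + b"\x00" * 5
    return image, [(16, outer), (53, plain)]


if __name__ == "__main__":
    image, _ = build_demo_image()
    for name, carver in (("header-footer", carve_header_footer), ("structure", carve_structure)):
        for off, data in carver(image):
            digest = hashlib.sha256(data).hexdigest()[:16]
            print(f"{name:14s} offset={off:3d} length={len(data):3d} sha256={digest}...")
```

Running it shows the header-footer carver returning the first file cut short at the thumbnail's footer (16 bytes instead of 29), while the structure-aware carver returns both files at their full length. Hashing each carved object, as the script does, is the usual way to record what was recovered before any further examination.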

Once the phone is imaged, the image can be analyzed using tools such as PhotoRec. PhotoRec is a powerful free utility for carving files. This tool analyzes the block data storage, identifies the deleted files, and recovers them. Scalpel, another carving tool, is file system-independent and is known to work on various file systems including EXT4, exFAT, FAT32, and more. The following steps explain how to recover files using PhotoRec on a Windows workstation:

  1. Download the tool from https://www.cgsecurity.org/wiki/TestDisk_Download. Unpack the archive in the directory of your choice.
  2. Open Command Prompt with Administrator privileges and run photorec.exe with the Android physical image as an argument.
  3. Choose the partition you want to carve data from; in our case it's USERDATA. This is shown in the following screenshot:

Choosing partition in PhotoRec

  4. If you want only specific file types to be carved, go to File Opt. In our case, we were only interested in JPG images, so we chose only one file type, as shown in the following screenshot:

Choosing file types in PhotoRec

  5. Choose the file system type; in our case it's EXT4, as shown in the following example:

Choosing the file system type in PhotoRec

  6. Now, choose whether the tool should carve only free space or the whole partition. The second option will bring you more data, but it will be mixed with files that have not been deleted. These choices can be seen in the following example:

Choosing if all space needs to be analyzed

  7. Finally, choose the folder where the recovered files will be stored. You can use the arrow keys to do this, and then press C, as shown in the following screenshot:

Recovered files will be saved in subdirectories named recup_dir under the chosen directory.
