File Carving

When a file is only partially recovered, regardless of the file system, you can use file carving to attempt to recover the file. File carving is often used to recover data from a disk that has been damaged or where the file itself is corrupt. It is a common method of data recovery, particularly when the file metadata has been damaged. Sometimes it is just called “carving.” Whatever the name, the purpose is to extract the data of a single file from the larger set of data, that is, the entire disk or partition.

Most file carving utilities operate by looking for file headers and/or footers and then pulling out the data found between these two boundaries. One popular file carving tool is Scalpel, which was discussed previously in this chapter; another is carver-recovery. Carver-recovery is a free tool that also includes the source code for you to modify if you wish. It contains several utilities. The carver-recovery.exe utility simply allows you to select a drive image, and it will attempt to recover files. This is a broad-based tool for attempting to recover from an entire drive or partition.

Obviously, to effectively use file carving, one needs to be familiar with file headers and footers. It is beyond the scope of this text to discuss all file headers, but the hexadecimal values for some common files are shown here:

  • JPEG—FF D8

  • BMP—42 4D

  • EXE—4D 5A

  • GIF—47 49

  • MP3—49 44

  • PDF—25 50

  • ZIP—50 4B

  • PNG—89 50

  • WAV—52 49

  • AVI—52 49
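The header/footer approach described above can be sketched in a few lines of Python. This is an added example, not code from the book, Scalpel, or carver-recovery. The header prefixes are the two-byte values from the list; the footer values, the size limit, and the sample image are assumptions supplied for the illustration.

```python
"""Header/footer file carving over a raw image (added illustration)."""

# ext -> (header, footer). Headers are the list's two-byte prefixes.
# Footers are NOT given on the page; they are assumptions added here.
SIGNATURES = {
    "jpg": (bytes.fromhex("FFD8"), bytes.fromhex("FFD9")),
    "pdf": (bytes.fromhex("2550"), b"%%EOF"),
    "png": (bytes.fromhex("8950"), bytes.fromhex("49454E44AE426082")),
}
MAX_SIZE = 10 * 1024 * 1024  # assumed cap on how far to look for a footer


def carve(image: bytes, max_size: int = MAX_SIZE) -> list:
    """Return sorted (offset, ext, data) for each header with a matching footer."""
    found = []
    for ext, (header, footer) in SIGNATURES.items():
        pos = image.find(header)
        while pos != -1:
            end = image.find(footer, pos + len(header), pos + max_size)
            if end == -1:
                # Header without a footer in range: truncated file or a
                # chance match. Skip it and keep scanning.
                pos = image.find(header, pos + 1)
                continue
            end += len(footer)
            found.append((pos, ext, image[pos:end]))
            pos = image.find(header, end)
    return sorted(found)


def build_sample_image() -> bytes:
    """Constructed test image: two intact files and one truncated PNG."""
    jpeg = bytes.fromhex("FFD8FFE0") + b"JFIF-constructed-body" + bytes.fromhex("FFD9")
    pdf = b"%PDF-1.4\nconstructed body\n%%EOF"
    truncated_png = bytes.fromhex("89504E470D0A1A0A") + b"no footer survives"
    return b"\x00" * 512 + jpeg + b"\x00" * 100 + pdf + b"\x00" * 64 + truncated_png


if __name__ == "__main__":
    for offset, ext, data in carve(build_sample_image()):
        print(f"offset={offset} type={ext} size={len(data)}")
```

Two-byte prefixes match often in arbitrary data, and WAV and AVI share 52 49 in the list above, so carved output still has to be validated by opening or parsing each recovered file.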
