Before we start, it's important to note that PhotoRec supports disk images: not only RAW, but also E01. As we are carving data for forensic purposes, let's use an E01 image that we acquired in one of the previous recipes.

1. Start the Windows Command Prompt from an account in the Administrator group, and change the directory to testdisk-7.0. Use the following command:

         photorec_win.exe X:52.E01

2. Make sure you typed the path to the image you acquired, as it can have a different name and location.
3. The first dialog box that you see is 'Select a media'. In our case we are dealing with an E01 image, so we have only one option, and all we need to do is press Enter to proceed.

4. Now we have the Partition selection dialog box. In our case, we have only one partition of unknown type - a perfect example for file carving.

5. Also, four options are seen at the bottom:

• • Search - to start recovery
  • Options - to modify recovery options
  • File Opt - to modify file types to be recovered
  • Quit - to cancel recovery

6. Let's go to Options. Here, we have the following:

• • Paranoid - if enabled, verifies recovered files, and invalid files are rejected. Another option here, bruteforce, if enabled, tries to recover fragmented JPG files.
  • Keep corrupted files - if enabled, keeps invalid files. Use it if you want to try to repair them with other tools.
  • Expert mode - if enabled, allows an examiner to force the block size and the offset.
  • Low memory - use it if your workstation doesn't have enough memory to avoid recovery crashes.

7. Now let's check File Opt. Here, we have a long list of file types supported by the tool. Use the s button to check all file types or to disable all. Use spacebar if you want to enable or disable some of the types. To save changes use b.

Now we have looked through the available options, and are ready to start recovery.

8. Choose Search and press Enter. It's time to choose the file system type. We know that there are only two options, and that there are no EXT partitions on our image, so we choose Other.
   

9. Now we need to choose the destination path for the files being recovered. We recommend creating one before starting the file carving process. In our case, the destination folder is X:52-Carved, as you can see in the following figure:

10. Use the C button to start the file carving process.
11. Once the process is finished, you will have one or more folders (recup_dir.1, recup_dir.2...) with recovered files. It's important to note that these folders can be accessed before the recovery is finished.