File Carving

Premium room

Learn about the forensic technique known as file carving.

medium

90 min


Introduction

File carving is a vital technique in digital forensics, bridging the gap between low-level storage analysis and the recovery of critical evidence. When file systems like , FAT32, or ext4 fail to provide precise metadata, whether due to deletion, corruption, or intentional tampering, file carving steps in to extract files based on their structure and content.

Building on foundational concepts like structures, volume and partition analysis, and filesystem behaviour, this module immerses learners in practical scenarios where file carving uncovers the hidden, deleted, or fragmented. This sets the stage for mastering both manual and automated recovery techniques.

Learning Objectives

By the end of this room, you will have covered the following objectives and understand how carving integrates into broader forensic and incident response processes.

  • Recap the details of file systems and identify file signatures.
  • Understand the role of file carving in forensic investigations.
  • Perform manual and automated file carving and extract files based on identified signatures and file structures.
  • Recover files from diverse storage environments, such as , memory dumps, and reformatted drives.

Prerequisites

To embark on this room, having a solid grasp of the following concepts is recommended.

Connection to the Machine

In this room, we will use an Ubuntu virtual machine with the required forensic analysis tools installed. You can start the machine by clicking the Start Machine button above. The VM will take approximately 2 minutes to boot up and will open in split view. If the VM is not visible, use the blue Show Split View button at the top of the page.

Note: This room contains a non-guided challenge in Task 6.

Story

A mid-sized tech company, DataSyncTHM Solutions, has been acquired by a larger conglomerate, IntegriTech Inc. The acquisition is set to merge technologies and operational data. During the transition, IntegriTech suspects that the R&D department at DataSync may have mishandled proprietary information during the acquisition. Key areas of concern include:

  1. Critical files that appear to have been intentionally deleted.
  2. Hidden data is suspected to be embedded or concealed on company storage drives.
  3. The use of unconventional storage practices to obscure proprietary information.

As the forensic investigator, your role is to recover, analyse, and interpret data to determine what might have been tampered with. You’ll use manual and automated carving methods to locate and retrieve data from various sources, including formatted drives, , and memory dumps.

Answer the questions below

I am ready to embark on a file carving quest.
