Research Article
Forensic Data Carving
@INPROCEEDINGS{10.1007/978-3-642-19513-6_12, author={Digambar Povar and V. Bhadran}, title={Forensic Data Carving}, proceedings={Digital Forensics and Cyber Crime. Second International ICST Conference, ICDF2C 2010, Abu Dhabi, United Arab Emirates, October 4-6, 2010, Revised Selected Papers}, proceedings_a={ICDF2C}, year={2012}, month={5}, keywords={Cyber Forensics Data Carving Slack Space Lost and Unallocated Clusters}, doi={10.1007/978-3-642-19513-6_12} }
- Digambar Povar
V. Bhadran
Year: 2012
Forensic Data Carving
ICDF2C
Springer
DOI: 10.1007/978-3-642-19513-6_12
Abstract
File or data carving is a term used in the field of Cyber forensics. Cyber forensics is the process of acquisition, authentication, analysis and documentation of evidence extracted from and/or contained in a computer system, computer network and digital media. Extracting data (file) out of undifferentiated blocks (raw data) is called as carving. Identifying and recovering files based on analysis of file formats is known as file carving. In Cyber Forensics, carving is a helpful technique in finding hidden or deleted files from digital media. A file can be hidden in areas like lost clusters, unallocated clusters and slack space of the disk or digital media. To use this method of extraction, a file should have a standard file signature called a file header (start of the file). A search is performed to locate the file header and continued until the file footer (end of the file) is reached. The data between these two points will be extracted and analyzed to validate the file. The extraction algorithm uses different methods of carving depending on the file formats.