Forensic data recovery is the science and art of retrieving information from a mobile device, computer, or any other electronic media that was damaged, lost, deleted, or hidden (Casey, 2011). Forensic data recovery is different from other processes of data recovery in terms of the method used, but the results are the same. With forensic data recovery, objectives are laid out from the outset, since claims can be compromised if the evidence is not well examined and adequately dealt with. Forensic data recovery is unique in that it deals with legal matters and is therefore needed in court. It is done by specialists who acquire, isolate, and report on electronic evidence and digital media (Breeuwsma et al., 2007).
One of the techniques used in forensic data recovery is file carving, which extracts data from a storage device with no need for the file system that created the file initially. It recovers files and data from unallocated space, where no file information remains (Richard, Roussev, & Marziale, 2007). Unallocated space is the area of the drive that no longer has any file information. File carving is most useful when data or a file is damaged or goes missing. Most file systems do not entirely remove data when it is deleted; instead, they remove the knowledge of where it is placed. File carving reconstructs files by scanning the raw disk bytes and bringing them together (Povar & Bhadran, 2010). This involves only the first and last few bytes. Most legal cases that depend on this mechanism are child pornography cases, where experts recover more images from users’ hard disks.
File recovery is different from file carving. Operating systems currently on the market do not remove a deleted file without requesting confirmation from the user. Deleted files can be recovered using forensic programs if the erased file space has not been overwritten by another file. A damaged file is recoverable only if its data is not corrupted beyond a minimal degree (Cohen, 2007). File recovery and file restoration are also different: in restoration, a backup file stored in an encoded form is restored to its decoded form. File recovery mechanisms use file system information, and with this information many deleted or damaged files can be recovered. Whenever that information is incorrect, file recovery cannot work.
File carving works only on the raw data on the media and is not linked with the file system structure. File carving is not concerned with whichever file system is used for storing files. For example, in the FAT file system, when a file is deleted its directory entry is moved to unallocated space (Povar & Bhadran, 2010). The first character of the filename is substituted with a marker, but the file data itself is left unmoved. The information is present until it is overwritten. All this recovery is possible since the file system stores, retrieves, and updates files. File carving, however, has two issues. The first is that without a file system the original name of the file cannot be discovered. The second is that when a file is stored in a contiguous chunk, which is appropriate for large files, this technique is not able to recover the complete file.
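
A minimal header/footer carver for the mechanism described above, as an added example that is not part of the original text. The function names, the JPEG signatures chosen, and the six-sector sample image are assumptions made for illustration; the sample includes a FAT-style deleted directory entry (first name byte 0xE5) that the carver never consults, which is why the carved files are named by offset rather than by their original names.

```python
import hashlib

SECTOR = 512
JPEG_HEADER = b"\xff\xd8\xff"  # first bytes of a JPEG
JPEG_FOOTER = b"\xff\xd9"      # last bytes of a JPEG

def carve(raw, header=JPEG_HEADER, footer=JPEG_FOOTER, max_size=1 << 20):
    """Scan raw bytes for header..footer spans; no file system metadata is used."""
    found, pos = [], 0
    while (start := raw.find(header, pos)) != -1:
        # Take the first footer within max_size bytes of the header.
        end = raw.find(footer, start + len(header), start + max_size)
        if end == -1:            # footer missing, overwritten, or out of range
            pos = start + 1
            continue
        end += len(footer)
        data = raw[start:end]
        found.append({
            "name": f"carved_{start:08x}.jpg",  # original name is unknown
            "offset": start,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),  # for the evidence report
        })
        pos = end
    return found

def build_sample_image():
    """Constructed sample: six sectors standing in for unallocated space."""
    def sector(payload=b""):
        return payload.ljust(SECTOR, b"\x00")
    # FAT-style deleted directory entry: first filename byte replaced by 0xE5.
    dirent = b"\xe5OLIDAY JPG" + b"\x20" + b"\x00" * 20
    pic1 = JPEG_HEADER + b"\xe0" + b"constructed image one" + JPEG_FOOTER
    pic2 = JPEG_HEADER + b"\xe1" + b"constructed image two" + JPEG_FOOTER
    partial = JPEG_HEADER + b"\xe0" + b"tail overwritten"  # header, no footer
    return b"".join([sector(dirent), sector(pic1), sector(),
                     sector(pic2), sector(), sector(partial)])

if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(hit["name"], hit["offset"], hit["size"], hit["sha256"][:16])
```

The third header in the sample has no footer and is skipped, which is the behaviour to expect once the tail of a deleted file has been overwritten.
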
- Breeuwsma, M., De Jongh, M., Klaver, C., Van Der Knijff, R., & Roeloffs, M. (2007). Forensic data recovery from flash memory. Small Scale Digital Device Forensics Journal, 1(1), 1-17.
- Casey, E. (2011). Digital evidence and computer crime: Forensic science, computers, and the internet. Academic Press.
- Cohen, M. I. (2007). Advanced carving techniques. Digital Investigation, 4(3-4), 119-128.
- Povar, D., & Bhadran, V. K. (2010, October). Forensic data carving. In International Conference on Digital Forensics and Cyber Crime (pp. 137-148). Springer, Berlin, Heidelberg.
- Richard, G., Roussev, V., & Marziale, L. (2007, January). In-place file carving. In IFIP International Conference on Digital Forensics (pp. 217-230). Springer, New York, NY.