File carving is one of the most misunderstood techniques in digital forensics. Many analysts assume it functions as an automatic recovery solution: point a tool at a drive, press run, and retrieve everything that was deleted. The reality is more demanding. The role of file carving forensics is to recover data when file system metadata is absent, corrupted, or deliberately wiped, operating entirely on raw binary content. It is precise, powerful, and prone to producing noise that can mislead an investigation if the output is not rigorously validated. This article covers how it works, where it fails, and how to use it correctly.
Table of Contents
- Key takeaways
- The role of file carving forensics in evidence recovery
- File carving techniques and the fragmentation problem
- Forensic workflow and validating carved output
- Emerging techniques: AI and distributed carving
- Choosing the right file carving tool
- My take on carving as a forensic discipline
- How Makkarisecurity supports complex carving investigations
- FAQ
Key takeaways
| Point | Details |
|---|---|
| Metadata-agnostic recovery | File carving scans raw disk sectors, bypassing file system tables entirely to recover deleted or hidden data. |
| Fragmentation is the core challenge | Classical carving tools struggle with fragmented files; advanced and AI-assisted methods significantly improve accuracy. |
| Validation is non-negotiable | Carved files must be verified against structural rules and content checks before being treated as evidence. |
| Tool selection matters | No single tool suits every scenario; matching the tool to the investigation type reduces false positives and processing time. |
| AI is reshaping the field | Machine learning models now achieve up to 95% accuracy reconstructing fragmented files, changing what is recoverable. |
The role of file carving forensics in evidence recovery
File carving operates on a deceptively simple principle. When a file is deleted, the file system typically removes the pointer to that file, not the data itself. The sectors containing the file's content remain on disk until overwritten. Carving tools scan those sectors sequentially, searching for known byte sequences that mark the start and end of specific file types. These are called magic bytes or file signatures, and every common format has them. A JPEG begins with "FF D8 FFand ends withFF D9. A PDF starts with %PDF`. The tool identifies these boundaries and extracts the content between them.
The metadata-agnostic nature of this process is what makes carving indispensable. When a file system's Master File Table (MFT) on NTFS or File Allocation Table (FAT) entries are corrupted, ransomware-encrypted, or wiped by a threat actor, traditional file system parsing fails entirely. Carving bypasses those structures and works directly with the raw data. This makes it the last viable recovery method in many breach investigations.
The forensic value extends well beyond recovering deleted documents or images. Carving can reconstruct deleted Windows Event Log files (EVTX), which record critical system activity. One practical technique involves carving 64KB blocks from disk images specifically to reconstruct those logs, recovering a timeline of attacker activity that would otherwise be invisible.
From an evidentiary standpoint, carving must be performed on a verified forensic image, never on the live drive. The chain of custody depends on it. Key considerations include:
- Acquiring a bit-for-bit image using tools such as
ddor formats like E01 before any carving begins - Documenting hash values of the image before and after carving to prove the source was not modified
- Targeting unallocated space specifically, rather than carving the entire image, to reduce processing time and limit scope
- Recording every tool used, every configuration applied, and every output generated
File carving techniques and the fragmentation problem
Classical signature-based carving works well for contiguous files. The tool finds a header, scans forward until it encounters the corresponding footer, and extracts everything in between. Tools like Scalpel and PhotoRec are effective in this scenario and remain the workhorses of many forensic labs. Scalpel allows precise configuration of signature patterns, making it well suited to targeted investigations where you know what file types are relevant. PhotoRec, despite its name, recovers far more than photographs and supports hundreds of file formats out of the box.
The problem arises with fragmentation. Modern operating systems do not always write files contiguously. A large video file might be split across dozens of non-adjacent clusters. Signature-based carving finds the header and then either extracts a corrupted partial file or, worse, extracts data from an unrelated file that happened to start where the footer should have been. The result is a false positive: a file that looks valid but contains meaningless or misleading content.
Advanced techniques address this in several ways:
- Structure-aware carving analyses the internal format of a file type rather than relying solely on header and footer positions. For JPEG files, this means verifying that the extracted data contains valid Huffman tables and quantisation matrices, not just the right start and end bytes.
- Entropy filtering measures the randomness of data blocks. Encrypted and compressed content produces high entropy, which distinguishes it from plaintext. Combining signature and entropy analysis reduces false positives and sharpens boundary detection.
- Semantic carving goes further by using statistical models to classify block content, grouping fragments that likely belong together before attempting reconstruction.
Anti-forensics techniques compound these challenges. Threat actors increasingly use tools that overwrite file headers specifically to defeat signature carving, or store data in formats that produce ambiguous signatures. Recognising these patterns is as important as knowing how the carving tools work.
Pro Tip: When carving a drive where anti-forensics activity is suspected, run an entropy scan across unallocated space before configuring your carving tool. Clusters of high-entropy blocks in unexpected locations often indicate encrypted data stores or deliberate obfuscation worth investigating manually.
Forensic workflow and validating carved output
The practical workflow for file carving in a professional investigation follows a clear sequence, but the step most analysts underinvest in is validation. Producing thousands of carved files is straightforward. Determining which of them are genuine, relevant, and admissible is the actual work.
Carving must be performed on forensic images rather than live drives, and targeting unallocated space specifically keeps processing focused and defensible. A triage approach helps further: carve only the file types relevant to your investigation hypothesis rather than running every signature in the tool's catalogue.
Validation steps that should be applied to every carved output include:
- Header validation: Confirm the file's internal structure matches its claimed type. A JPEG with an invalid Start of Frame marker is not a JPEG.
- Length checks: Compare the extracted file size against the expected range for that file type. A 2GB PNG is almost certainly a false positive.
- Content consistency: For documents, verify that internal metadata fields (creation date, author, application version) are coherent and plausible.
- YARA rule matching: Apply targeted YARA rules to identify files containing keywords, patterns, or artefacts relevant to the investigation. This is particularly useful when carved files lack original filenames or directory paths.
- Keyword searching: Run index searches across carved output to surface relevant content without manually reviewing every file.
The absence of original filenames and paths is one of the most underappreciated challenges in carving. The tool recovers content, not context. An analyst examining thousands of recovered files with generic names like file0001.jpg must use YARA rules, keyword searches, and manual review to establish relevance. That interpretive responsibility sits with the analyst, not the tool. Ensuring this process is documented for court admissibility is equally critical.
Pro Tip: On large-scale investigations involving drives over 2TB, pre-filter unallocated blocks by entropy before running your carving tool. This alone can reduce the volume of data processed by 40 to 60 percent, cutting both time and storage requirements significantly.
Emerging techniques: AI and distributed carving
The most significant development in file carving over the past three years is the application of machine learning to fragment reassembly. Classical tools fail on fragmented files because they have no way to determine which blocks belong together. AI models approach this differently. They classify individual blocks by content type and then group fragments probabilistically based on learned patterns.
| Approach | Fragmented file accuracy | Processing speed | Best use case |
|---|---|---|---|
| Signature-based (classical) | Low to moderate | Fast | Contiguous files, known formats |
| Structure-aware carving | Moderate | Moderate | Format-rich investigations |
| Entropy filtering | Moderate | Fast | Encrypted/compressed data detection |
| AI and deep learning | Up to 95% | Slower (GPU-dependent) | Heavily fragmented or overwritten data |
| Distributed/parallel carving | Variable | Very fast | Large-scale investigations (100TB+) |
AI models such as Carve-DL, which use architectures like Swin Transformer and ResNet, achieve approximately 95% accuracy on fragmented file reconstruction. That is a step change from classical methods. For investigations involving heavily overwritten drives or sophisticated threat actors who have deliberately fragmented data, this capability is no longer optional.
Large-scale investigations involving 100TB or more of data require parallel and distributed carving approaches. Splitting the image across multiple processing nodes and applying entropy filtering to focus on relevant blocks makes the difference between a week-long processing run and an overnight one. This is where forensic infrastructure, not just tool selection, becomes a competitive factor.
Carving volatile memory and cloud snapshot analysis represent the frontier. Memory carving can recover process artefacts, network connection tables, and encryption keys that never touch disk. Cloud snapshots, when accessible, can be carved using the same techniques applied to disk images, opening recovery options in environments where traditional disk forensics is impossible.
Choosing the right file carving tool
No single tool is the right choice for every investigation. The decision depends on the file types you are targeting, the degree of fragmentation you expect, the scale of the dataset, and whether the output needs to meet court admissibility standards.
| Tool | Strengths | Limitations | Best scenario |
|---|---|---|---|
| PhotoRec | Broad format support, open-source, fast | Limited configurability, no validation features | Quick triage, broad recovery |
| Scalpel | Highly configurable signatures, targeted carving | Requires manual signature setup, no AI support | Targeted investigations, known file types |
| Foremost | Simple configuration, reliable on contiguous files | Poor fragmented file handling | Small drives, straightforward cases |
| Belkasoft Evidence Centre | GUI-driven, validation features, integrated analysis | Commercial cost, Windows-only | Enterprise investigations, court-bound cases |
PhotoRec's broad file type support makes it the default starting point for many analysts, but its lack of validation features means the output requires significant manual review. Scalpel's configurability is its strength. You define exactly which signatures to search for, which reduces noise considerably when you know what you are looking for.
For enterprise-scale investigations where output must be court-admissible, a commercial platform with integrated validation and reporting is worth the investment. The forensic capabilities required for large, complex cases go beyond what open-source tools provide out of the box, particularly around chain of custody documentation and structured output for legal review.
Key selection criteria for any investigation:
- Does the tool support the file types relevant to this case?
- Can it handle fragmented files, or will you need a secondary AI-assisted tool?
- Does it produce structured, auditable output suitable for court?
- What platform does it run on, and do you have the processing resources to support it?
My take on carving as a forensic discipline
I have reviewed investigations where analysts submitted hundreds of carved files as potential evidence without applying a single validation step. The files had the right extensions, the right headers, and absolutely no evidentiary value. Some were fragments of unrelated data that happened to match a signature. A few were outright false positives that could have misled the investigation entirely.
File carving is a surgical tool. It requires the analyst to understand not just how to run the tool, but how to interpret what comes out of it. The importance of file carving in forensic work is not in the volume of files it produces. It is in the quality of what survives validation.
What I have found consistently is that the analysts who use carving most effectively treat the output as a starting point, not a conclusion. They apply YARA rules, they check internal structure, they cross-reference recovered artefacts against other evidence sources. They ask whether a recovered file makes sense in the context of the investigation before it goes anywhere near a report.
The rise of AI-assisted carving is genuinely useful, but it introduces a new risk: over-reliance on accuracy statistics. A 95% accuracy rate on fragmented reconstruction still means one in twenty files is wrong. In a set of ten thousand carved files, that is five hundred errors. Validation remains the analyst's responsibility regardless of how sophisticated the tool is.
— Luke
How Makkarisecurity supports complex carving investigations
When an investigation requires more than a standard carving run, the depth of forensic expertise behind the process becomes the deciding factor.
Makkarisecurity's DFIR team handles large-scale, court-admissible forensic investigations across the UK, Gibraltar, and Europe. From targeted file recovery in forensics to full incident response engagements, the team applies rigorous validation workflows to every carved output, ensuring that recovered evidence holds up under legal scrutiny. Whether you need breach counsel support for admissibility guidance or a full forensic examination of compromised storage, Makkarisecurity brings both the technical capability and the evidentiary rigour your case requires. Contact the team to discuss your investigation.
FAQ
What is file carving in digital forensics?
File carving is a data recovery technique that scans raw disk sectors for known file signatures, recovering files without relying on file system metadata. It is used when file system records are corrupted, deleted, or deliberately wiped.
Why does file fragmentation make carving difficult?
When a file is stored across non-adjacent disk sectors, classical signature-based tools cannot reliably identify which blocks belong together, leading to corrupted output or false positives. Advanced and AI-assisted methods address this by classifying block content and reassembling fragments probabilistically.
How do analysts validate carved files for court use?
Validation involves checking internal file structure, verifying file length against expected ranges, applying YARA rules, and running keyword searches to confirm relevance. Every step must be documented to support chain of custody requirements.
Which file carving tools are most widely used?
PhotoRec and Scalpel are the most common open-source tools. PhotoRec offers broad format support for quick triage, while Scalpel provides configurable signature-based carving for targeted investigations. Commercial platforms offer additional validation and reporting features suited to court-bound cases.
Can file carving recover encrypted or compressed files?
Signature-based carving alone struggles with encrypted data because encryption removes recognisable headers. Entropy-based analysis identifies high-randomness blocks that indicate encrypted or compressed content, allowing analysts to locate and investigate those regions specifically.