When file system metadata is gone, damaged, or untrustworthy, file carving in digital forensics is often the only way to recover useful evidence. It is the difference between seeing a blank volume and finding deleted documents, images, or archives hidden in raw data. This guide walks through the full workflow so you can carve evidence without destroying it.
Certified Ethical Hacker (CEH) v13
Learn essential ethical hacking skills to identify vulnerabilities, strengthen security measures, and protect organizations from cyber threats effectively
Get this course on Udemy at the lowest price →Quick Answer
File carving in digital forensics is the process of recovering files from raw data when file system metadata is missing, damaged, or unavailable. The standard workflow is acquisition, analysis, signature detection, carving, validation, and reporting. It matters in incident response, ransomware cases, and legal investigations because recovered files must be preserved, verified, and documented to hold evidentiary value.
Quick Procedure
- Acquire a forensic image of the evidence and verify hashes.
- Preserve chain of custody and work only on a copy.
- Identify target file types using headers, footers, and signatures.
- Scan unallocated space, slack space, and the full image for matches.
- Carve files with an appropriate tool and record offsets.
- Validate recovered files in native viewers or parsers.
- Document results, limitations, and confidence levels in the report.
| Primary Technique | File carving from raw data as of June 2026 |
|---|---|
| Best Use Case | Deleted or damaged files when metadata is unavailable as of June 2026 |
| Typical Evidence Sources | Disk images, RAW volumes, memory cards, unallocated space as of June 2026 |
| Common Output | Recovered JPEG, PDF, ZIP, DOCX, and other artifacts as of June 2026 |
| Core Risk | False positives, fragmentation, truncation, and partial recovery as of June 2026 |
| Forensic Priority | Validate and document every recovered file as of June 2026 |
Introduction
File carving is the process of recovering files from raw data when file system metadata is missing, damaged, or unavailable. That makes it different from ordinary file recovery, which relies on directory entries, allocation tables, or journal records. In practice, file carving in digital forensics is used when investigators need evidence from media that has been deleted, reformatted, corrupted, or deliberately altered.
This matters in Digital Forensics, Incident Response, and legal investigations because the evidence source may be the only place a message, image, or archive still exists. A carved file can support a timeline, show intent, or confirm exfiltration activity. It can also become a weak point in court if the process was sloppy, undocumented, or overconfident.
“Carving is not proof by itself. It is an evidence-recovery method that becomes useful only when it is validated, scoped, and documented.”
The core workflow is straightforward: acquire the media, analyze the image, detect signatures, carve the file, validate the result, and report the findings. The details are where most mistakes happen. That is also why this topic fits naturally with the skill set taught in the Certified Ethical Hacker (CEH) v13 course, especially when ethical hacking and forensic response overlap after an intrusion or ransomware event.
Note
For a quick technical refresher on evidence handling and incident response discipline, ITU Online IT Training aligns this topic with real-world defensive workflows rather than toy examples.
Understanding File Carving Fundamentals
Files are stored on disk in clusters or blocks, not as one continuous physical object you can always read from top to bottom. A file system tracks where those clusters live, how they belong together, and whether they are currently in use. When a file is deleted, its data often remains on disk until new writes overwrite those blocks.
That is why recovered data is often possible from Raw Data even after a user thinks the file is gone. The same thing happens after formatting, corruption, wiping attempts that are incomplete, or partial overwrites. In a forensic image, you may find allocated space, unallocated space, and slack space all holding different clues.
Allocated, Unallocated, and Slack Space
Allocated space is the portion currently assigned to active files. Unallocated space is space marked free by the file system but still containing old data until it is overwritten. Slack space is the unused area at the end of a file’s last cluster, and it often contains fragments of previous content.
These distinctions matter because file carving in digital forensics is not limited to deleted files. Investigators may pull a full JPEG header from unallocated space, a PDF trailer from slack space, or a ZIP archive fragment from a partially cleaned volume. Even a single block can reveal a filename, application metadata, or embedded document structure.
Headers, Footers, and Magic Bytes
File headers and file footers are the anchor points used during carving. Many file types start with a recognizable signature, often called magic bytes, and some also end with a standard footer. For example, JPEG files commonly begin with FF D8 FF, PNG files begin with 89 50 4E 47, and PDF files begin with %PDF.
These signatures help a tool identify likely files even when the file name and directory structure are gone. The downside is false positives. A generic byte pattern can appear in unrelated data, so signature detection must be paired with structure validation. The NIST Digital Forensics and Incident Response guidance in NIST SP 800-86 remains a useful reference for evidence handling and forensic process discipline.
When File Carving Is Appropriate
File carving is appropriate when the evidence source no longer has trustworthy file system records. That includes deleted files, damaged partitions, RAW images, and partially overwritten volumes. It is especially useful when the partition table is broken but the actual content still exists on disk.
It also comes up in ransomware cases, anti-forensic activity, and memory card corruption. If a user tried to wipe a device quickly, or an attacker deleted logs before leaving, carving may expose remnants the file system cannot describe. In those situations, file carving in digital forensics can recover useful artifacts even when normal browsing tools show nothing.
When Carving Helps and When It Does Not
| Good fit | Deleted files, RAW volumes, damaged partitions, and recoverable unallocated space |
|---|---|
| Poor fit | Heavily fragmented files, securely wiped media, encrypted containers, and fully overwritten sectors |
That comparison is the key to choosing the right approach. Carving works best when data still exists in contiguous runs. It works poorly when data has been split across many nonadjacent clusters or when the storage device has been sanitized.
Before carving anything, define the case goal. If you need proof of file presence, timestamps, or user activity, carving alone may not be enough. BLS notes that digital forensic investigators and related specialists are part of a broader evidence-driven profession, and the workflow must support defensible conclusions rather than just technical curiosity; see the U.S. Bureau of Labor Statistics Computer and Information Technology Occupations overview.
Prerequisites
Before you carve anything, you need the right setup. Skipping prerequisites is how evidence gets contaminated and results become hard to defend.
- Forensic image acquisition tools such as a trusted imager and a write blocker.
- Hashing tools to verify source and image integrity with SHA-256 or SHA-1 when appropriate for your workflow.
- Evidence documentation for chain of custody, labels, timestamps, and storage location.
- Forensic analysis workstation isolated from production systems.
- Knowledge of common file formats such as JPEG, PNG, PDF, ZIP, and DOCX.
- Permission and scope that clearly authorize analysis of the evidence source.
- Basic hex-editing skills for manual inspection when tools fail.
Forensic image creation should happen before any carving begins. In practice, that means imaging the original media, verifying the hashes, and preserving the original in secure storage while all analysis happens on a duplicate. This is standard evidence handling, not optional hygiene.
For acquisition and storage best practices, the official guidance from CISA Digital Forensics resources is a practical starting point, especially when evidence may later be reviewed by legal counsel or outside auditors.
Preparing Evidence for Analysis
Bit-for-bit imaging is the safest way to prepare evidence because it captures every readable sector, not just what the file system says is in use. Use a write blocker whenever possible. If the evidence is a drive, card, or USB device, the image should be the thing you mount and analyze, not the original source.
During acquisition, record the device model, serial number, date, time, examiner, and hash values. If you are handling chain of custody correctly, you should be able to explain where the evidence came from, who touched it, and whether it changed. That level of detail matters because carved files are only useful if their origin can be defended.
Common Forensic Formats
RAW, E01, and AFF are common forensic formats. RAW is simple and broadly compatible. E01 adds metadata, compression, and segmentation. AFF is also used in some labs for metadata-rich acquisition and analysis.
The choice depends on storage, case size, tool compatibility, and required documentation. A smaller case with a single drive may work fine in RAW. A larger multi-terabyte case may be better served by a format that supports compression and embedded metadata. The important point is to keep the analysis copy separate from the source and to log every action.
Warning
Never carve directly from an original device unless there is no alternative and the legal process explicitly allows it. One accidental write can destroy the exact sectors you needed to recover.
Tools Commonly Used for File Carving
Several tools are commonly used for file carving in digital forensics, and each has a different strength. PhotoRec, Scalpel, Foremost, and bulk_extractor are popular open-source options for recovery and artifact discovery. Autopsy and the Sleuth Kit are often used for review, triage, and deeper forensic analysis.
Hex editors and disk viewers still matter because automated tools do not always explain what they found. When you inspect an offset manually, you can see whether a header is real, whether the footer is present, and whether the data between them makes sense. That is often the difference between a clean recovery and a false positive.
Automated Versus Manual Carving
| Automated carving | Fast, scalable, and useful for large images with common file signatures |
|---|---|
| Manual carving | Slower, but better for edge cases, validation, and incomplete or unusual files |
Automated tools are excellent for bulk triage. Manual carving is what you use when the tool output looks wrong, the file is fragmented, or the artifact is unusually valuable. In real investigations, the best answer is usually both: automate first, then verify manually.
Tool selection should match the evidence. A small USB image with mostly JPEGs can be handled differently than a multi-terabyte server snapshot or a damaged memory card. For official product documentation and file type handling tips, Microsoft’s security and file-format references on Microsoft Learn are useful when your recovered artifacts involve Windows-native file structures.
Identifying File Signatures and Structures
File signatures are byte patterns that identify a file type. Some formats can be carved with simple header-footer matching, while others need structural parsing to recover correctly. JPEG, PNG, PDF, ZIP, and DOCX are common examples, but not all of them behave the same way.
For example, JPEG is often suitable for straightforward carving because its boundaries are relatively easy to detect. ZIP-based formats such as DOCX are more complex because the file is really a container with internal directory records. That means a recovered DOCX may look like a ZIP archive until the internal structure is verified.
Why Container Formats Need More Care
Container formats package multiple files or structures inside one outer archive. DOCX, XLSX, PPTX, and many application packages use ZIP as the container, so carving one requires more than finding the starting bytes. You must confirm the internal directory entries, central records, and file relationships.
That is why some recovered files open and others fail. A file may have a correct header but be missing a central index, a footer, or the internal members needed by the application. In those cases, signature-based detection is only the first step, not the finish line.
When you work with unusual or proprietary files, format-specific knowledge becomes critical. The OWASP Top 10 is not a carving guide, but it is a reminder that file parsing and unsafe handling are common attack surfaces. In forensic work, the same caution applies to parser behavior and malformed content.
Performing the Carving Process
The carving process begins by scanning unallocated space, slack space, and the full disk image for known signatures. The goal is to find candidate starts and ends for files, then extract them without altering the source. In file carving in digital forensics, the quality of the scan determines the quality of the result.
Most tools let you target file types using filename masks, extension filters, or signature rules. That helps reduce noise. If your case focuses on a ransomware leak archive, for example, you might prioritize PDF, DOCX, XLSX, TXT, and image formats rather than every possible binary blob.
Step-by-Step Carving Workflow
-
Scan the image for signatures. Start with unallocated space, then expand to the whole image if needed. In a tool such as Scalpel or Foremost, configure file-type rules before running the scan so you are not pulling every possible match.
Record the image name, sector offsets, and time of the run. If you are using a hex editor, search for known magic bytes such as
FF D8 FFfor JPEG or%PDFfor PDF and note the exact offset. -
Apply file-type filters and size rules. Restrict carving to the formats relevant to the case. A minimum file size can eliminate a lot of junk fragments, while offset alignment can reduce false positives from repeated patterns.
If you suspect a specific file class, narrow the search. For example, many forensic tools allow you to enable only JPEG, PNG, and PDF signatures for a media-exfiltration case instead of scanning for hundreds of formats.
-
Extract candidate files. Let the tool write recovered artifacts to a separate output directory on a working copy. Never output to the same volume being analyzed. Track the original offset for every carved file so you can later explain exactly where it came from.
That offset matters for testimony. It also helps you compare a carved artifact to surrounding sectors if the file turns out to be truncated or partially overwritten.
-
Try manual carving when automation fails. If an automated tool stops early or misidentifies a footer, inspect the region with a hex editor. You can sometimes rebuild a short file by copying from the detected header to the last valid structural marker, then saving the output as a recovered artifact.
This is especially useful with media files, small documents, and archives where the main structure is intact but the final bytes are damaged.
-
Log every decision. Note tool settings, offsets, hashes, and file names at the moment of extraction. The output should be reproducible by another examiner using the same image and settings.
That log becomes part of the forensic record. Without it, the recovery may be technically real but procedurally weak.
Offset tracking is not just clerical work. It is what links the carved file back to the exact place on disk where it was found. That link can support later validation, timeline analysis, or courtroom explanation.
Handling Fragmented or Partial Files
Fragmentation complicates carving because the file’s pieces are not stored in one continuous run of clusters. A simple header-footer tool may recover the first piece and miss everything after the gap. That is why some files come back incomplete even when the file type was identified correctly.
Advanced carving approaches try to infer structure from content, use file-system-aware logic, or reconstruct likely fragment chains. These methods are more complex, but they can recover more useful data when the evidence is messy. In hard cases, you may recover only a partial document, a few pages of a PDF, or a partial image that still contains valuable context.
How to Prioritize Partial Recovery
If the evidence source is damaged, prioritize artifacts by value. Look first for items tied to the case goal: ransom notes, exfiltration archives, employee documents, or images showing suspicious activity. Even partial recovery can be enough if it proves the existence of a file or captures unique content.
When you report partial results, say so plainly. Do not overstate recovered data as complete if the end of the file is missing or the structure is broken. A precise report is more useful than an inflated one.
The MITRE ATT&CK framework is useful when you are mapping recovered artifacts to attacker behavior, especially in cases involving anti-forensic activity or ransomware. It helps you connect technical evidence to tactics instead of treating every recovered file as an isolated object.
Validating and Verifying Recovered Files
Recovered files must be validated before they are treated as evidence. A file that opens correctly in its native application is a good sign, but it is not enough on its own. You still need to check the structure, confirm the content, and compare it to surrounding evidence.
Verification means checking that the carved file is complete enough, correctly structured, and consistent with what you expected to find. If the file header says PDF but the body contains random bytes, you may have a false positive. If the footer is missing, the file may be partial or truncated.
Validation Checklist
- Open the recovered file in the native application when possible.
- Compare hashes if a known-good hash exists.
- Check embedded metadata such as author, creation date, or camera data.
- Use a parser or viewer to confirm structure and detect anomalies.
- Record whether the file is complete, partial, or damaged.
Validation should also include contextual checks. A carved image from a suspicious USB device might match a filename mentioned in chat logs or email headers. A carved ZIP file may contain directory names that line up with known projects or user accounts. That context can raise confidence even when the file is not perfect.
For standards-based forensic reporting and image validation practices, ISO/IEC 27001 and related ISO guidance are useful reference points for organizations that need a repeatable control structure around evidence handling.
Documenting Findings and Building the Report
Good forensic work ends with a report that another professional can understand without guessing. Summarize what was recovered, where it was recovered from, when it was found, and under what conditions. Include timestamps, offsets, hashes, and tool settings so the process can be repeated if needed.
The report should also describe what you could not prove. If a file was partially recovered, say so. If fragmentation limited recovery, explain the limitation. If a footer was missing, note that the file may be incomplete and therefore only partially reliable.
What the Report Should Contain
- Evidence description and chain-of-custody summary.
- Image hash values and acquisition method.
- Tool names, versions, and carving settings.
- Offsets and source locations for each recovered file.
- Validation results and confidence level.
- Limitations, assumptions, and unresolved questions.
Screenshots, logs, and appendices make the report more defensible. They also help attorneys, executives, and incident responders understand what was found without reading raw hex dumps. The best report is detailed enough to support reproduction but readable enough to support decision-making.
For broader workforce and role context, the ISSA community and the NIST NICE Workforce Framework both reinforce the need for clear evidence handling, technical rigor, and repeatable documentation in defensive and investigative roles.
Best Practices and Common Mistakes
The biggest best practice is simple: never analyze the original evidence when a copy will do. That one rule protects integrity, preserves defensibility, and keeps the investigation from being challenged later. If you follow that rule and validate every recovered file, most of the common failures become avoidable.
Another mistake is overrelying on automated carving. Tools are fast, but they are not always accurate. Generic signatures, repeated patterns, and malformed containers can produce false positives that look convincing until you try to open them.
Common Mistakes to Avoid
- Carving from the original device instead of a forensic copy.
- Assuming every header match is a valid file.
- Ignoring fragmentation and partial overwrites.
- Failing to record offsets and tool settings.
- Overstating confidence when the file is incomplete.
- Forgetting that encryption or secure wiping can make carving ineffective.
Careful notes are not busywork. They are what make the process repeatable and defensible in court or internal review. If a second examiner cannot reproduce the result, the recovery may still be technically interesting, but its evidentiary value drops fast.
The PCI Security Standards Council publishes requirements that reinforce evidence discipline in regulated environments, and the same mindset applies here: verify, document, and limit scope. For investigative teams supporting compliance-heavy cases, that discipline matters as much as the recovery itself.
Key Takeaway
- File carving in digital forensics recovers files from raw data when metadata is missing, damaged, or unavailable.
- The safest workflow is acquisition, analysis, signature detection, carving, validation, and reporting.
- Carving works best on contiguous data and is weaker on fragmented, encrypted, or securely wiped media.
- Recovered files must be validated with structure checks, application-level tests, and contextual evidence.
- Documentation, offsets, hashes, and tool settings determine whether the recovery is defensible.
Certified Ethical Hacker (CEH) v13
Learn essential ethical hacking skills to identify vulnerabilities, strengthen security measures, and protect organizations from cyber threats effectively
Get this course on Udemy at the lowest price →Conclusion
File carving is powerful, but it is never perfect. It can recover deleted documents, media, and archives from raw data, yet it can also produce partial files, false positives, or misleading artifacts if you do not validate the results. That is why the full workflow matters more than the tool.
The process is simple to describe and harder to do well: acquire cleanly, carve carefully, validate thoroughly, and report precisely. When you combine carving with broader forensic analysis, the result is stronger evidence and better conclusions. That is the standard ITU Online IT Training pushes in practical security and investigation work, including the CEH v13 course where defensive analysis and attacker behavior often meet.
If you are preparing for a real investigation, start with a forensic image, use the right tools for the file types you expect, and document every step. Careful validation and clear reporting are what turn recovered bytes into evidence.
CompTIA®, Microsoft®, AWS®, EC-Council®, ISC2®, ISACA®, PMI®, and CEH™ are trademarks of their respective owners.
