by Yuri Gubanov, Danil Nikolaev & Igor Mikhailov © Belkasoft Research
Carving is an irreplaceable technique widely used in data recovery and digital forensics. By using carving, we essentially perform a low-level scan of media for various artifacts, looking for signatures—specific sequences of bytes, characteristic of different types of data.
This also means that carving disregards files themselves in performing the byte sequence search, thus becoming extremely helpful in cases where data has been corrupted or deleted. However, its usefulness is not limited to one particular scenario. Let us take a look at various cases where carving comes in handy.
Renamed, relocated, hidden data
We talked briefly about using carving to find hidden, renamed, and relocated data in our whitepaper about countering common anti-forensic efforts. Since carving does not take into account the file itself, it does not care about its name and location either. Therefore, by performing carving, we ensure that files that have been slightly modified (e.g. change of original location, name, or extension) will be found on the media despite the changes the user applied in an attempt to conceal data. This also applies to data hidden inside containers and other forms of hidden data. As an example, images inserted into a MS Word document or scripts injected into a PDF file would not be visible in the file system, however, we would be able to find them using carving.
Deleted data in unallocated space, free space, and slack space
Unallocated space
Another important implication of carving is searching for data inside slack space and unallocated space.
What is unallocated space?
Any physical space on the hard drive that does not belong to a partition is considered ‘unallocated’. These areas are not recognized by the operating system and are generally unusable in regular means, unless you expand an existing partition or create a new one to include that space. In addition, there are some slightly more advanced techniques and tools that allow writing to the unallocated space, which is something that might be used by criminals.
Free space
Free space is a part of the allocated space on a drive that the operating system can use to write data to. However, it does not mean that this area is entirely empty, since deleting files does not physically remove them from the drive: it just means that the space they were using changes its status from occupied to free, and the operating system may now use it. Until some new file overwrites them entirely, it is still possible to locate the files that were deleted by carving free space.
Slack Space
Slack space is the area of the drive’s allocated space that is unused by any files, which often contains remnants of files that previously were stored there. The reason for the emergence of the slack space is that while the disk is divided into sectors of equal size, the files saved in each sector vary in size, leaving chunks of unused space. This space may contain remnants of old files, as well as being used for hiding data, and therefore might be a valuable source of data.
How carving works
What can and cannot be carved?
Most disks and disk images can be carved. It is also possible to perform partial disk carving. The implications of carving we mentioned above work on the types of media that employ hard drives or flash drives, but we have not touched on SSDs.
If a device uses an SSD or eMMC, carving for deleted data is impossible. However, existing files with modified extensions, as well as hidden and embedded files, can still be carved. Data could also be found in slack space.
Belkasoft has a series of articles that explore the possibilities and challenges related to the forensic examination of SSDs and eMMCs, you can find them here.
As we have already mentioned, carving works on the level lower than the file system, which implies that it is not possible to carve, for example, folders, as folders only exist in the file system.
In addition, carving is the only way to find data in the RAM.
Carving methods
Header signature
In most cases, carving looks for a stable file header signature. A good signature is one that is unique to a file type. It usually needs to be fairly long in order to secure uniqueness, which helps to prevent confusion between file types. Another important condition is that the signature needs to be constant, i.e. it remains unchanged in various conditions. Failure to fulfill those conditions leads to discovery of false positives, which is a somewhat common problem with carving for header signatures. An example of a bad signature would be, say, something like “0000000000” (likely not unique) or “MZ” (too short). An example of a good signature is a SQLite database header “SQLite Format 3”, which is long, unique, and constant.
Footer signature
Another way of performing carving is looking for а footer signature, which determines the end of a file. The main problem with looking for а footer signature is that it may easily be overwritten or located at the end of the disk space due to the fragmentation, which makes this method less reliable. When it is used, it is usually controlled, i.e. limited by a certain amount of bytes: if, for example, after looking through five consecutive megabytes of data one has not found the footer, they stop looking and consider it the end of a file.
File size
In some cases, it is possible to fetch the file length from its header, in which case we look through the next X bytes as determined by the size. However, not all file types include this information in their headers, in which case one would have to set up a certain limit on the amount of bytes to be read. In other cases, the file size data in the header might be incorrect. Generally, this method requires a certain amount of control checks in order to guarantee its effectiveness.
File carving vs. data carving
While talking about carving, it is important to distinguish between file carving and data carving, which are two related yet different terms. File carving is an attempt to use the file header to reconstruct the whole file. If a file header were damaged, recovery of a file would be impossible.
Data carving can be seen as carving of parts of a file in order to try to collect bits of data that might be relevant to the case. Data carving is possible even if a file header is damaged, or if a file is fragmented or damaged. This type of carving is particularly useful and efficient when used on “small” types of data, such as chats, browser URLs, or emails in common formats (EML, MIME etc).
How to perform carving
First, connect your data source to the computer to be used for running forensic analysis. A data source can be a device, a disk image, a memory dump, a hibernation file, or even a file. Make sure it is one of the “carvable” types of data sources.
Next, choose what you are going to carve, taking into account the amount of time you have, the types of data you are looking for, and the data source itself. Usually, the best option is to perform carving on the entire data source, including both allocated and unallocated space. However, if you are short on time or looking for specific data, you can choose which parts of the disk you want to carve. For example, if you are only looking for something that you know has just been deleted, it would make sense to start with carving only the allocated space, as most likely you would find the recently deleted information there. Some forensic software products (including Belkasoft Evidence Center) allow you to choose disk partitions to be carved.
As the final step, you would need to analyze the results—whatever carving was able to find and recover.
Using recovered data
Data collected using carving may further be examined with the help of various forensic software. With the help of an appropriate product, one can analyze dozens of various types of data, including pictures and videos, databases, etc, discovered by carving.
If after performing the analysis you are still missing some information, you may revert to custom carving.
Custom carving
Although most modern forensic tools are powerful and are designed to perform automatic carving in an efficient manner that almost eliminates the chances of missing data, if this does happen you can always perform custom carving. Most modern forensic software products come with some sort of a tool that can help you look through data and search for signatures. In BEC, this feature is called Hex Viewer and is built into the product. You can also automate this procedure by writing custom scripts.
See a part of custom carving C# script where several signatures are defined:
Carving with Belkasoft Evidence Center
Carving is a built-in feature of Evidence Center. The product allows users to perform full disk carving, or carve one or several partitions, carve memory dump or a physical image of a mobile device. BEC can carve a few hundred types of files and formats.
After the case has been created and the data source has been selected, Belkasoft Evidence Center prompts the user to choose what data types to search for. One can set up the carving options in this same window.
In order to make Belkasoft Evidence Center not only analyze files that exist on the data source but to carve data as well, it is important to tick the ‘Carve’ box. If you click on ‘Advanced options’ below the box, the ‘Advanced carving options’ window will pop up. You can set up any additional carving options there.
The available options are:
- All data—carving the selected data types, including carving files and free space.
- Free space only—carving the selected data types in free space only.
- Unallocated space—carving the selected data types in unallocated space.
When both the ‘Free space only’ and ‘Unallocated space’ boxes are ticked, BEC will only restore deleted files, thus separating them from any other files found on a data source.
The BelkaCarving feature is only available for analyzing memory dumps. Restored files will contain the following information in their names: file type (‘document’, ‘picture’, etc.), index number, and an extension matching the file type.
In case when both the ‘Analyze’ and ‘Carve’ options are selected, analysis results may contain duplicates.
The information about whether the file was extracted during a common analysis or was carved can be viewed in the ‘Properties’ tab, in the section called ‘Origin’.
Belkasoft Custom Carving
Belkasoft Custom Carving is a feature of Belkasoft Evidence Center, which allows users to add their own headers and footers or signature sets, so these signatures can be used by Belkasoft Evidence Center during the carving process. This functionality greatly expands the possibilities of carving performed by the tool. The non-standard user’s headers and footers are most commonly used when conducting investigations of DVR and CCTV systems.
One could add headers and footers using Options menu.
- Go to Tools → Options
- Click on Carver signatures tab
- Click on Add button and add your own header and footer.
In addition, one could import the third-party signature sets using the same ‘Carver signatures’ tab.
- Click on the ‘Import’ button and specify the path to the Scalpel or FTK (AccessData) signature file.
- Click on the ‘OK’ button. Signatures will be imported from these files into Belkasoft Evidence Center.
BelkaCarving
The BelkaCarving option can be activated in the ‘Advanced carving options’ window. BelkaCarving is a special algorithm that allows you to investigate fragmented data inside a RAM dump and restore processes that were running on the system. This functionality is available when analysing memory dumps, hibernation and page files.
In addition to the live processes, BelkaCarving is capable of restoring dead processes. The following information on a detected process is extracted:
- process name
- size
- offset
- status (whether the process is alive or dead).
The selected process can be viewed in the Hex Viewer.
In addition, the process can be analysed with VirusTotal or saved to a file for further investigation.
If BelkaCarving was not used during the analysis of a memory dump, hibernation or page file, the detected data will simply be displayed under the corresponding categories in Case Explorer (Browsers, Instant Messengers, Pictures, Documents, etc.).
If BelkaCarving was used during the analysis, the detected data will also be associated with specific processes.
Using the BelkaCarving feature, you can not only restore databases, but also associate them with a specific application. For example, you could see on the picture below that 13 files with the ‘.db‘ extension were associated with the restored process ‘chrome.exe‘. When viewing the file ‘common_000000113000.db‘ in Hex Viewer, you can see that this file is a SQLite database.
The contents of a SQLite file can be viewed using SQLite Viewer, which is integrated into Belkasoft Evidence Center.
BelkaScripts
When more flexible carving settings are required, one may use BelkaScripts. By default, Belkasoft Evidence Center includes two scripts that can be used as the basis for customizing its carving functionality: CustomCarvingHeader.belka and CustomCarvingHeaderFooter.belka.
This is the code of the CustomCarvingHeader.belka, which searches an image or a device for a specified header and extracts a sequence of bytes of a given length from it.
This short application written in BelkaScript is as powerful in its functionality as such well-known forensic tools as Scalpel and Foremost. The script CustomCarvingHeader.belka includes the possibility of displaying the results of the script’s execution:
- Output—displays the information about detected files with the header specified in the script in the Belkasoft Evidence Center window.
- Report—creates a report on the detected files.
- Extracts detected files to the investigator’s medium.
SQLite records carving
In addition to the deleted files, Belkasoft Evidence Center can carve SQLite database records. This feature is the most useful for investigations of logical images of mobile devices, file systems of mobile devices, instant messengers, web browsers, etc.
For example, you can recover records deleted from the contacts database of a mobile device, deleted SMS and MMS messages, calls and so on. Here is an example of a deleted record recovery from a SQLite Skype database.
One can use SQLite Viewer, which is integrated in Belkasoft Evidence Center, for in-depth SQLite database records recovery. Belkasoft Evidence Center can also carve and restore data from unallocated space in SQLite databases.
Conclusion
Belkasoft Evidence Center has a unique functionality for carving different file types: standard files that are supported out of the box, and custom user files via signatures. Evidence Center can use carving to restore deleted SQLite database records including carving from an unallocated space. The article describes the flexibility of Belkasoft Evidence Center carving features and BelkaScript.
You can find out more about Belkasoft Evidence Center and order your own copy here.