I have spent several years developing programs that probably do what is called data carving.
I am concerned that what I consider to be two rather different areas are both called data carving
The first common approach is to find a signature,and sometimes a trailer and treat everything between as the file. For a sequential file this works, and often it is not important to detect the true end of the file.
The next approach is as above but to use more analysis of the file to determine the correct file length. (This can help produce a valid hash value as the hash is file length dependant).
The final approach is much more complex. This is the reconstruction of non sequential files, often joining several fragments from different areas of the disk, not always from data areas just following ther first cluster. Ideally this should be automatic, but at times manual intervention is also required.
Are all three appoaches just called data carving or are there more precise, or descriptive names for in particular the first and third approach?
From Google
http//
http//
There are others…just search for "data carving"
Quite a useful summary there in the ForensicsWiki. I know that Joachim pops in here now and again, perhaps he can help with any further questions.
Jamie
It does appear that Data Carving covers everything, and therefore any meanful reference needs to be expanded, such as Fragment Segment carving. In a way the Wikipedia list seems a good one to start from
Thanks
Michael