Manual Filecarving 1

1. Introduction

There are various types of digital files from Microsoft Word’s .docx files to executable programs and images. File extensions help identify a file but they are not always reliable as they can easily be manipulated. Standardized file types have unique signatures used by the operating system to identify, classify and display them to the user. The signatures can be identified in hex or ASCII format either as headers or footers indicating the start and end of a file. File types without footers might have a maximum file size specified. More information about different file signatures can be found in this table by Gary Kessler.

Header-footer or header-“maximum file size” carving—Recover files based on known headers and footers or maximum file size

• JPEG—”xFFxD8″ header and “xFFxD9” footer

• GIF—”x47x49x46x38x37x61″ header and “x00x3B” footer

• PST—”!BDN” header and no footer

• If the file format has no footer, a maximum file size is used in the carving program

HxD Editor download (Freeware):

Downloads | mh-nexus

HxD Hexeditor

Image for Filecarving:

JPEG: Deleted, no thumbnails, not overwritten, unfragmented in free unallocated space

17KB

Carve1.bin

2. Analysis

First we open the file carv1.bin with HxD Editor and search for the jpg header FFD8FF

Start Offset is 1258

After locating the jpg header we copy the offset and search for the jpg footer that starts with FFD9

End Offset is 2DE4

We can now mark the whole block, copy the content and paste it in a new file:

Save the file as extracted.jpg and have a look for the result:

Extracted JPG Image