# Manual Filecarving 1
### 1. Introduction
There are various types of digital files from Microsoft Word’s .docx files to executable programs and images. File extensions help identify a file but they are not always reliable as they can easily be manipulated. Standardized file types have unique signatures used by the operating system to identify, classify and display them to the user. The signatures can be identified in hex or ASCII format either as headers or footers indicating the start and end of a file. File types without footers might have a maximum file size specified. More information about different file signatures can be found in this [table by Gary Kessler.](https://www.garykessler.net/library/file_sigs.html)
**Header-footer or header-“maximum file size” carving—**Recover files based on known headers and footers or maximum file size
* JPEG—”**xFFxD8**″ header and “**xFFxD9**” footer
* GIF—”x47x49x46x38x37x61″ header and “x00x3B” footer
* PST—”!BDN” header and no footer
* If the file format has no footer, a maximum file size is used in the carving program
HxD Editor download (Freeware):
{% embed url="" %}
HxD Hexeditor
{% endembed %}
Image for Filecarving:
JPEG: Deleted, no thumbnails, not overwritten, unfragmented in free unallocated space
{% file src="" %}
### 2. Analysis
First we open the file carv1.bin with HxD Editor and search for the jpg header `FFD8FF`
After locating the jpg header we copy the offset and search for the jpg footer that starts with `FFD9`
We can now mark the whole block, copy the content and paste it in a new file:
Save the file as `extracted.jpg` and have a look for the result:
