Manual Filecarving 2
Last updated
Was this helpful?
Last updated
Was this helpful?
There are various types of digital files from Microsoft Word’s .docx files to executable programs and images. File extensions help identify a file but they are not always reliable as they can easily be manipulated. Standardized file types have unique signatures used by the operating system to identify, classify and display them to the user. The signatures can be identified in hex or ASCII format either as headers or footers indicating the start and end of a file. File types without footers might have a maximum file size specified. More information about different file signatures can be found in this
Header-footer or header-“maximum file size” carving—Recover files based on known headers and footers or maximum file size
JPEG—”xFFxD8″ header and “xFFxD9” footer
GIF—”x47x49x46x38x37x61″ header and “x00x3B” footer
PST—”!BDN” header and no footer
If the file format has no footer, a maximum file size is used in the carving program
HxD Editor download (Freeware):
Image for Filecarving:
JPEG: Deleted, no thumbnails, not overwritten, unfragmented in full unallocated space.
First we open the file carv2.bin with HxD Editor and search for the jpg header FFD8FF
We find it at offset 13B6. In this second example we see that it is embedded in other data (other deleted or allocated files), this is more typical of what we might see.
After locating the jpg header we copy the offset and search for the jpg footer that starts with FFD9
We can now mark the whole block, copy the content and paste it in a new file:
Save the file as extracted2.jpg and have a look for the result:
