Manual data carving and file testing
It is always very desirable to have all recovery done automatically but as the reasons for failure are so numerous, at times it is essential to be able to have manual intervention. The manual system is part of the Forensic option and is a tool to assist in putting clusters together to make up a complete file. The times that it will be required most is when there are several files of the same type, in the same area of a disk. Often the only way to determine the correct sequence will be by putting clusters together and either viewing text, or checking pointers.
The data carving tool is entered from the log by clicking on the Verify column.
When the function starts it will load the current version of the file as stored on the disk. At the same it will create a copy as a working file and the two versions can be selected by the View disk or View file button.
The mode of operation is to work with clusters and so the cluster size selected is extremely important. This may be known from the operating system or may need to be determined by looking at the system log and seeing where files start. The tools then allow for clusters to be searched for strings and the result can be viewed. The new cluster may then be inserted at the correct location in the new copy file. For certain formats it is possible to run a file verify function that will give error messages if it cannot verify the file structure.
JPEG Data carving
To assist with recovering photos, the carving function also includes a JPG preview mode. This allows for a jpg file to be looked at to see if the possible clustered added make sense, ie the photo is correct. To determine where a failure exists there are two additional functions. Verify file may detect the location of an error, and the Cluster count for preview may be set to view just part of the file. This can be used to discover that the file is no longer valid after say cluster 0x1df. By changing the cluster count, only the first selected part of the file will be previewed and so the length may be determined. Additional clusters may then be searched for and appended.