Advanced data carving tools built into CnW Recovery software
Processing fragmented files
Smart data carving is the process of joining fragments of a file together. It is required when an operating system has failed and a file still exists, but in several places on the drive (or memory chip). There are easy ways to detect the start of a file, and often the end of the file, based on signatures and known sequences of bytes. The difficulty in extracting a file correctly is discovering the sections in the middle of the file. The tools for this are part of CnW software.
More than just file signature
File starts can be detected, and for several types of file, the file is then validated. Validation can be based on pointers found throughout a file, or may rely on just a length pointer at the start and a check of the end of the file. For several file types, when the file extracted from the start signature alone is deemed to be invalid, the data carving tools can be applied by selecting the Process Fragments option. The method of operation is different for each supported logical format, but the overall scheme is as below.
When the Data carve function is performed, sectors that are part of known good files are marked as used. It is an important part of the data carve function to verify as many file types as possible. Once a file is determined to be incomplete, it is analysed to determine how much of the file is valid. This might be just the first few KB, or 90%. Routines are then used to search areas of the disk that are apparently not used. The data in these sections is then tested to see if it is suitable. For instance, if a JPEG file was being repaired, a section of data with pure text could be skipped. Also, to improve the chances of good recovery, the starting sectors of files recovered correctly are analysed. This is used to determine the cluster size and location of files. By just looking at complete clusters, file fragments can be verified for suitability.
Video Fragments and data carving
For files such as most AVI files, data carving is fairly straightforward. The structure of the file has many sequential pointers, and so it is straightforward to determine if the next pointer is at the correct location within a cluster. For non-critical tasks, an AVI can also accept runs of unrelated data. The display may jump slightly, but overall the video will still display. However, there is a second version of AVI file where the camera stores the data first, followed by the header and indexes. A special recovery routine has been added to detect and recover such files. Files such as JPEGs are less friendly, and at times a JPEG may appear to be reconstructed when in fact the image is a mosaic.
The case of MP4 type files is more complex. For files stored on the hard drive, data carving often works, but for files on the original memory chip there can be big issues. CnW has a series of Wizard functions to do very intelligent data carving, which even allow for GoPro cameras with interleaved high and low resolution video streams.
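The sequential-pointer check described above can be sketched as follows. This is an added example, not CnW's code: the function names, the 512-byte cluster size, the chunk-length cap and the sample data are assumptions, and it assumes each chunk is smaller than a cluster so the break lies in the cluster holding the first bad pointer.

```python
import struct

CLUSTER = 512          # assumed cluster size for this demo
MAX_CHUNK = 1 << 24    # assumed sanity cap on one chunk's length

def plausible(fourcc):
    # AVI chunk IDs are four printable ASCII bytes, e.g. b"00dc" or b"LIST"
    return len(fourcc) == 4 and all(0x20 <= b < 0x7F for b in fourcc)

def walk(buf, pos):
    """Follow chunk pointers from pos; return (offset reached, chain_ok)."""
    while pos + 8 <= len(buf):
        fourcc, size = struct.unpack_from("<4sI", buf, pos)
        if not plausible(fourcc):
            return pos, False
        if fourcc in (b"RIFF", b"LIST"):
            pos += 12                        # step inside: ID, size, list type
        elif size <= MAX_CHUNK:
            pos += 8 + size + (size & 1)     # chunk data is padded to even length
        else:
            return pos, False
    return pos, True

def next_fragment(carved, candidates, cluster=CLUSTER):
    """Return (bytes known good, index of the candidate cluster that continues the file)."""
    bad, ok = walk(carved, 0)
    if ok:
        return len(carved), None             # pointer chain intact, nothing to repair
    boundary = bad - bad % cluster           # assumption: foreign data starts at this cluster
    want = bad - boundary                    # in-cluster offset of the next chunk header
    for i, cand in enumerate(candidates):
        if want + 8 <= len(cand) and walk(cand, want)[1]:
            return boundary, i
    return boundary, None

def demo():
    # Constructed sample: six 200-byte video chunks in a minimal AVI-like stream
    movi = b"".join(b"00dc" + struct.pack("<I", 200) + bytes([i + 1]) * 200
                    for i in range(6))
    stream = (b"RIFF" + struct.pack("<I", 16 + len(movi)) + b"AVI "
              + b"LIST" + struct.pack("<I", 4 + len(movi)) + b"movi" + movi)
    real = [stream[i:i + CLUSTER] for i in range(0, len(stream), CLUSTER)]
    text = (b"plain text from another file. " * 18)[:CLUSTER]
    carved = real[0] + text + real[1]        # contiguous carve runs into foreign data
    return next_fragment(carved, [text, bytes(CLUSTER), real[1]])

if __name__ == "__main__":
    print(demo())
```

In the constructed sample the text cluster and the zero-filled cluster are both rejected, and the cluster whose chunk header sits at the expected in-cluster offset is selected.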
Forensically, one has to be slightly cautious about automatic data carving, but for most users, the results are very useful. A recent test on a corrupted 2GB memory chip produced about 120 good files and 60 corrupted. After the data carving routine was run, about 40 corrupted files were reconstructed.
Carving on NTFS compressed disks
A very significant feature of CnW software is that, as it processes NTFS compressed clusters, it can carve files from NTFS compressed disks.