3 Best File Carving Tools For Data Forensics Professionals

April 19, 2019

When we delete files from a computer or device, they are not completely lost until the storage locations that held them are erased during a device wipe. Many of their fragments remain in unallocated space and can, in theory, be reconstructed.

What is File Carving?
File carving is the process of reconstructing computer files from storage that has been formatted, or files that the user has effectively deleted. The software has to accurately collect the pieces from the large pool of data on a hard disk or other storage, even without helpful metadata indicators or other specific guidance.

File carving tools use markers such as headers and footers to identify the parts of a file. They rely on heuristics and probabilistic techniques to collect the required files, and advanced algorithms help to improve the recovery results further.

Though File Carving is largely based on guesswork, if we use the right tool with advanced features and capabilities, the file recovery outcomes will significantly improve and help bring order out of the chaos.


1 EVTXtract

If you are mainly looking for Microsoft Event Viewer logs, EVTXtract is perfect for you. It is one of the best tools available, and it recovers and reconstructs fragments of EVTX log files from raw binary data, memory images, and unallocated space.

In case you are unaware, EVTX records are stored in one of the most popular formats, but recovering them is still not that easy. This is because the files are encoded using a Microsoft-specific binary XML representation, and each record depends on the records found nearby. When we are dealing with corrupted or unallocated space, the recovery has to go through many phases.

EVTXtract is a Python script that you can easily run on any platform, including Windows, Linux, and macOS. Just invoke the script, provide the path to a binary image, and wait until EVTXtract writes its results to standard output.
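As an added illustration of the header and footer markers described earlier (this is not code from EVTXtract or from this article), the Python example below scans a raw buffer for the EVTX event record signature and accepts a hit only when the record's size field is repeated in its last four bytes. The record layout it assumes (4-byte signature, 32-bit size, 64-bit record number, 64-bit FILETIME, trailing size copy) follows the publicly documented EVTX format; the function names, the sample image, the record number, and the 64 KiB size bound are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_MAGIC = b"\x2a\x2a\x00\x00"    # EVTX event record signature (header marker)
HEADER = struct.Struct("<4sIQQ")       # signature, size, record number, FILETIME
MIN_SIZE = HEADER.size + 4             # header plus trailing size copy
MAX_SIZE = 0x10000                     # assumed bound: records live in 64 KiB chunks


def filetime_to_utc(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def carve_evtx_records(buf):
    """Return (offset, record_number, timestamp, size) for each plausible record."""
    hits = []
    pos = buf.find(RECORD_MAGIC)
    while pos != -1:
        if pos + HEADER.size <= len(buf):
            _, size, number, ft = HEADER.unpack_from(buf, pos)
            end = pos + size
            # Header check: the size must be sane and stay inside the image.
            if MIN_SIZE <= size <= MAX_SIZE and end <= len(buf):
                # Footer check: the last 4 bytes of a record repeat its size.
                (size_copy,) = struct.unpack_from("<I", buf, end - 4)
                if size_copy == size:
                    hits.append((pos, number, filetime_to_utc(ft), size))
        pos = buf.find(RECORD_MAGIC, pos + 1)
    return hits


def build_sample_image():
    """Constructed data: filler, one valid record, one bare signature, filler."""
    body = b"\x0f\x01\x01\x00" + b"A" * 60           # stand-in for binary XML
    size = HEADER.size + len(body) + 4
    ft = 132001056000000000                            # 2019-04-19 00:00:00 UTC
    record = HEADER.pack(RECORD_MAGIC, size, 1337, ft) + body + struct.pack("<I", size)
    decoy = RECORD_MAGIC + struct.pack("<I", 96) + b"\x00" * 120  # no size copy
    return b"\xff" * 512 + record + b"\x00" * 300 + decoy + b"\xff" * 64


if __name__ == "__main__":
    for offset, number, when, size in carve_evtx_records(build_sample_image()):
        print(f"offset={offset:#x} record={number} size={size} written={when.isoformat()}")
```

The decoy in the sample shows why a signature match alone is not enough: it carries the record signature and a plausible size but is rejected because the size is not repeated at the end.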