Four tools for File Carving in forensic analysis

Useful to extract files from inside disk and memory images


File carving is the process of reassembling computer files from fragments in the absence of filesystem metadata.


This is done by analyzing the raw data and identifying what it is (text, executable, PNG, MP3, etc.). There are different ways to do this, for example matching known file headers and footers.
It can be performed on image files or directly on a drive.

Bulk extractor

Bulk Extractor is a forensics tool that scans a disk image, a file, or a directory of files and extracts useful information without parsing the file system or file system structures. It can process different parts of the disk in parallel: the disk is split into 16 MiByte pages and one page is processed on each available core.

Bulk Extractor can be used to process any digital media like hard drives, SSDs, optical media, camera cards, cell phones and network packet dumps.

https://github.com/simsong/bulk_extractor


EVTXtract

EVTXtract is a Python script that tries to recover and reconstruct fragments of Windows Event Log files from raw binary data, including unallocated space and memory images.

It runs on Windows, Linux, and macOS.

https://github.com/williballenthin/EVTXtract


Foremost

Foremost is a console program to recover files. It was originally developed by the United States Air Force Office of Special Investigations and The Center for Information Systems Security Studies and Research, and was later released to the general public.

http://foremost.sourceforge.net/


Scalpel

Scalpel is a file carving and indexing application that runs on Linux and Windows: it performs file carving operations based on patterns that describe particular file or data fragment “types”. These patterns may be based on either fixed binary strings or regular expressions.

https://github.com/sleuthkit/scalpel
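The header/footer carving described at the top of the post, and the fixed-string patterns Foremost and Scalpel work from, as an added Python example that is not part of the original post or of any of these tools: it scans a constructed byte blob for the real PNG and JPEG magic bytes and cuts each file out at its footer, with a size cap so a header that has no matching footer does not swallow the rest of the image. The sample "unallocated space" and the tiny PNG builder are constructed here for the demonstration.

```python
import struct
import zlib

# Header/footer pairs for the types we carve. Values are the real PNG and JPEG
# magic bytes; this mirrors the fixed-binary-string patterns Scalpel and
# Foremost use, without any filesystem metadata.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

def carve(raw: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Scan raw bytes for each header and take the first footer after it.
    Returns dicts with type, offset and carved bytes, ordered by offset."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := raw.find(header, pos)) != -1:
            # Only look for the footer inside the size cap; a header with no
            # footer within it is a truncated or fragmented file and is skipped.
            end = raw.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1
                continue
            end += len(footer)
            found.append({"type": ftype, "offset": start, "data": raw[start:end]})
            pos = end
    return sorted(found, key=lambda f: f["offset"])

def minimal_png(w: int, h: int) -> bytes:
    """Build a small valid PNG (constructed sample input, not a real capture)."""
    def chunk(tag: bytes, body: bytes) -> bytes:
        crc = zlib.crc32(tag + body)
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", w, h, 8, 2, 0, 0, 0)   # 8-bit RGB
    rows = b"".join(b"\x00" + b"\xff\x00\x00" * w for _ in range(h))
    idat = zlib.compress(rows)
    return SIGNATURES["png"][0] + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

# Constructed "unallocated space": filler around one PNG and one JPEG stub.
SAMPLE_IMAGE = (b"\x00" * 512 + minimal_png(2, 2) + b"junk" * 64
                + b"\xff\xd8\xff\xe0" + b"\x11" * 100 + b"\xff\xd9" + b"\x00" * 256)

if __name__ == "__main__":
    for f in carve(SAMPLE_IMAGE):
        print(f"{f['type']} at offset {f['offset']}, {len(f['data'])} bytes")
```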
