In Digital Forensics/Cyber Forensics and Data Recovery, we often need to recover lost or deleted unstructured files which is typically referred to as carving the files from data storage.  What does carving mean, and why is it called Data Carving, File Carving or Disk Carving depending on the context/conversation?  I have heard people use these terms interchangeably as if they all meant the same thing.  While I thought sure I understood the differences, I did some research to make sure that I wasn’t misinforming my readers.

I have often heard people use Disk Carving interchangeably with File Carving, but I can not find any place that this term has ever been defined Disk Carving.  I never really liked the term, because I have spent my career focused on unstructured files, and am not really interested in messing with disk formatting.  So, I’m going to create my own definition that makes the most sense to me.  I declare that Disk Carving is the carving of all data storage areas contained on a single disk drive/device, which includes partitions, volumes, unallocated disk space, Device Configuration Overlay (DCO), Disk Firmware Area (DFA) and any Host Protected Area (HPA).

Diagram of external file metadataFile Carving and Data Carving are also seemingly interchangeable terms.  My assumption was that File Carving is the old (80’s) term and Data Carving is the new more popular and maybe more encompassing term.  Much like Computer Forensics, Digital Forensics and Cyber Forensics.  But, that’s not what I found.  The best definition, and arguably the earliest and most concise, was published by Simson L. Garkinkel in 2007.  He wrote, “‘’File carving’’ reconstructs files based on their content, rather than using metadata that points to the content.”  This means that there would not be any residual directory structure left to point to the file’s first block, nor any pointers connecting each of the file’s sectors together, which could be used to track down parts of a deleted fragmented file.

How does Data Carving differ from these other terms?  The best explanation that I found was written by Yuri Gubanov, Danil Nikolaev & Igor Mikhailov in 2019.  They wrote, “File carving is an attempt to use the file header to reconstruct the whole file. If a file header were damaged, recovery of a file would be impossible.”  Next they added, “Data carving can be seen as carving of parts of a file in order to try to collect bits of data that might be relevant to the case. Data carving is possible even if a file header is damaged, or if a file is fragmented or damaged.”  So, Data Carving identifies files without requiring a file header signature match.

I see Disk Carving as the high level/whole disk term, and File Carving as the lower level carving of individual files using file header signatures.  Then, Data Carving is the lowest level of identifying fragments of files without the file’s header present.

Next month, I will report on some additional terms that I am adding, to better describe our data carving feature that we are adding to our Dark Data Detective – Advanced Research tier.  Here’s a preview: Object Carving is our process of breaking files down into their individual objects/building blocks, to facilitate Data Carving.  Field Carving is the breaking down of objects, into their individual fields, to facilitate the carving of partial objects and to validate each recovered object.

Stay tuned, there is much more to come…



2 thoughts on “Data Carving vs File Carving vs Disk Carving

  • February 29, 2024 at 1:53 pm

    Wow, when are you going to release your Data Carving tool?

    • February 29, 2024 at 2:02 pm

      In March, I will write another post that goes into more detail about Data Carving methods. In April, I will post details about our Data Carving methods, and compare them to the existing industry methods. By the end of April, we will release our Data Carving solution in Dark Data Detective v4.05. The Advanced Researcher tier is required for Data Carving.

