A scuba trip to Belize reveals the power of a digital forensics technique called ‘file carving.’
Working for a digital forensics and data recovery firm, I meet attorneys each month that are amazed at the data that we can recover. We routinely help law firms find digital evidence hidden by bad faith actors, providing the information needed to resolve civil disputes, often before they become full-blown lawsuits.
Much of the information we look for has been intentionally deleted. Even if the drive has been reformatted and repurposed, we often have success in finding hidden data.
One of the processes that we employ is “file carving,” a digital forensics technique that relies on the bit-by-bit analysis of digital media, a search performed without benefit of file directories provided by the file system. I first encountered the power of file carving a few months after a scuba trip. It all started a few years back, on a boat off the coast of Belize.
I was nearly through a seven day trip aboard a “live-aboard,” a dive boat that leaves port for an extended period of diving, venturing to pristine, lightly-visited reefs that day tripper can’t reach. Belize is an ideal location for amateur marine photography—the diving is world-class, with stunning coral reefs, abundant marine life, and crystal blue waters.
Disaster struck on the night of the fifth day. As I sat in the main cabin, editing the day’s photos, a colleague spilled a glass of water on the table next to my MacBook. Water splashed into an open USB port, instantly frying the motherboard. All the photos taken that week, which numbered in the hundreds, were gone!
Upon returning home, I brought the MacBook to Apple for repair, along with the explicit instructions to leave the hard drive untouched. One week later, my computer was ready for pick up; I was devastated to find out that they ignored my instructions and reformatted the hard drive. At this point, it seemed that all my photos were gone forever!
Because this laptop was also my main work computer, I had to forge ahead and restore my work files and reinstall the applications that I use regularly. I figured that there wasn’t any point fretting over the lost photos, so I continued to use my laptop as normal. I did this for three months.
It was a chance encounter with an old friend that was working in digital forensics that put me on a path to recovering my dive photos. Upon hearing my story of woe, he told me the photos were probably still on the hard drive. Hidden, yes, but still there.
He suggested a consumer-level tool that I could use to see if the photos were recoverable. I downloaded a trial version of the photo recovery software, and after a 30 minutes scan of my hard drive, the software had identified thousands of photos hidden in the unallocated spaces of my hard drive. The software had located every single lost dive photo. Every single one! In fact, the software found as many as six versions of each missing picture.
THE RECOVERED PHOTOS
Pictured below is a sample of photos that were recovered from the reformatted hard drive, months after they were considered lost forever.
WHY DID THIS WORK?
The software used a technique popular in digital forensics called “file carving.” It works by scanning every sector of unallocated hard drive space, hunting for the tell-tale signatures of popular graphics file formats like JPEGs, RAW, or PSDs. When the application encounters a target signature, it analyzes the file header to determine the location and length of the missing file. It is then a relatively trivial matter to reassemble the missing file.
REFORMATTED IS NOT THE SAME AS ERASED
You might be wondering, wasn’t that hard drive completely reformatted? Yes, it was, but that is not the same as erasing the data. Reformatting is more like removing a book’s table of contents—the guide to finding the relevant information is removed, but the underlying information is left intact and is still discoverable.
Something similar happens when you delete a file. The file is not actually destroyed, instead the entry in the table of contents is removed (or tagged as deleted). Information will remain in place until drive space is needed for new files. While data was undoubtedly overwritten by the restoration of my work applications and files, the majority of the drive remained untouched, even after three months of daily usage.
WHY SO MANY COPIES?
You might wonder why the recovery software was able to find so many copies of each photo. This is actually due to my photography workflow and the inner working of the photo processing software that I use. Typically, I would transfer RAW photo files from an SD card to the laptop’s desktop. I would then import the files into Adobe Lightroom for editing. Lightroom typically copies files into its library, maintaining originals and creating duplicates when edits are performed. During the editing process, multiple previews and thumbnails are created as well. A single file can be replicated a dozen times on a hard drive through the simple process of importing, editing, and previewing images.
WERE THESE RESULTS UNUSUAL?
You may be wondering if these results are unusual—as it turns out, these results were typical. It is important to realize that I was using a simple consumer-grade application. The tools that digital forensics professionals have are far more powerful. In many cases, they can recover noncontiguous files that are scattered on different parts of a hard drive. They may also be able to retrieve and repair partial files, extract valuable internal file metadata, and find files based on characteristic encoding schemas.
Additionally, forensic professionals use formal examination processes that preserve the integrity of recovered information so that it may be admissible as evidence in a court of law.
File carving is only one data recovery technique available to the digital forensics professional. Please contact us if you have any question about digital forensics, e-discovery, or data recovery. Data Narro helps businesses, law firms, and government agencies preserve and recover electronically stored information for the purposes of investigation, data analysis, and litigation support. We serve our Midwest clients from our headquarters in downtown Milwaukee.
WANT TO LEARN MORE?
Article: 7 Do’s and Don’ts of Preserving Digital Evidence for Civil Litigation
Article: Preserving Digital Evidence Before Your Digital Forensics Professional Arrives
Article: File Carving (A primer)