Now that we’ve learned how to create forensic images of evidence, let’s take a look at the file recovery and data carving process using Foremost, Scalpel, and Bulk Extractor.
When we last covered filesystems, we saw that operating systems use their own filesystems to store, access, and modify data. Storage media use filesystems in the same way.
Metadata, or data about data, helps the operating system identify the data. Metadata includes technical information, such as the creation and modification dates, and the file type of the data. This information makes it much easier to locate and index files.
File carving retrieves data and files from unallocated space using specific characteristics such as file structure and file headers, instead of traditional metadata created...
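Carving by header and footer signatures rather than filesystem metadata, shown as an added example (not from the original text, and not how Foremost or Scalpel are implemented): a minimal Python carver run over a constructed byte buffer standing in for unallocated space. The signature table, the size cap, and the `carve` and `build_sample` names are assumptions made for illustration.

```python
# Header/footer signatures (magic bytes) for two common formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # assumed upper bound on the size of one carved file


def carve(raw, signatures=SIGNATURES, max_size=MAX_CARVE):
    """Return (type, offset, data) for each header..footer span found in raw bytes."""
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while (start := raw.find(header, pos)) != -1:
            # Look for the footer only within max_size bytes of the header.
            end = raw.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header with no footer in range: fragmented, truncated,
                # or a false positive. Skip it and keep scanning.
                pos = start + 1
                continue
            end += len(footer)
            found.append((ftype, start, raw[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])


def build_sample():
    """Constructed test data: zero filler, two files, and a stray header."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"constructed-chunks" + b"IEND\xaeB`\x82"
    stray = b"\xff\xd8\xff\xe1" + b"no footer follows"
    raw = b"\x00" * 512 + jpg + b"\x00" * 100 + png + b"\x00" * 64 + stray
    return raw, jpg, png


if __name__ == "__main__":
    raw, _, _ = build_sample()
    for ftype, offset, data in carve(raw):
        print(f"{ftype} at offset {offset}, {len(data)} bytes")
```

No filename, timestamp, or directory entry is consulted: the two files are recovered purely from their byte patterns, and the stray header without a footer is skipped instead of being carved to the end of the buffer.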