Chapter 6: File Recovery and Data Carving with foremost, Scalpel, and bulk_extractor
Now that we've learned how to create forensic images of evidence, let's take a look at the file recovery and data carving process using foremost, Scalpel, and bulk_extractor.
When we last covered filesystems, we saw that various operating systems use their own filesystems to store, access, and modify data. Storage media also use filesystems to do the very same thing.
Metadata, or "data about data," helps the operating system identify data. Metadata includes technical information, such as the creation and modification dates and the file type of the data. This data makes it much easier to locate and index files.
File carving retrieves data and files from unallocated space using specific characteristics, such as the file structure and file headers, instead of traditional metadata created by or associated with filesystems.
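The header-based approach described above, as an added example that is not from the book: a minimal Python header/footer carver run over a constructed buffer standing in for unallocated space. The function names, the max_size limit, and the sample bytes are assumptions for illustration; only the JPEG and PNG signatures are the real, well-known magic bytes.

```python
# Added example: carve files by header/footer signature, ignoring any
# filesystem metadata. The "unallocated space" below is constructed data.

SIGNATURES = {
    # type: (header magic bytes, footer magic bytes)
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(data, max_size=1024):
    """Return sorted (type, offset, bytes) hits for each header/footer pair.

    A header with no footer within max_size bytes is skipped; this is how a
    truncated or partly overwritten file appears to a carver.
    """
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := data.find(header, pos)) != -1:
            end = data.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1  # no footer in range: keep scanning
                continue
            end += len(footer)
            found.append((ftype, start, data[start:end]))
            pos = end
    return sorted(found, key=lambda hit: hit[1])

# Constructed sample files (not real images, just valid signatures).
JPEG = b"\xff\xd8\xff\xe0" + b"constructed-jpeg-body" + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"constructed-png-chunks" + b"IEND\xaeB`\x82"
TRUNCATED = b"\xff\xd8\xff\xe0" + b"overwritten"  # header only, no footer

def build_sample():
    """Constructed stand-in for unallocated space: filler plus three remnants."""
    return (b"\x00" * 512 + JPEG + b"\x00" * 100 + PNG
            + b"\x00" * 200 + TRUNCATED + b"\x00" * 2000)

if __name__ == "__main__":
    for ftype, offset, blob in carve(build_sample()):
        print(f"{ftype} at offset {offset}, {len(blob)} bytes")
```

The truncated JPEG header is found but not carved, because no footer appears within max_size bytes of it.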
As the name implies, unallocated space is an area...