Unlocking Hidden Data: A Guide to File Carving with ATRIO

Understanding File Carving and Unallocated Space

In digital forensics, file carving is a method for recovering deleted or hidden files from storage devices. This technique is particularly useful when dealing with unallocated space—a portion of a hard drive or storage device that the file system no longer recognizes as containing active data. However, this does not mean the data is permanently erased. Instead, it remains on the drive until new data overwrites it, making file carving a critical forensic tool for retrieving potentially valuable evidence.

Allocated vs. Unallocated Space

  • Allocated Space: This is the portion of the storage device that the file system has designated for actively stored files. When a file is created or modified, it resides in allocated space, meaning it is easily accessible through the operating system.

  • Unallocated Space: This refers to areas of a storage device that are not currently assigned to active files. When a file is deleted, its data remains in unallocated space until new data overwrites it. Because of this, forensic tools like ATRIO can extract and recover these files by scanning for recognizable file structures and signatures.

ATRIO simplifies this process by offering built-in file carving capabilities. Depending on the selected options, ATRIO can extract unallocated space for later analysis or use its built-in carver to recover hidden or deleted files. This process can also be applied to E01 forensic images stored on the source drive. However, the bit-by-bit nature of file carving can add significant processing time to forensic analysis.

Extracting Unallocated Space

One of the fundamental steps in file recovery is isolating the unallocated blocks from each partition. ATRIO allows users to extract this data into a separate raw file, which a file carver of their choice can then process.

Steps to Extract Unallocated Space:

  1. From the Main Menu on the keypad, select FILE CARVING > EXTRACT/UNALLOC.

  2. Once the EXTRACT/UNALLOC button outline turns green, hit the BACK button.

  3. When ready, press the green GO button to start the extraction.

Note: If working with E01 forensic images, select E01/DD AS SOURCE before proceeding.
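
A carver that processes the extracted raw file works by scanning it for known header and footer signatures. The following is an added example, not ATRIO's code or part of the original article: a minimal JPEG/PNG header/footer carver in Python, run over a constructed byte buffer that stands in for the extracted unallocated data. The function names and sample contents are assumptions made for illustration.

```python
import hashlib

# Well-known header/footer magic bytes for two common file types.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 20 * 1024 * 1024  # footer search window, so a lost footer cannot run away


def carve(data, signatures=SIGNATURES, max_size=MAX_SIZE):
    """Return (type, offset, bytes) for every header..footer span, ordered by offset."""
    hits = []
    for ftype, (header, footer) in signatures.items():
        pos = data.find(header)
        while pos != -1:
            end = data.find(footer, pos + len(header), pos + max_size)
            if end != -1:
                end += len(footer)
                hits.append((ftype, pos, data[pos:end]))
                pos = data.find(header, end)      # resume after the carved file
            else:
                pos = data.find(header, pos + 1)  # no footer in window: skip this header
    return sorted(hits, key=lambda h: h[1])


def sample_unallocated():
    """Constructed sample: zero-filled blocks with a fake JPEG and PNG embedded."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-constructed-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"constructed-chunks" + b"IEND\xaeB`\x82"
    orphan = b"\xff\xd8\xff\xe0" + b"truncated"   # header whose tail was overwritten
    return (b"\x00" * 512 + jpg + b"\x00" * 1024 + png
            + b"\x00" * 256 + orphan + b"\x00" * 64)


def report(hits):
    """Offset, type, size and SHA-256 per carved file, for the examiner's notes."""
    return [(off, t, len(b), hashlib.sha256(b).hexdigest()) for t, off, b in hits]


if __name__ == "__main__":
    for off, ftype, size, digest in report(carve(sample_unallocated())):
        print(f"offset={off:#x} type={ftype} size={size} sha256={digest}")
```

Header/footer matching only recovers files stored contiguously; fragmented files, and JPEGs that embed a thumbnail with its own end marker, need a structure-aware carver.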

Performing Unallocated Carving

If time permits, ATRIO can recover files from unallocated space using file type signatures. Extracted files are stored within designated folders in the overall collection results. Since the amount of recovered data can vary, ensure sufficient storage space is available on the destination drive.

Steps to Perform Unallocated Carving:

  1. From the Main Menu on the keypad, select FILE CARVING > CARVE/UNALLOC.

  2. Once the CARVE/UNALLOC button outline turns green, hit the BACK button.

  3. When ready, press the green GO button to begin.

Note: This option includes both extraction and carving, meaning ATRIO will simultaneously extract and carve the unallocated space.

Carving the Entire Drive

In cases where the evidence drive has a corrupted or unknown file system, ATRIO can perform file recovery across the entire drive. This ensures no potential evidence is overlooked, regardless of whether the files reside in allocated or unallocated space.

Steps to Carve the Entire Drive:

  1. From the Main Menu on the keypad, select FILE CARVING > CARVE/ENTIRE DRIVE.

  2. Once the CARVE/ENTIRE DRIVE button outline turns green, hit the BACK button.

  3. When ready, press the green GO button to start the carving process.

Maximizing Success with ATRIO’s File Carving Features

File carving is an invaluable tool in digital forensics, enabling investigators to recover hidden or deleted files that may otherwise remain undetected. With ATRIO, forensic professionals can efficiently extract and analyze unallocated space, ensuring no evidence is left behind. ATRIO’s advanced capabilities streamline the investigative process and enhance data recovery efforts, whether dealing with standard forensic images or unknown file systems.

Stay ahead in digital forensics by leveraging ATRIO’s powerful file-carving features to uncover hidden data and strengthen your investigations!

Do you have a question about this or one of the many other ATRIO capabilities? Contact us today!
