Chapter 6: File Recovery and Data Carving with foremost, Scalpel, and bulk_extractor

Now that we've learned how to create forensic images of evidence, let's take a look at the file recovery and data carving process using foremost, Scalpel, and bulk_extractor.

When we last covered filesystems, we saw that various operating systems use their own filesystems to store, access, and modify data. Storage media also use filesystems to do the very same thing.

Metadata, or "data about data," helps the operating system identify data. Metadata includes technical information, such as the creation and modification dates and the file type of the data. This data makes it much easier to locate and index files.

File carving retrieves data and files from unallocated ...
