Running head: DATA CARVING 1

Data Carving

Lorenze Salas

Keith Swanson
DATA CARVING 2

Data Carving

To do this assignment, I gathered the following types of files: word document, excel

spreadsheet, MP4, PDF, JPEG and PNG file into one specific folder. Then I opened up

AccessData FTK Imager to being searching the data carving. Data Carving is a process of

“reconstructing files by scanning the raw bytes of the disk and reassembling them” (Warlock,

2018). It can be examined through the header (beginning) and footer (end) of the hex editor.

Once FTK Imager is launched, I went to File and add physical drive as my evidence

item. Then I opened the partitions 3  NONAME [NTFS]  Users  Loren  Downloads

 Data

Carving. It shows a full list of files that was in the folder earlier.
DATA CARVING 3

Then this article guides

me through how to determine

header and footer of a particular

file. I went to the jpeg file and

scanned through the hex editor in

the bottom of the FTK Imager

software. I stumbled upon the

header of the first few bytes and

footer of the last few bytes. I

opened a Google, then search “FF

D8 FF DB 00” and it matched

JPEG data. I repeat the same step for the next 5 files.

File Type Screenshots Header File Signature

MP4 00 00 00 18 66 74 79
70

Excel 50 4B 03 04 14 00 06
Spread 00
Sheet
DATA CARVING 4

Word 50 4B 03 04 14 00 06
document 00

PNG 89 50 4E 47

PDF 25 50 44 46
DATA CARVING 5

References

Warlock. (2018, February 4). File carving. Infosec

Resources. https://resources.infosecinstitute.com/topic/file-carving/