Recovering deleted data, or “carving”, is an interesting digital forensics topic; I say “interesting” because there are a number of different approaches and techniques that may be valuable, depending upon your goals.
For example, I’ve used X-Ways to recover deleted archives from the unallocated space of a web server. A threat actor had moved encrypted archives to the web server, and we’d captured the password they used via EDR telemetry. The carving revealed about a dozen archives, which we opened using the captured password, which allowed our customer to understand what data had been exfil’d, and their risk and exposure.
But carving can be about more than just recovering files from unallocated space. We can carve files and records from unstructured data, or we can treat ‘structured’ data as unstructured and attempt to recover records. We did this quite a bit during PCI forensic investigations, and found a much higher level of accuracy/fidelity when we carved for track 1 and 2 data, rather than just credit card numbers.
We can also carve within files themselves. Several common file formats are essentially databases, and some are described as a “file system within a file”. As such, deleted records and data can be recovered from such file formats, if necessary.
I recently ran across a fascinating post from TheDFIRJournal regarding file carving from encrypted virtual disks. The premise of the post is that some file encryption/ransomware software does not encrypt entire files, but rather just part of each file, for the sake of speed. In the case of virtual disks, a partially encrypted file may mean that, while the disk itself is useable, there may be valuable evidence available within the virtual disk file itself.
I should note that I did recently see a ransomware deployment that used a “–mode fast” switch at the command line, possibly indicating that the entire file would not be encrypted, but rather only a specific number of bytes of the file. As such, with larger files, such as virtual disks, WEVT files, etc., there might be an opportunity to recover valuable data, so file and record carving techniques would be valuable, depending upon your specific investigative goals.
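To make the partially-encrypted-file premise concrete, here is an added Python example of my own (not code from TheDFIRJournal post or from any encryptor): it scores each block of an image by byte entropy, coalesces the ranges that still look like plaintext, and carves known headers only from those ranges. The block size, the entropy threshold and the constructed sample image are assumptions; the EVTX and ZIP magic values are real.

```python
import math
import random
from collections import Counter

BLOCK = 4096        # scan granularity (assumed); match the encryptor's chunk size if known
THRESHOLD = 7.5     # bits/byte (assumed); encrypted or random data sits close to 8.0
SIGNATURES = {"evtx": b"ElfFile\x00", "zip": b"PK\x03\x04"}  # EVTX file header, ZIP local header

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan_blocks(data, block=BLOCK, threshold=THRESHOLD):
    """Per-block (offset, entropy, likely_encrypted) across the whole image."""
    out = []
    for off in range(0, len(data), block):
        e = shannon_entropy(data[off:off + block])
        out.append((off, e, e >= threshold))
    return out

def plaintext_regions(data, block=BLOCK, threshold=THRESHOLD):
    """Coalesce adjacent low-entropy blocks into (start, end) ranges worth carving.
    Caveat: compressed plaintext also scores high, so 'high' means 'skip', not 'encrypted'."""
    regions = []
    for off, _, encrypted in scan_blocks(data, block, threshold):
        if encrypted:
            continue
        end = min(off + block, len(data))
        if regions and regions[-1][1] == off:      # extend the previous run
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((off, end))
    return regions

def carve_signatures(data, regions, signatures=SIGNATURES):
    """Search only the surviving plaintext ranges for known headers -> [(offset, name)]."""
    hits = []
    for start, end in regions:
        for name, magic in signatures.items():
            pos = data.find(magic, start, end)
            while pos != -1:
                hits.append((pos, name))
                pos = data.find(magic, pos + 1, end)
    return sorted(hits)

def build_sample():
    """Constructed stand-in for a virtual disk whose first 16 KiB a fast-mode encryptor
    overwrote (seeded random bytes as the 'ciphertext'), followed by untouched content."""
    rng = random.Random(1)
    encrypted_head = bytes(rng.getrandbits(8) for _ in range(4 * BLOCK))
    evtx_like = b"ElfFile\x00" + b"\x00" * (BLOCK - 8)      # header, then a zero-filled block
    zip_like = b"PK\x03\x04" + b"constructed payload " * 40
    return encrypted_head + evtx_like + zip_like + b"\x00" * (BLOCK - len(zip_like))
```

On a real image the entropy scan only narrows where to carve; the carved headers still need to be validated (e.g. parsing the EVTX chunk structure) before being treated as evidence.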
The premise raised in the article is not unique; in fact, I’ve run into it before. In 2017, when
This article has been indexed from Windows Incident Response