Complex carving overview
Difference between filesystem recovery, simple carving, and complex carving
There are several types of data recovery tools dealing with files and filesystems:
- Filesystem recovery tools.
This class includes all the general-purpose recovery software out there.
Filesystem recovery tools do unformat and undelete, producing valid or close to valid directory trees and file names.
Examples: ZAR, ReclaiMe, R-Studio.
- Simple carving tools.
Simple carving tools look for file headers (to identify file starts)
and footers (to identify where the file ends)
without considering any filesystem metadata.
The algorithm is straightforward, fast, and easy to implement.
Standalone examples of this class are few and far between.
Mostly, simple carving is integrated into general-purpose recovery software.
ZAR implements simple header-footer carving for its free image recovery mode.
- Complex carving tools.
Complex carving tools try to reconstruct valid files by examining the file content in various ways.
The algorithms involved are far more complex than a simple header-footer scan.
Aside from the Klennet Carver, another notable example is CnW recovery.
The significant difference between carving and traditional filesystem-based recovery (like what ZAR does) is this:
- Traditional file recovery knows the format of the filesystem being recovered.
A filesystem recovery tool is made to understand specific filesystems (like FAT or NTFS).
It knows nothing about what is inside the files.
- A carving tool, on the contrary, is made to understand specific file formats (like JPEG or ZIP).
It knows nothing about what is outside the files, about the filesystem and its metadata.
This difference allows carving tools to work even when damage to the filesystem is outside the design parameters
for filesystem recovery or when the filesystem is damaged so severely that filesystem-based recovery is impossible.
There is a further difference, this time between simple and complex carving algorithms:
- Simple carving only works for contiguous files.
Simple carving only recovers files that are stored contiguously on the media.
If the file is split into two or more fragments, which happens quite often, only the first part of the file is recovered.
For an image file like JPEG, this results in an image where only the top part is visible,
and the bottom part is either blank or distorted.
- Complex carving works for fragmented files.
When the file is split into several fragments, a complex carving tool employs various methods to find the second fragment
and then merge fragments into a valid file. For some files, the process might involve the reconstruction of headers or similar
activities.
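The failure mode described above, as an added example (not code from ZAR, Klennet Carver, or any other tool named on this page): a minimal header-footer carver run over a constructed media image. The 512-byte sector size, the filler bytes, and the layout are assumptions chosen for illustration; only the JPEG SOI/EOI marker values are real.

```python
SECTOR = 512
SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus first byte of the next marker
EOI = b"\xff\xd9"       # JPEG end-of-image marker

def make_file(fill, sectors):
    """Constructed stand-in for a JPEG: SOI, filler, EOI, exactly `sectors` long."""
    body_len = sectors * SECTOR - len(SOI) - len(EOI)
    return SOI + fill * body_len + EOI

def simple_carve(image):
    """Header-footer carving: no filesystem metadata, no content validation."""
    found = []
    pos = 0
    while pos < len(image):
        if image.startswith(SOI, pos):            # look for headers on sector boundaries
            end = image.find(EOI, pos + len(SOI))
            if end == -1:
                break
            end += len(EOI)
            found.append((pos, image[pos:end]))   # everything between header and footer
            pos = -(-end // SECTOR) * SECTOR      # resume at the next sector boundary
        else:
            pos += SECTOR
    return found

def good_prefix(carved, original):
    """Number of leading bytes of the carved file that match the original."""
    n = 0
    for a, b in zip(carved, original):
        if a != b:
            break
        n += 1
    return n

# Constructed image: file A is contiguous, file B is split by one foreign sector.
file_a = make_file(b"A", 2)
file_b = make_file(b"B", 3)
foreign = b"x" * SECTOR                           # sector belonging to an unrelated file
image = file_a + file_b[:SECTOR] + foreign + file_b[SECTOR:]

def demo():
    (off_a, carved_a), (off_b, carved_b) = simple_carve(image)
    return carved_a == file_a, good_prefix(carved_b, file_b), len(carved_b)

if __name__ == "__main__":
    print(demo())
```

The contiguous file comes back byte-for-byte; the fragmented one is carved as 2048 bytes of which only the first 512 match the original, because the carver copies the foreign sector as if it belonged to the file.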
Benefits of complex carving
Complex carving recovers fragmented files, which are not recoverable by any other method.
- On a typical camera memory card, Klennet Carver recovers more files, usually 10% to 20% more;
- High-resolution images benefit more from complex carving than low-resolution thumbnails.
Disadvantages of complex carving
Obviously, while indispensable in some cases, complex carving is not a silver bullet:
- No file names: neither simple nor complex carving algorithms produce file names or folder structure.
- Some files cannot be recovered by any method because part of the data is not there.
If part of the file data is overwritten, this part cannot be recovered.
If the file is in several fragments, and some fragment in the middle is overwritten,
typically nothing past that destroyed fragment can be recovered.
- Complex carving is very CPU-intensive. Even small media require a long time to process.
- Fragment merging algorithms are not perfect.
This may sometimes result in the wrong parts of the images being merged together.