File Carving & Recovery
File carving is the process of recovering files from raw data (disk images, memory dumps, or corrupted files) without relying on file system metadata. In CTFs, this is useful for:
- Recovering deleted files
- Extracting files from memory or disk dumps
- Analyzing partially corrupted archives
Key concept: Carving relies on file signatures/magic bytes and structure, not file tables.
- Extract data using foremost: `foremost -i disk_image.img -o recovered/`
- Extract data using binwalk: `binwalk -e mystery_file`
- Extract data using dd: `dd if=disk_image.img of=recovered_file.bin bs=1 skip=1024 count=1024`
| Tool | Purpose |
|---|---|
| foremost | Carves files from raw data by signature |
| binwalk | Extracts embedded files from images, firmware, etc. |
| dd | Extracts raw byte ranges from disk or memory dumps |
| hexdump / xxd | Inspects raw bytes |
| ImHex / 010 Editor | Hex editors for inspecting and repairing file headers |
Foremost is a signature-based carving tool: it scans the input for known headers and writes out everything up to the matching footer (or a size limit) as a separate file. Example:
`foremost -i disk_image.img -o recovered/`
- -i: input file (raw disk, memory dump, or corrupted file)
- -o: output directory (must not already exist unless you pass -T or remove it first)
- The default configuration carves common file types (jpg, png, gif, pdf, zip, etc.); use -t to restrict to specific types, e.g. `-t jpg,png`
- Check audit.txt in the output directory: it lists each carved file with the offset it was found at, which is what you need for a manual dd extraction later
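The header/footer logic foremost applies, as an added Python example that is not foremost's code: it scans a raw image for PNG, JPEG and PDF signatures, carves every header-to-footer span it finds, and names the output by byte offset. The signature table (three types only), the output naming scheme, and the sample image with three embedded files are constructed here for the demonstration.

```python
import os
import struct
import sys
import zlib

# Header/footer pairs for a few common types (the same idea as foremost's
# default config, trimmed to three entries for this example).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}


def carve(data, max_size=10 * 1024 * 1024):
    """Return [(type, offset, blob)] for every header whose footer follows within max_size bytes."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := data.find(header, pos)) != -1:
            end = data.find(footer, start + len(header), start + max_size)
            if end == -1:
                # Header with no footer in range: skip it but keep scanning past it.
                pos = start + 1
                continue
            end += len(footer)
            found.append((ftype, start, data[start:end]))
            pos = end  # do not re-carve the inside of a file we just carved
    return sorted(found, key=lambda f: f[1])


def carve_to_dir(data, outdir):
    """Write each carved file as <outdir>/<offset>.<type> (our naming scheme) and return the paths."""
    os.makedirs(outdir, exist_ok=True)
    paths = []
    for ftype, offset, blob in carve(data):
        path = os.path.join(outdir, f"{offset:08d}.{ftype}")
        with open(path, "wb") as fh:
            fh.write(blob)
        paths.append(path)
    return paths


# --- constructed sample image (not a real dump) -----------------------------
def _png_chunk(tag, body):
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))


# A valid 1x1 RGB PNG.
PNG_SAMPLE = (
    SIGNATURES["png"][0]
    + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))  # filter byte + one red pixel
    + _png_chunk(b"IEND", b"")
)
# SOI + APP0 (JFIF) + EOI: enough structure to carve, not a decodable picture.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
PDF_SAMPLE = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF"
# Three files scattered through zero-fill, slack bytes and text, like a small disk image.
SAMPLE_IMAGE = (
    b"\x00" * 512 + PNG_SAMPLE + b"\xcc" * 200 + JPEG_SAMPLE
    + b"lorem ipsum " * 20 + PDF_SAMPLE + b"\x00" * 64
)

if __name__ == "__main__":
    # usage: python carve.py disk_image.img recovered/   (no args: carve the built-in sample)
    # The whole image is read into memory; fine for CTF-sized dumps, not for multi-GB disks.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
        outdir = sys.argv[2]
    else:
        image, outdir = SAMPLE_IMAGE, "recovered"
    for path in carve_to_dir(image, outdir):
        print(path)
```

The footer search is bounded by max_size so a header whose footer was overwritten does not swallow the rest of the image; that bound is the reason foremost has per-type size limits in its config, and it is why a header-only type such as a raw ELF or a fragmented file still needs dd and a hex editor.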
Binwalk scans a file for embedded file signatures (archives, images, filesystems, compressed blobs) and can extract what it finds. Example:
`binwalk -e mystery_file`
- -e: extract embedded files automatically
- Extracted data lands in a folder named `_mystery_file.extracted/` next to the input
- Run `binwalk mystery_file` without -e first to see the signature listing with offsets; if automatic extraction fails for a region, use those offsets with dd
Sometimes files don’t match a standard signature, or you already know the exact offset (from a foremost audit.txt or a binwalk listing) and need precise extraction.
Example: Extract bytes 1024–2047 from disk_image.img
`dd if=disk_image.img of=recovered_file.bin bs=1 skip=1024 count=1024`
- if: input file
- of: output file
- bs: block size
- skip: number of blocks to skip before reading
- count: number of blocks to copy
skip and count are measured in blocks of bs bytes, so bs=1 gives byte precision; for large extractions use a bigger block size when the offset and length allow it (bs=512 skip=2 count=2 covers the same range), because bs=1 is slow. Use hexdump or xxd to verify the header before and after extraction, e.g. `xxd -s 1024 -l 16 disk_image.img` and `xxd -l 16 recovered_file.bin` should show the same magic bytes.
Sometimes the file headers are corrupt or invalid (a CTF staple is a zeroed or altered magic number). A hex editor like ImHex or 010 Editor can be used to overwrite the damaged bytes with the correct signature. Identify the intended type from structure further into the file rather than guessing: an IHDR chunk at offset 12 marks a PNG, an APP0/APP1 marker (ff e0 / ff e1) at offset 2 followed by "JFIF" or "Exif" marks a JPEG. After editing, confirm with `file` or by opening the result.
A list of file signatures can be found on Wikipedia: https://en.wikipedia.org/wiki/List_of_file_signatures
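The header-repair step above, as an added Python example (not code from the original page): it recognises a PNG or JPEG whose magic bytes have been destroyed by checking the structure that follows the signature, rewrites the signature, and then verifies the first PNG chunk's CRC as a cheap sanity check. The two damaged samples are constructed here; the function names and the command-line usage are this example's own.

```python
import struct
import sys
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8"


def looks_like_png(data):
    # Every PNG starts with an IHDR chunk after the 8-byte signature: a length
    # field of 13 at offset 8 and the tag "IHDR" at offset 12. Both survive
    # when only the signature has been damaged.
    return len(data) >= 16 and data[8:12] == b"\x00\x00\x00\x0d" and data[12:16] == b"IHDR"


def looks_like_jpeg(data):
    # JFIF/Exif JPEGs carry an APP0/APP1 marker right after SOI: ff e0 or ff e1
    # at offset 2, followed by "JFIF\0" or "Exif\0" at offset 6.
    return (len(data) >= 11
            and data[2:4] in (b"\xff\xe0", b"\xff\xe1")
            and data[6:11] in (b"JFIF\x00", b"Exif\x00"))


def repair_header(data):
    """Return (repaired_bytes, type); type is 'png', 'jpg', or None when nothing was changed."""
    if data.startswith(PNG_SIG) or data.startswith(JPEG_SOI):
        return data, None  # signature already intact
    if looks_like_png(data):
        return PNG_SIG + data[8:], "png"
    if looks_like_jpeg(data):
        return JPEG_SOI + data[2:], "jpg"
    return data, None  # unknown: leave it for manual inspection in a hex editor


def png_chunk_crc_ok(data, offset):
    """Check the stored CRC of the PNG chunk at offset; the first chunk sits at offset 8."""
    length = struct.unpack(">I", data[offset:offset + 4])[0]
    tag_and_body = data[offset + 4:offset + 8 + length]
    stored = struct.unpack(">I", data[offset + 8 + length:offset + 12 + length])[0]
    return zlib.crc32(tag_and_body) == stored


# --- constructed samples ----------------------------------------------------
def _chunk(tag, body):
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))


# A 1x1 PNG with its signature zeroed (IDAT omitted; only the header structure matters here).
CORRUPT_PNG = (b"\x00" * 8
               + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
               + _chunk(b"IEND", b""))
# A JFIF header whose SOI marker was overwritten with zeros.
CORRUPT_JPEG = b"\x00\x00" + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9"

if __name__ == "__main__":
    # usage: python fix_header.py damaged_file repaired_file   (no args: run on the samples)
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as fh:
            fixed, kind = repair_header(fh.read())
        if kind is None:
            sys.exit("header already valid or type not recognised; inspect it in a hex editor")
        with open(sys.argv[2], "wb") as fh:
            fh.write(fixed)
        print(f"restored {kind} signature -> {sys.argv[2]}")
    else:
        for sample in (CORRUPT_PNG, CORRUPT_JPEG):
            fixed, kind = repair_header(sample)
            print(kind, fixed[:8].hex())
```

The structural checks are deliberately stricter than "does it start with the magic": a challenge file can carry a correct signature and a mangled body, or the reverse, and only the chunk CRC (for PNG) or a successful decode tells you which half is broken.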