
Tuesday, March 6, 2012

Forensic Carving Tools - BackTrack

fatback

Fatback recovers deleted files from FAT filesystems (FAT12, FAT16 and FAT32). It reads a raw image of a FAT filesystem and writes every recoverable deleted file into a directory chosen by the user. Unlike the carvers further down this page it does not search for file signatures: it walks the directory entries that the filesystem marks as deleted but does not erase, and follows the cluster pointers that survive, so it gets back original filenames and paths, but only for files whose directory entry and data clusters have not yet been reused by newer writes. This is useful in investigations of Windows machines, since older Windows installs use FAT, and most USB flash drives are still formatted as FAT32. The example below takes a FAT filesystem image, writes fatback's log to a file chosen by the user (-l), prints verbosely to the terminal (-v), writes recovered files to a directory chosen by the user (-o), and automatically recovers every deleted file it finds (-a). Run it against an image or a read-only block device, never a mounted filesystem that is still being written to.
Example usage: fatback -a -v -l [logfile to output] -o [output directory] [image]

foremost

Foremost is a well known file carver. It takes raw image files, such as those created by dd, and scans them for known file headers (and footers, where the type has one) to recover files independently of the filesystem, so it also finds files whose directory entries are long gone. Carved files are written into an output directory chosen by the user, together with an audit.txt that records the offset and size of every carved file, which is what you cite in a report. The example below carves JPEG images from image.img (a dd image) into /root/Desktop/output/ with verbose output on the terminal. Foremost refuses to run if the output directory already exists and is not empty, so use a fresh directory for each run (or add -T to have the directory name timestamped).
Example usage: foremost -v -t jpeg -o /root/Desktop/output/ -i image.img

magicrescue

Magic Rescue is a program that searches a block device or filesystem image for "magic number" bytes and attempts to recover the files those magic numbers belong to. A magic number is the fixed sequence of bytes at the start of a file that identifies its type (for JPEG/JFIF files it is FF D8 FF E0 followed by "JFIF"). Each file type is described by a "recipe" that pairs the signature with the command used to extract the file; the recipes that ship with the tool live in /usr/local/share/magicrescue/recipes, and -r accepts either a recipe name from that directory or a path to your own recipe file. The example below uses the jpeg-jfif recipe, meaning it looks for JPEG files by their JFIF header. The output directory is /root/Desktop/output/, and the device being analyzed is /dev/sdb1, although any filesystem, partition or image file will do. If you point it at a real device, make sure the device is not mounted read-write, and prefer working from a dd image so the original evidence is never touched.
Example usage: magicrescue -r jpeg-jfif -d /root/Desktop/output/ /dev/sdb1

recoverjpeg

RecoverJPEG is a smaller, single-purpose utility that recovers only JPEG images. It takes its input either as a partition (like /dev/sda1) or as an image file, like those produced by dd. By default it writes the recovered pictures as numbered files (image00000.jpg, image00001.jpg, ...) into the current working directory, so cd into an empty output directory before running it. The example below recovers JPEG images found in the image.img file.
Example usage: recoverjpeg image.img

safecopy

Safecopy is a program used to recover as much data as possible from a damaged device, such as a failing hard drive or USB drive. Unlike dd, cat or cp, safecopy is built for media with read errors: plain dd (without conv=noerror,sync) aborts at the first unreadable sector, and cp and cat give up in the same way, while safecopy reads everything it can between the user-chosen start and end, identifies the unreadable areas, skips around them and records them so a later run can retry just those blocks. Its --stage1, --stage2 and --stage3 presets do exactly that: a fast first pass, then progressively more aggressive retries of only the blocks the previous pass could not read. The result is an image file, not a directory of files; you then run the carving tools on that image rather than on the dying drive. This example copies /dev/sdb1, an unmounted device that cp and dd fail on, into the image file /root/Desktop/rescued_files:

Example usage: safecopy /dev/sdb1 /root/Desktop/rescued_files

scalpel

Scalpel is a well known file carving utility that matches a database of known file header and footer signatures against a disk image and carves out the files it finds. Before using Scalpel, the scalpel.conf file has to be edited to tell it which file types you are looking for. The scalpel.conf that ships with the tool has every type commented out, so uncomment the line for each type you want; each line gives the extension, whether the signature match is case sensitive, the maximum size to carve, the header and, optionally, the footer. As with foremost, the output directory must not already contain files. This example uses a configuration file named scalpel.conf, searches the disk image file image.img, and writes all carved files to /root/Desktop/scalpel_results/

Example usage: scalpel -c scalpel.conf -o /root/Desktop/scalpel_results/ image.img
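To make concrete what foremost, magicrescue, recoverjpeg and scalpel all do underneath, here is an added example (not code from the original post, and not taken from any of those tools) of header/footer carving for JPEG in POSIX sh using od, awk and dd. It builds a constructed test image holding two tiny JPEG-shaped files and a decoy SOI marker with no footer, then carves by the JPEG start-of-image signature (FF D8 FF) and end-of-image footer (FF D9) under a maximum-size cap, which are the same three things a scalpel.conf line specifies. The function names, the image layout and the cap value are assumptions of this example.

```shell
#!/bin/sh
# Minimal header/footer carver for JPEG: the technique foremost, scalpel and
# magicrescue implement (added example; not the code of any of those tools).
# Scans the raw bytes of an image for the JPEG SOI marker FF D8 FF, then cuts
# from there to the next EOI marker FF D9, bounded by a maximum size so that a
# header with no footer cannot swallow the rest of the image.

# carve_jpeg IMAGE OUTDIR [MAXBYTES]
# Writes each carved candidate to OUTDIR/carved_<offset>.jpg and prints one
# "offset length" line per carved file (offsets are zero-based bytes).
carve_jpeg() {
    img=$1; outdir=$2; maxbytes=${3:-4194304}   # assumed default cap: 4 MiB
    mkdir -p "$outdir"
    # od turns the image into one stream of lowercase hex bytes; awk finds
    # SOI ... EOI pairs and prints "offset length" for each.
    od -An -v -tx1 "$img" | tr -s ' \n' '  ' |
    awk -v max="$maxbytes" '
    {
        n = split($0, b, " ")              # b[k] is the hex of byte at offset k-1
        i = 1
        while (i <= n) {
            if (b[i] == "ff" && b[i+1] == "d8" && b[i+2] == "ff") {
                start = i; end = 0; j = i + 3
                while (j < n) {            # b[j+1] must exist for the footer test
                    if (j + 2 - start > max) break   # footer this far out exceeds the cap
                    if (b[j] == "ff" && b[j+1] == "d9") { end = j + 1; break }
                    j++
                }
                if (end) {
                    printf "%d %d\n", start - 1, end - start + 1
                    i = end + 1            # resume after the carved file
                } else {
                    i++                    # no footer within the cap: treat as a false hit
                }
            } else {
                i++
            }
        }
    }' |
    while read off len; do
        dd if="$img" of="$outdir/carved_$off.jpg" bs=1 skip="$off" count="$len" 2>/dev/null
        echo "$off $len"
    done
}

# --- constructed sample input (not a real disk image) -----------------------

# fill COUNT CHAR: COUNT copies of CHAR, used as filler between the files.
fill() { awk -v n="$1" -v c="$2" 'BEGIN { for (i = 0; i < n; i++) printf "%s", c }'; }

# jpeg_bytes PAYLOAD: SOI, a 16-byte APP0/JFIF segment, PAYLOAD, EOI.
# The markers are valid, but this is not a decodable picture.
jpeg_bytes() {
    printf '\377\330\377\340\000\020JFIF\000\001\001\001\000\110\000\110\000\000%s\377\331' "$1"
}

# make_test_image PATH: filler, JPEG #1, filler, a bare SOI with no EOI
# (decoy), filler, JPEG #2, filler.  Offsets: JPEG #1 at 512 (35 bytes),
# decoy at 847, JPEG #2 at 1150 (36 bytes); 1286 bytes in total.
make_test_image() {
    {
        fill 512 .
        jpeg_bytes 'first picture'
        fill 300 x
        printf '\377\330\377'
        fill 300 y
        jpeg_bytes 'second picture'
        fill 100 z
    } > "$1"
}

# Demo: carve the constructed image with a 256-byte cap.
demo_dir=$(mktemp -d)
make_test_image "$demo_dir/disk.img"
carve_jpeg "$demo_dir/disk.img" "$demo_dir/carved" 256
rm -rf "$demo_dir"
```

With the 256-byte cap the decoy header at offset 847 finds no footer inside the cap and is skipped, and both pictures come out byte-for-byte intact. Without the cap the decoy's search runs on until it hits the second picture's FF D9, so the carver emits one 339-byte blob starting at the decoy and the second picture is never carved on its own. That is why every carver lets you set a maximum size per type, and it is also the weakness of plain footer matching: a JPEG with an EXIF thumbnail contains a second FF D9 inside it and gets cut short. The example reads the whole image into awk memory, which is fine for a demo; the real tools stream the data and do block-aligned searches.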

scrounge-ntfs

Scrounge-NTFS is a utility for recovering files from a damaged NTFS partition. Given the partition's start and end sectors (and, optionally, the cluster size and MFT offset), it walks the Master File Table, rebuilds the directory tree and writes the recovered files into an output directory, which must live on a different disk from the one being recovered. You need to know where the partition starts and ends: scrounge-ntfs -l [disk] lists the partition table, and scrounge-ntfs -s [disk] searches the raw disk for NTFS partition signatures when the table itself is gone. The sector numbers are relative to the device you name on the command line. The example below uses a cluster size of 8 sectors (4 KiB with 512-byte sectors, the most common value; it is always a power of two), sets the output directory to /root/Desktop/output/, reads from /dev/sdb1, and covers sectors 63 through 81920000, which at 512 bytes per sector is about 42 GB, so roughly a 40 GB disk.

Example usage: scrounge-ntfs -c 8 -o /root/Desktop/output/ /dev/sdb1 63 81920000

testdisk

TestDisk is a program that specializes in recovering lost disk partitions and repairing boot sectors so that disks boot again. It can rebuild partition tables, rewrite FAT and NTFS boot sectors, repair the NTFS Master File Table (MFT) from its mirror, undelete files from FAT, NTFS and ext2 filesystems, and more. Because it is menu-driven and does far more than the other tools here, rather than post a small example usage I would suggest working through its very thorough Step by Step Guide, and running it against a dd image or a read-only device until you are sure which repair you want to write back.
