Carving tools help you recover deleted files
If the filesystem is not completely destroyed, tools that evaluate the filesystem provide an important alternative to tools such as Foremost and Scalpel. The PhotoRec  recovery tool was developed by Christophe Grenier to rescue photos from corrupt Flash memory. PhotoRec will also work if the partition table is damaged.
Once PhotoRec has identified the filesystem, it extracts an enormous variety of file types. In addition to photo files, PhotoRec also restores EXE or ZIP files.
All told, the tool supports more than 180 file types. The program is controlled by means of a practical text menu, which reduces the danger of user errors. Unfortunately, PhotoRec cannot current analyze RAM dumps or swap files.
File carvers help forensic investigators extract deleted files. Foremost and Scalpel ignore the filesystem and can even restore data from RAM dumps and swap files. Their speed is quite amazing.
If the filesystem still exists, a tool such as PhotoRec is also useful for finding lost files.
- The Coroner's Toolkit: http://www.porcupine.org/forensics/tct.html
- The Sleuth Kit: http://www.sleuthkit.org
- Foremost: http://foremost.sf.net
- Scalpel: http://www.digitalforensicssolutions.com/Scalpel/
- PhotoRec: http://www.cgsecurity.org/wiki/PhotoRec
- FTimes: http://ftimes.sourceforge.net/FTimes/
- Foremost on the Forensics Wiki: http://www.forensicswiki.org/wiki/Foremost
- OCFA, The carve path zero-storage library and filesystem: http://ocfa.sourceforge.net/libcarvpath/
- DFRWS carving challenge: http://www.dfrws.org/2006/challenge/
Buy this article as PDF
New flaw in an old encryption scheme leaves the experts scrambling to disable SSL 3
Lennart Poettering wants to change the way Linux developers talk to each other.
Enterprise giant frees itself from ink and home PCs (and visa versa).
Mozilla’s product think tank sinks silently into history.
TODO group will focus on open source tools in large-scale environments.
New tool will look like GParted but support a wider range of storage technologies.
New public key pinning feature will help prevent man-in-the-middle attacks.
Carnegie Mellon researchers say 3 million pages could fall down the phishing hole in the next year.
The US government rolls new best-practice rules for protecting SSH.