Towards an Engineering Approach to File Carver Construction

File carving is the process of recovering files without the help of (file system) storage metadata. A host of techniques exist to perform file carving, often used in several tools in varying combinations and implementations. This makes it difficult to determine what tool to use in specific investigations or when recovering files in a specific file format. We define recoverability as the set of software requirements for a file carver to recover files in a specified file format. This set can then be used to evaluate what tool to use or which technique to implement, based on external factors such as file format to recover, available time, engineering capacity and data set characteristics. File carving techniques are divided into two groups, format validation and file reconstruction. These groups refer to different parts of a file carver´s implementation. Additionally, some techniques may be emphasized or omitted not only because of file format support for them, but based on performance effects that may result from applying them. We discuss a simplified variant of the GIF image file format as an example and show how a structured analysis of the format leads to design decisions for a file carver.