Which of the following techniques is the analyst using?

After examine a header and footer file, a security analyst begins reconstructing files by scanning the raw data bytes of a hard disk and rebuilding them.

Which of the following techniques is the analyst using?
A . Header analysis
B . File carving
C . Metadata analysis
D . Data recovery

View Answer

Answer: B

Explanation:

Three common types of file carving methods are as follows: Header- and footer-based carving, which focuses on headers like those found in JPEG files. For example, JPEGs can be found by looking for xFFxD8 in the header and xFFxD9 in the footer. Content-based carving techniques look for information about the content of a file such as character counts and text recognition. File structure-based carving techniques that use information about the structure of files.

File carving is a technique for recovering files from raw data bytes by scanning and rebuilding them based on their file headers and footers. File headers and footers are sequences of bytes that indicate the beginning and end of a file format, such as JPEG, PDF, ZIP, etc. File carving can be used to reconstruct files that are deleted, corrupted, fragmented, or encrypted by bypassing the file system structure and looking for recognizable patterns in the data3 The analyst used file carving to reconstruct files from a hard disk by scanning the raw data bytes and rebuilding them based on their file headers and footers.

Reference: 3 What Is File Carving? | Forensic Focus