File Carving Overview

In this video, we are going to cover file carving, introducing unallocated and slack disk space and how to extract and identify deleted files. Then we are going to cover the Windows Recycle Bin and a tool to examine it, Rifiuti2. We are then going to show how to use Foremost and other file carving tools to automatically recover deleted files, and Bulk Extractor to retrieve a large amount of information by scanning the disk image at the raw level.

  • The first step is an overview of the file carving process, introducing concepts like unallocated disk space and file slack space and the theory behind the identification of deleted files. Then it covers how to examine the Recycle Bin with Rifiuti2.
  • The second step covers how to recover a deleted file with TSK and then some automated file carving tools such as Foremost, Scalpel and PhotoRec.
  • The final step covers the Bulk Extractor tool, which extracts a large amount of information from the raw disk image, bypassing the filesystem.
