ProDiscover Notes Day 2 Lesson 2

Data Carving

When a file is deleted, the FAT or MFT information is lost, so there is no way to tell what clusters were used.

Although there are smart utilities like the one made by http://digital-assembly.com/, in practice it's good enough to just assume that the file is not fragmented, find the first sector, and take all the sectors until you reach an end-of-file marker (the footer) or a predetermined maximum size.

Here is a special forensic image designed to demonstrate data carving. It has only two files of active data, gumbo1 and gumbo2:

Cluster view shows that most of the clusters have been filled with the word SORRY, meaning there is no latent data there to use.

Here is a cluster containing a Gumbo file--the ASCII view shows a recipe. To start carving the slack space for more files, I clicked Tools, "Data Carving":

I specify the header and footer for a JPG file, and the file extension to apply to any files found:

It found 7 JPEG files:

Here are the files it found:

To do the search manually, use a Cluster Search for a Hex value:

That search finds the same seven files:

Here's what a JPEG header looks like in Cluster view:

Custom Carving Configuration Files

Here's an example file, listing data for several file types:

I can carve using that configuration file:

It takes longer this time:

And it finds the same seven JPEGs, plus four GIFs:

Here are the found files:

This is the report, saved in the same folder as the carved data files:

Now I created a custom configuration file from the evidence drive, finding all file types in use in the active data. The "Create CarveConfig File" option searches the MFT to find all the filetypes in use:

It takes some time:

Here are the file extensions it found:

I checked several file types, including JPG. Here, it's usually best not to search for a footer and to limit the header size.

This takes some time:

Now the config file is ready:

I start the custom configuration file carving:

This process took a long time--way too long. I gave up after 10 or 15 minutes:

It found thousands of files, as shown here:

The total was 70 GB. Obviously I did something wrong. I think the lack of footers made every file very big.
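As an added example, not part of these notes or of ProDiscover, the following Python reproduces the carving approach described above (find a header at a sector boundary, take sectors until the footer or a maximum size) against a small constructed image padded with SORRY sectors. Running it with and without a footer shows why footer-less carving inflates every hit to the maximum size. The filler, the fake JPEG blobs and the 4096-byte maximum are constructed values, not taken from the lesson's evidence file.

```python
SECTOR = 512
JPEG_HEADER = b"\xff\xd8\xff"   # JPEG SOI marker, as searched for in the lesson
JPEG_FOOTER = b"\xff\xd9"       # JPEG EOI marker


def carve(image, header, footer, max_size, sector=SECTOR):
    """Return [(offset, data)] for each header found at a sector boundary.

    Assumes unfragmented files. If footer is None or is not found within
    max_size bytes, the carve runs to max_size (or the end of the image).
    """
    found = []
    pos = 0
    while (start := image.find(header, pos)) != -1:
        if start % sector:            # mid-sector hit: not a file start, skip it
            pos = start + 1
            continue
        limit = min(start + max_size, len(image))
        end = limit
        if footer is not None:
            hit = image.find(footer, start + len(header), limit)
            if hit != -1:
                end = hit + len(footer)
        found.append((start, image[start:end]))
        pos = start + sector          # like a cluster search: every header is a candidate
    return found


def filler(n):
    """n bytes of the word SORRY, like the wiped clusters in the lesson image."""
    return (b"SORRY" * (n // 5 + 1))[:n]


def pad(data):
    """Pad data with filler up to the next sector boundary."""
    return data + filler(-len(data) % SECTOR)


def fake_jpeg(payload, with_footer=True):
    """Constructed JPEG-like blob: SOI marker, fake payload, optional EOI marker."""
    return JPEG_HEADER + b"\xe0" + payload + (JPEG_FOOTER if with_footer else b"")


def build_image():
    """Constructed image: two complete JPEGs and one truncated one (no footer)."""
    return b"".join([filler(SECTOR), pad(fake_jpeg(b"A" * 700)), filler(2 * SECTOR),
                     pad(fake_jpeg(b"C" * 1500)), filler(3 * SECTOR),
                     pad(fake_jpeg(b"B" * 100, with_footer=False)), filler(2 * SECTOR)])


def carved_sizes(footer, max_size=4096):
    """Sizes of the carves; compare footer=JPEG_FOOTER against footer=None."""
    return [len(d) for _, d in carve(build_image(), JPEG_HEADER, footer, max_size)]
```

With the footer, the two complete files come out at their true sizes (706 and 1506 bytes) and only the truncated one runs to the end of the image; with no footer, every hit becomes a 4096-byte carve full of SORRY filler, which is the blow-up seen in the custom carve above.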


Last modified 5-5-12 Sam Bowne