Klennet Storage Software

Filesystem awareness in Klennet Carver

A file carver is supposed to be filesystem-agnostic. The carving software is tailored to match file formats, not filesystems. It is not supposed to take any filesystem metadata into account, for the metadata may be missing, damaged, or incorrect.

Klennet Carver, however, has a concept of clusters. Clusters are blocks of several consecutive sectors used in filesystems to reduce management overhead. Klennet Carver does also require cluster sizes to be the power of two.

Working with clusters instead of sectors allows me to improve carving speed because the number of possible combinations to work through decreases significantly. However, there are certain drawbacks:

  • Klennet Carver cannot correctly analyze filesystems in which cluster sizes are not required to be a power of two. I can only think of one, though, namely the original HFS.
  • Complex configurations involving block-based RAID cannot be analyzed directly from disks if filesystem clusters are not aligned with RAID blocks (not sure how useful it can be anyway).
  • On tail-packing filesystems, the tails of files most likely cannot be extracted. Tail-packing filesystems are rare in the wild, though (reiserFS, maybe?).

Filed under: File carving.

Created Wednesday, October 11, 2017

Updated 20 May 2018

Copyright © 2017 - 2024 Alexey V. Gubin