Week 5 - Anti-Forensics Technique-2

Lab 4: SSD File Carving

Overview of the Lab

Jessica, a forensic investigator, is supposed to perform file carving on a forensic image file of an SSD acquired from a Windows filesystem. Law enforcement agents acquired the image from the machine of a suspect who is accused of performing nefarious activities. Now, the forensic

Lab Objectives

  • Understand how to perform SSD file carving on a Windows file system.
  • Understand how the TRIM functionality influences data recovery on an SSD.
  • Learn how to recover data from a Windows file system on an SSD when the TRIM functionality is disabled.

Tools Required

  • Autopsy tool for Windows
  • Forensic image files: all the images should be available in your CyberLab shared folder. Downloading the following could take some time.

PLEASE make sure to delete the image after you finish your lab to ensure there is enough space available on the machine for future use. Thanks.

How File Carving Works on SSDs

File carving on SSDs can be challenging due to the TRIM function. TRIM is a command that allows the operating system to inform the SSD which blocks of data are no longer in use and can be wiped internally. When TRIM is enabled, the SSD may erase those data blocks, making it impossible to recover deleted files. However, if TRIM is disabled, the data blocks are not immediately erased, allowing for potential recovery of deleted files through file carving.

What is File Carving?

File carving is a forensic technique used to recover files from unallocated space on a storage device without relying on file system metadata. It involves searching for file headers, footers, and other structures to reconstruct files that have been deleted or corrupted.
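The header/footer search described above, and the effect of TRIM on it, as an added example (not part of the original lab and not Autopsy's implementation). The three-sector disk image is constructed inline, and the TRIM-enabled case assumes trimmed blocks read back as zeros.

```python
# Added example: minimal header/footer carver over a raw image.
# Sample data is constructed; this is not how Autopsy is implemented.
JPEG_SOI = b"\xff\xd8\xff"        # JPEG start-of-image marker + next marker prefix
JPEG_EOI = b"\xff\xd9"            # JPEG end-of-image marker
MAX_SIZE = 10 * 1024 * 1024       # stop searching for a footer after 10 MiB
SECTOR = 512

def carve_jpegs(raw: bytes, max_size: int = MAX_SIZE):
    """Return [(offset, data)] for every header..footer span in raw bytes.

    No file system metadata is consulted: only byte signatures are used.
    """
    found, pos = [], 0
    while (start := raw.find(JPEG_SOI, pos)) != -1:
        end = raw.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            pos = start + 1       # header without footer: fragment or false hit
            continue
        end += len(JPEG_EOI)
        found.append((start, raw[start:end]))
        pos = end                 # resume scanning after the carved file
    return found

def build_image(trimmed: bool) -> bytes:
    """Constructed 3-sector image; sector 1 held a file that was deleted."""
    fake_jpeg = JPEG_SOI + b"\xe0" + b"constructed-sample-payload" + JPEG_EOI
    deleted = fake_jpeg.ljust(SECTOR, b"\x00")
    if trimmed:
        # Assumption: the SSD returns zeros for blocks released by TRIM.
        deleted = b"\x00" * SECTOR
    boot = b"\xeb\x52\x90NTFS".ljust(SECTOR, b"\x00")
    return boot + deleted + b"\x00" * SECTOR

if __name__ == "__main__":
    for label, trimmed in (("TRIM disabled", False), ("TRIM enabled", True)):
        hits = carve_jpegs(build_image(trimmed))
        print(f"{label}: {len(hits)} file(s) carved",
              [(off, len(data)) for off, data in hits])
```

With the deleted file's blocks still present, the carver recovers it from unallocated space by signature alone; once the blocks read back as zeros there is no header left to find, which matches what Task A and Task B show in Autopsy.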

Steps to Perform SSD File Carving

Task A: Recover Data from TRIM-enabled SSD Drive

  1. Open Autopsy software.
  2. In the Welcome window, click New Case.
  3. In the New Case Information window, provide the Case Name as SSD File Carving (Windows, TRIM enabled) and select the Base Directory where the case data will be stored. Click Next.
  4. Create a new folder (e.g., Image File Analysis) on the Desktop and save the case data in that folder. Click Browse to select this folder as the Base Directory and click Next.
  5. In the Optional Information section, provide the Case Number (e.g., w9) and Examiner Details. Click Finish.
  6. After the case is created, the Add Data Source window appears. Ensure that the Disk Image or VM File option is selected and click Next.
  7. In the Select Data Source section, click Browse and navigate to the lab folder\Task6. Select the file Windows_Evidence_SSD_TE.dd and click Open.
  8. In the Configure Ingest Modules section, select the options as required or leave them set to default. Click Next.
  9. Wait for Autopsy to analyse the image file. Once the analysis is complete, click the image file name (Windows_Evidence_SSD_TE.dd) to view its contents.
  10. Expand the image node to view its contents.
  11. Note that the tool does not carve any files from the TRIM-enabled SSD image file, demonstrating that file carving is not possible when TRIM is enabled.
  12. Close all windows related to Autopsy.

Task B: Recover Data from TRIM-disabled SSD Drive

  1. Re-launch Autopsy and repeat steps 2 to 7 from Task A, but with a different case number and image file.
  2. In the Open window, navigate to your folder\Task6, select the image Windows_Evidence_SSD_TD.dd and click Open.
  3. Continue with the default settings as explained above.
  4. Expand the Data Sources node in the left pane. The entry under Data Sources is named after the image file (Windows_Evidence_SSD_TD.dd).
  5. Click the image file name (Windows_Evidence_SSD_TD.dd) to view its contents.
  6. Wait for the tool to load the Carved Files folder. It takes about 10–15 minutes.
  7. Double-click the Carved Files folder in the right pane to view the carved files.
  8. Note that carved files can also be found under the Deleted Files option. Expand the Deleted Files node, select All, and scroll down to locate the carved files.
  9. To view the content of a carved file, select the file. Its content will be displayed in the lower pane of the tool window. You can export the file by right-clicking on it and selecting Export/Save.

Note: macOS enables TRIM by default for Apple SSDs. For third-party SSDs, TRIM is disabled by default but can be manually enabled.



Ali Jaddoa.

Copyright © 2026 • Created by Ali Jaddoa

Page last updated: Wednesday 11 February 2026 @ 11:12:30 | Commit: 3219b15