In this chapter, we learned about file recovery and data extraction using three readily-available tools within Kali Linux. We first performed file carving using the very impressive Foremost, which searched the entire image for supported file types within the file header and footers. We then did the same using the newer Scalpel, but had to make a slight modification by selecting the file types we wished to carve. Both Foremost and Scalpel presented us with an audit.txt file summarizing the carve list and its details along with subfolders containing the actual evidence. 

Bulk_extractor is a wonderful tool that carves data and also finds useful information such as email addresses, visited URLs, Facebook URLs, credit card numbers, and a variety of other information. Bulk_extractor is great for investigations requiring file recovery and carving, together with either Foremost or Scalpel, or even both.

Now that we've covered file carving and recovery, let's move on to something more analytical. In the next chapter, we'll take a look at exploring RAM and the paging file as part of memory forensics, using the very powerful volatility. See you there!