Copying out unallocated space with blkls, then carve for files

I am going to carve for files in the unallocated space.
For this I first want to copy out the unallocated space using blkls, then use C# to read the outputed text file and search for file signatures (start and stop signatures for example pictures).

My problem is that with the command blkls a extremly large fil is produced (several gb).

cd C:\Users\user\sleuth_kit\win32
blkls -o 1187840 myimage.001 > unallocated_1187840.blkls

I read in the manual that you could give start and stop. But I guess a image could go over several blocks? Any toughts on how this problem could be achieved?

The blkls command as you are using it just concatenated unallocated blocks into a single stream. By nature, the data within the stream is/can be fragmented. Therefore, your carver will have to look for both file footers, and absent those, stop carving at a predefined size.

If you don’t want to store the unallocated data as a file because of space limitations or you won’t be using it again, consider piping the data from blkls to your carving tool. In that way, you will only be storing the carved picture files, and not all of the unallocated space. This would work with a tool like scalpel and foremost, but not with photorec, I think.

If your carving tool is photorec, then it is capable of reading file systems and EWF image formats. Just point photorec at your image, no need to export unallocated. The benefit here, besides not having to first export unallocated, is that the file names for the carved files will reflect the volume block (or is it sector, I don’t recall) from which the file was carved.