http://dx.doi.org/10.13089/JKIISC.2019.29.1.77

Study on File Recovery Based on Metadata According to Linux Kernel

Shin, Yeonghun (Department of Computer Engineering, Ajou University)
Jo, Woo-yeon (Department of Computer Engineering, Ajou University)
Shon, Taeshik (Department of Computer Engineering, Ajou University)
Abstract
Linux operating systems have recently come into increasingly wide use, ranging from automotive consoles, CCTV, IoT devices, and mobile devices, each running a different version of the kernel. Because these devices can serve as strong evidence in criminal investigations, there is a risk that evidence will be destroyed through file deletion. Ext filesystem forensics has been studied in depth because it can recover deleted files regardless of the kind of device. However, these studies have been carried out without considering the characteristics of the file system, which may vary depending on the kernel. This can lead to serious situations, such as impaired investigative ability and doubt cast on the admissibility of evidence, when an actual investigation attempts to analyze a different version of the kernel. Because investigations at the actual investigation site can involve various distributions and kernel versions of Linux file systems, the metadata changes that occur when files are deleted must be analyzed by Linux distribution and kernel version. Therefore, in this paper, we analyze the differences in metadata according to the Linux kernel as a solution to this problem and recover deleted files. Consequently, investigating agencies need to consider the metadata changes caused by differences in Linux kernel version when performing Ext filesystem forensics.
Keywords
Digital Forensics; Filesystem; Linux; Ext; File Recovery;