http://dx.doi.org/10.13089/JKIISC.2019.29.4.835

A Study of Verification Methods for File Carving Tools by Scenario-Based Image Creation  

Kim, Haeni (Information Security Lab, GSI, Yonsei University)
Kim, Jaeuk (Information Security Lab, GSI, Yonsei University)
Kwon, Taekyoung (Information Security Lab, GSI, Yonsei University)
Abstract
File carving is a technique for attempting to recover files without metadata, for example from formatted storage media or a damaged file system; it generally looks for a file's specific header/footer signatures and data structures. However, file carving has long faced the problem of recovering fragmented files, and proposing a solution is very important for digital forensics because important files are relatively fragmented. To overcome these limitations, various carving techniques and tools are continuously being developed, and data sets from various research efforts and institutions are provided for functional verification. However, existing data sets are ineffective for verifying tools because of their limited environmental conditions. Therefore, this paper addresses the importance of fragmented file carving and develops 16 scenario-based images for carving tool verification. The carving rate and accuracy for each medium of the developed images are shown using Foremost, which is well known as a commercial carving tool.
Keywords
Forensics; File Carving; Tool Testing; Recovery;