http://dx.doi.org/10.3745/KTCCS.2016.5.12.463

A Study to Improve Recovery Ratio of Deleted File Using the Parsing Algorithm of the HFS+ Journal File

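Bang, Seung Gyu (Department of Information Security, Graduate School of Information Security, Korea University)
Jeon, Sang Jun (Department of Information Security, Graduate School of Information Security, Korea University)
Kim, Do Hyun (Department of Information Security, Graduate School of Information Security, Korea University)
Lee, Sang Jin (Graduate School of Information Security, Korea University)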
Publication Information
KIPS Transactions on Computer and Communication Systems / v.5, no.12, 2016, pp. 463-470
Abstract
With the growing demand for Mac-based systems, the need for digital forensic techniques for these systems has been increasing. During digital forensic analysis, analysts sometimes have to recover deleted files to prove allegations when a system user has deliberately tried to remove evidence. Research on recovering deleted files from file systems has been ongoing, and HFS+, the file system of Mac-based systems, has also been studied. Carving techniques have primarily been used to recover deleted files from HFS+, because a characteristic of HFS+ is that when a file is deleted, its metadata is overwritten by the metadata of other folders or files. However, if the file content is stored in fragmented form in the file system, carving techniques cannot recover all or part of the deleted file. In this paper, we describe a deleted file recovery technique that uses the HFS+ file system journal. This technique, proposed in existing research, recovers deleted files using the metadata that remains in the journal of the HFS+ file system. However, this technique excludes specific files, and this problem needs to be addressed. We propose an algorithm that analyzes the journal of the HFS+ file system in detail. We demonstrate that deleted files can be recovered from the metadata extracted by this algorithm, without excluding those files.
Keywords
HFS+; HFS+ Journal; File Recovery; File System; Digital Forensic;