Advertisement

Analysis of Windows OS’s Fragmented File Carving Techniques: A Systematic Literature Review

  • Noor Ul Ain Ali
  • Waseem IqbalEmail author
  • Narmeen Shafqat
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 800)

Abstract

With the rise in digital crimes nowadays, digital investigators are required to recover and analyse data from various digital resources. Since the files are often stored in fragments owing to memory constraints, the information of the file system and metadata of the file is required to recover the file. However, in cases where the file system is destroyed intentionally or unintentionally, and the metadata is deleted as well, the recovery of the digital evidence is done by a special method known as carving. In file carving, files are recovered solely based on the information about the structure and content of the individual file rather than matching the system’s information of the file. The process of file carving in digital forensics first requires classifying and then arranging the blocks of data that are typically stored as a sequence of bytes in memory. But carving is only possible when the file is not damaged or corrupted otherwise carving is not possible. The aim of this research is to analyse various Windows OS’s file carving techniques used in Digital Forensics particularly for their strengths and weaknesses. This analysis leads to the need of explicitly designed file carvers for different types of files. A novel technique for carving Microsoft’s Word files (a compound format file which is least researched upon) has also been proposed in the document.

Keywords

File carving RAM forensics Compound format File fragmentation Carving 

References

  1. 1.
    Microsoft compound Document file format. Available at: https://msdn.microsoft.com/en-us/library/dd942138.aspx
  2. 2.
    Cohen, M.I.: Advanced carving techniques. Digit. Investig. 4(3–4), 119–128 (2007)CrossRefGoogle Scholar
  3. 3.
    Calhoun, W., Coles, D.: Predicting the type of file fragments, DFRWS USA S14-S20 (2008)Google Scholar
  4. 4.
    Pal, A., Memon, N.D.: The evolution of file carving. IEEE Signal Process. Mag. 26(2), 59–71 (March 2009)CrossRefGoogle Scholar
  5. 5.
    Foremost 1.53 [Online]. Available at: http://foremost.sourceforge.net
  6. 6.
    Nightingale, A.: A guide to systematic literature review. Surgery (Oxford). 27(9), 381–384 (September 2009)CrossRefGoogle Scholar
  7. 7.
    Sportiello, L., Zanero, S.: Context-based file block classification. i-Code: Real Time Malicious Code Identification; and by the EU Seventh Framework Program (FP7/2007–2013)Google Scholar
  8. 8.
    Lin, W., Xia, M.: A Microsoft word documents carving method base on interior virtual streams. Adv. Mater. Res. 433–440, 3028–3032 (2012)CrossRefGoogle Scholar
  9. 9.
    AI-Sadi, A., Yahya, M.B., Almulhem, A.: Identification of image fragments for file carving. In: 2013 World Congress on Internet Security (WorldCIS) (2014)Google Scholar
  10. 10.
    Zha, X., Sahni, S.: Fast in-place file carving for digital forensics. In: Part of International Conference of Forensics in Telecommunications, Information, and Multimedia, pp. 141–158 (2010)Google Scholar
  11. 11.
    Roussev, V., Garfinkel, S.L.: File fragment classification—the case for specialized approaches (10 Jul 2014)Google Scholar
  12. 12.
    Garfinkel, S.: Carving contiguous and fragmented files with fast object validation. In: Proceedings of 2007 Digital Forensics Research Workshop (DFRWS), Pittsburgh, PA, pp. 4S:2–12 (Aug 2007)Google Scholar
  13. 13.
    Roux, B.: Reconstructing textual file fragments using unsupervised machine learning technique. University of New Orleans Theses and Dissertations. 881 (Dec 2008)Google Scholar
  14. 14.
    Poisel, R., Tjoa, S., Tavolato, P.: Advanced file carving approaches for multimedia files. J. Wireless Mob. Networks, Ubiquitous Comput. Dependable Appl. 2(4), 42–58 (2011)Google Scholar
  15. 15.
    Al-Sharif, Z.A., Odeh, D.N., Al-Saleh, M.I.: Towards carving PDF files in main memory. In: Proceedings of International Technology Management Conference (2015)Google Scholar
  16. 16.
    Garfinkel, S.L., McCarrin, M.: Hash based carving: searching media for complete files and file fragments with sector hashing and hash db. Digit. Investig. 14(2015), S95–S105 (2015)CrossRefGoogle Scholar
  17. 17.
    Wagner, J., Rasin, A., Grier, J.: Database forensic analysis through internal structure carving. Digit. Investig. 14(2015), S106eS115 (2015)Google Scholar
  18. 18.
    Walters, A., Petroni, N.L.: Volatools: integrating volatile memory forensics into the digital investigation process. Digit. Investig., Elsevier (2007)Google Scholar
  19. 19.
    Richard, G.G. III, Roussev, V.: Scalpel: a frugal, high performance file carver. In: Proceedings of 2005 Digital Forensics Research Workshop (DFRWS), New Orleans, LA (Aug 2005)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Noor Ul Ain Ali
    • 1
  • Waseem Iqbal
    • 1
    Email author
  • Narmeen Shafqat
    • 1
  1. 1.Department of Information SecurityNational University of Sciences and TechnologyIslamabadPakistan

Personalised recommendations