Advertisement

Abstract

Fragmented File carving is an important technique in Digital Forensics to recover files from their fragments in the absence of the file system allocation information. In this paper, the fragmented file carving problem is formulated as a graph theoretic problem. Using this model, we describe two algorithms, “Best Path Search” and “High Fragmentation Path Search”, to perform file reconstruction and recovery. The best path search algorithm is a deterministic technique to recover the best file construction path. We show that this technique is more efficient and accurate than existing brute force techniques. In addition, a test was carried out to recover 10 files scattered into their fragments. The best path search algorithm was able to successful recover all of them back to their original state. The high fragmentation path search technique involves a trade-off between the final score of the constructed path of the file and the file recovery time to allow a faster recovery process for highly fragmented files. Analysis show that the accurate eliminations of paths have an accuracy of up to greater than 85%.

Keywords

Optimal Path Directed Edge Brute Force Path Search Triangular Distribution 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Leiserson, C.E.: Introduction to algorithms. MIT Press, Cambridge (2001)zbMATHGoogle Scholar
  2. 2.
    da Gama Leito, H.C., Soltfi, J.: Automatic reassembly of irregular fragments. In: Univ. of Campinas, Tech. Rep. IC-98-06 (1998)Google Scholar
  3. 3.
    da Gama Leito, H.C., Soltfi, J.: A multiscale method for the reassembly of two-dimensional fragmented objects. IEEE Transections on Pattern Analysis and Machine Intelligence 24 (September 2002)Google Scholar
  4. 4.
    Shanmugasundaram, K., Memon, N.: Automatic reassembly of document fragments via context based statistical models. In: Proceedings of the 19th Annual Computer Security Applications Conference, p. 152 (2003)Google Scholar
  5. 5.
    Shanmugasundaram, K., Memon, N.: Automatic reassembly of document fragments via data compression. Presented at the 2nd Digital Forensics Research Workshop, Syracuse (July 2002)Google Scholar
  6. 6.
    Cohen, M.I.: Advanced jpeg carving. In: Proceedings of the 1st International Conference on Forensic Applications and Techniques in Telecommunications, Information, and Multimedia and Workshop, Article No.16 (2008)Google Scholar
  7. 7.
    Cohen, M.I.: Advanced carving techniques. Digital Investigation 4(supplement 1), 2–12 (2007)Google Scholar
  8. 8.
    Memon, N., Pal, A.: Automated reassembly of file fragmented images using greedy algorithms. IEEE Transactions on Image Processing, 385–393 (February 2006)Google Scholar
  9. 9.
    Sablatnig, R., Menard, C.: On finding archaeological fragment assemblies using a bottom-up design. In: Proc. of the 21st Workshop of the Austrain Association for Pattern Recognition Hallstatt, Austria, Oldenburg, Wien, Muenchen, pp. 203–207 (1997)Google Scholar
  10. 10.
    Garfinkel, S.: Carving contiguous and fragmented files with fast object validation. In: Proceedings of the 2007 Digital Forensics Research Workshop, DFRWS, Pittsburgh, PA (August 2007)Google Scholar
  11. 11.
    Martucci, S.A.: Reversible compression of hdtv images using median adaptive prediction and arithmetic coding. In: IEEE International Symposium on Circuits and Systems, pp. 1310–1313 (1990)Google Scholar
  12. 12.
    Kampel, M., Sablatnig, R., Costa, E.: Classification of archaeological fragments using profile primitives. In: Computer Vision, Computer Graphics and Photogrammetry - a Common Viewpoint, Proceedings of the 25th Workshop of the Austrian Association for Pattern Recognition (OAGM), pp. 151–158 (2001)Google Scholar
  13. 13.
    Pal, A., Sencar, H.T., Memon, N.: Detecting file fragmentation point using sequential hypothesis testing. In: Proceedings of the Eighth Annual DFRWS Conference. Digital Investigation, vol. 5(supplement 1), pp. S2–S13 (September 2008)Google Scholar
  14. 14.
    Pal, A., Shanmugasundaram, K., Memon, N.: Automated reassembly of fragmented images. Presented at ICASSP (2003)Google Scholar
  15. 15.
    Stemmer, W.P.: DNA shuffling by random fragmentation and reassembly: in vitro recombination for molecular evolution. Proc. Natl. Acad. Sci. (October 25, 1994)Google Scholar

Copyright information

© ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering 2011

Authors and Affiliations

  • Hwei-Ming Ying
    • 1
  • Vrizlynn L. L. Thing
    • 1
  1. 1.Institute for Infocomm ResearchSingapore

Personalised recommendations