Abstract
Because files are typically stored as sequences of data blocks, the file carving process in digital forensics involves the identification and collocation of the original blocks of files. Current file carving techniques that use the signatures of file headers and footers could be improved by first classifying each data block in the storage media as belonging to a given file type. Unfortunately, file block classification techniques tend to have low accuracy. One reason is that they do not account for compound files that contain subcomponents encoded as different data types. This paper presents a context-based classification approach that accounts for compound files and improves on block-by-block classification schemes by exploiting the contiguity of file blocks belonging to the same file on the storage media.
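The contiguity idea in the abstract, as an added example that is not taken from the paper: per-block predictions from any block-by-block classifier are relabelled by a majority vote over neighbouring blocks on the media, then collapsed into runs a carver could use. The window vote, the `radius` parameter, the function names and the sample labels are all assumptions made for illustration; the paper's own algorithm is not described on this page.

```python
from collections import Counter

def smooth_labels(labels, radius=2):
    """Relabel each block by majority vote over its neighbours on disk.

    labels: per-block predictions from a block-by-block classifier.
    radius: blocks considered on each side (assumed parameter).
    Ties keep the block's original prediction.
    """
    smoothed = []
    for i, own in enumerate(labels):
        window = labels[max(0, i - radius): i + radius + 1]
        counts = Counter(window)
        best = max(counts.values())
        winners = [lab for lab, n in counts.items() if n == best]
        smoothed.append(own if own in winners else winners[0])
    return smoothed

def runs(labels):
    """Collapse a label sequence into (label, first_block, block_count) runs."""
    out = []
    for i, lab in enumerate(labels):
        if out and out[-1][0] == lab:
            out[-1] = (lab, out[-1][1], out[-1][2] + 1)
        else:
            out.append((lab, i, 1))
    return out

# Constructed sample: noisy predictions for 6 JPEG blocks followed by 6 PDF blocks.
# Block 2 is a plain misclassification; block 9 stands for a JPEG-encoded
# subcomponent inside the PDF, which context assigns to its container.
RAW = ["jpg", "jpg", "zip", "jpg", "jpg", "jpg",
       "pdf", "pdf", "pdf", "jpg", "pdf", "pdf"]

if __name__ == "__main__":
    print("block-by-block:", runs(RAW))
    print("with context:  ", runs(smooth_labels(RAW)))
```

A wider `radius` removes more isolated errors but also blurs the true boundary between adjacent files, so runs shorter than the window can be absorbed by their neighbours.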
Copyright information
© 2012 IFIP International Federation for Information Processing
About this paper
Cite this paper
Sportiello, L., Zanero, S. (2012). Context-Based File Block Classification. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics VIII. DigitalForensics 2012. IFIP Advances in Information and Communication Technology, vol 383. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33962-2_5
DOI: https://doi.org/10.1007/978-3-642-33962-2_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33961-5
Online ISBN: 978-3-642-33962-2
eBook Packages: Computer Science (R0)