Forensics in Telecommunications, Information, and Multimedia. Third International ICST Conference, e-Forensics 2010, Shanghai, China, November 11-12, 2010, Revised Selected Papers

Research Article

On Achieving Encrypted File Recovery

  • @INPROCEEDINGS{10.1007/978-3-642-23602-0_1,
        author={Xiaodong Lin and Chenxi Zhang and Theodora Dule},
        title={On Achieving Encrypted File Recovery},
        proceedings={Forensics in Telecommunications, Information, and Multimedia. Third International ICST Conference, e-Forensics 2010, Shanghai, China, November 11-12, 2010, Revised Selected Papers},
        proceedings_a={E-FORENSICS},
        year={2012},
        month={10},
        keywords={Data Recovery File Carving Computer Forensics Security Block Cipher Encryption/Decryption},
        doi={10.1007/978-3-642-23602-0_1}
    }
    
  • Xiaodong Lin
    Chenxi Zhang
    Theodora Dule
    Year: 2012
    On Achieving Encrypted File Recovery
    E-FORENSICS
    Springer
    DOI: 10.1007/978-3-642-23602-0_1
Xiaodong Lin1,*, Chenxi Zhang2,*, Theodora Dule1,*
  • 1: University of Ontario Institute of Technology
  • 2: University of Waterloo
*Contact email: Xiaodong.Lin@uoit.ca, c14zhang@engmail.uwaterloo.ca, Theodora.Dule@uoit.ca

Abstract

As digital devices become more prevalent in our society, evidence relating to crimes will be more frequently found on digital devices. Computer forensics is becoming a vital tool required by law enforcement for providing data recovery of key evidence. File carving is a powerful approach for recovering data, especially when file system metadata information is unavailable. Many file carving approaches have been proposed, but they cannot be directly applied to encrypted file recovery. In this paper, we first identify the problem of encrypted file recovery, and then propose an effective method for encrypted file recovery through recognizing the encryption algorithm and mode in use. We classify encryption modes into two categories. For each category, we introduce a corresponding mechanism for file recovery, and also propose an algorithm to recognize the encryption algorithm and mode. Finally, we theoretically analyze the accuracy rate of recognizing an entire encrypted file in terms of file types.