Research Article
Fast in-Place File Carving for Digital Forensics
@INPROCEEDINGS{10.1007/978-3-642-23602-0_13, author={Xinyan Zha and Sartaj Sahni}, title={Fast in-Place File Carving for Digital Forensics}, proceedings={Forensics in Telecommunications, Information, and Multimedia. Third International ICST Conference, e-Forensics 2010, Shanghai, China, November 11-12, 2010, Revised Selected Papers}, proceedings_a={E-FORENSICS}, year={2012}, month={10}, keywords={Digital forensics Scalpel Aho-Corasick multipattern Boyer- Moore multicore computing asynchronous disk read}, doi={10.1007/978-3-642-23602-0_13} }- Xinyan Zha
Sartaj Sahni
Year: 2012
Fast in-Place File Carving for Digital Forensics
E-FORENSICS
Springer
DOI: 10.1007/978-3-642-23602-0_13
Abstract
Scalpel, a popular open source file recovery tool, performs file carving using the Boyer-Moore string search algorithm to locate headers and footers in a disk image. We show that the time required for file carving may be reduced significantly by employing multi-pattern search algorithms such as the multipattern Boyer-Moore and Aho-Corasick algorithms as well as asynchronous disk reads and multithreading as typically supported on multicore commodity PCs. Using these methods, we are able to do in-place file carving in essentially the time it takes to read the disk whose files are being carved. Since, using our methods, the limiting factor for performance is the disk read time, there is no advantage to using accelerators such as GPUs as has been proposed by others. To further speed in-place file carving, we would need a mechanism to read disk faster.