Forensics in Telecommunications, Information, and Multimedia. Third International ICST Conference, e-Forensics 2010, Shanghai, China, November 11-12, 2010, Revised Selected Papers

Research Article

A Novel Inequality-Based Fragmented File Carving Technique

  • @INPROCEEDINGS{10.1007/978-3-642-23602-0_3,
        author={Hwei-Ming Ying and Vrizlynn Thing},
        title={A Novel Inequality-Based Fragmented File Carving Technique},
        proceedings={Forensics in Telecommunications, Information, and Multimedia. Third International ICST Conference, e-Forensics 2010, Shanghai, China, November 11-12, 2010, Revised Selected Papers},
        proceedings_a={E-FORENSICS},
        year={2012},
        month={10},
        keywords={},
        doi={10.1007/978-3-642-23602-0_3}
    }
    
  • Hwei-Ming Ying
    Vrizlynn Thing
    Year: 2012
    A Novel Inequality-Based Fragmented File Carving Technique
    E-FORENSICS
    Springer
    DOI: 10.1007/978-3-642-23602-0_3
Hwei-Ming Ying1,*, Vrizlynn Thing1,*
  • 1: Institute for Infocomm Research
*Contact email: hmying@i2r.a-star.edu.sg, vriz@i2r.a-star.edu.sg

Abstract

Fragmented file carving is an important technique in digital forensics to recover files from their fragments in the absence of the file system allocation information. In this paper, the fragmented file carving problem is formulated as a graph theoretic problem. Using this model, we describe two algorithms, “Best Path Search” and “High Fragmentation Path Search”, to perform file reconstruction and recovery. The best path search algorithm is a deterministic technique to recover the best file construction path. We show that this technique is more efficient and accurate than existing brute force techniques. In addition, a test was carried out to recover 10 files scattered into their fragments. The best path search algorithm was able to successfully recover all of them back to their original state. The high fragmentation path search technique involves a trade-off between the final score of the constructed path of the file and the file recovery time to allow a faster recovery process for highly fragmented files. Analysis shows that the accurate eliminations of paths have an accuracy of up to greater than 85%.