Research Article
Statistical Disk Cluster Classification for File Carving
@INPROCEEDINGS{10.1109/IAS.2007.75, author={Cor J. Veenman}, title={Statistical Disk Cluster Classification for File Carving}, proceedings={1st International ICST Workshop on Computational Forensics}, publisher={IEEE}, proceedings_a={IWCF}, year={2007}, month={9}, keywords={Biometrics Computer science Computer security File systems Forensics Information security Intelligent systems Out of order Pattern recognition Statistics}, doi={10.1109/IAS.2007.75} }- Cor J. Veenman
Year: 2007
Statistical Disk Cluster Classification for File Carving
IWCF
IEEE
DOI: 10.1109/IAS.2007.75
Abstract
File carving is the process of recovering files from a disk without the help of a file system. In forensics, it is a helpful tool in finding hidden or recently removed disk content. Known signatures in file headers and footers are especially useful in carving such files out, that is, from header until footer. However, this approach assumes that file clusters remain in order. In case of file fragmentation, file clusters can be disconnected and the order can even be disrupted such that straighforward carving will fail. In this paper, we focus on methods for classifying clusters into file types by using the statistics of the clusters. By not exploiting the possible embedded signatures, we generate evidence from a different source that can be integrated later on. We propose a set of characteristic features and use statistical pattern recognition to learn a supervised classification model for a range of relevant file types. We exploit the statistics of a restricted number of neighboring clusters (context) to improve classification performance. In the experiments we show that the proposed features indeed enable the differentation of clusters into file types. Moreover, for some file types the incorporation of cluster context improves the recognition performance significantly.
