Fast in-Place File Carving for Digital Forensics
Authors
Abstract
Scalpel, a popular open source file recovery tool, performs file carving using the Boyer-Moore string search algorithm to locate headers and footers in a disk image. We show that the time required for file carving may be reduced significantly by employing multi-pattern search algorithms such as the multi-pattern Boyer-Moore and Aho-Corasick algorithms as well as asynchronous disk reads and multithreading as typically supported on multicore commodity PCs. Using these methods, we are able to do in-place file carving in essentially the time it takes to read the disk whose files are being carved. Since, using our methods, the limiting factor for performance is the disk read time, there is no advantage to using accelerators such as GPUs as has been proposed by others. To further speed up in-place file carving, we would need a mechanism to read the disk faster.
Similar resources
In-Place File Carving
File carving is the process of recovering files from an investigative target, potentially without knowledge of the filesystem structure. Current generation file carvers make complete copies of recovered files. Unfortunately, they often produce a large number of false positives – “junk” files with invalid formats that frequently consume large amounts of disk space. This paper describes an “in-pl...
Forensic Data Carving
File or data carving is a term used in the field of cyber forensics. Cyber forensics is the process of acquisition, authentication, analysis and documentation of evidence extracted from and/or contained in a computer system, computer network and digital media. Extracting data (a file) out of undifferentiated blocks (raw data) is called carving. Identifying and recovering files based on analysi...
Implementation of Greedy Sequential Unique Path
A digital forensic analyst encounters mixed file fragments in the absence of file table information, i.e., files' metadata. File carving is a process of reconstructing files from mixed file fragments without using files' metadata. File carving is an interesting and challenging problem in digital forensics and data recovery. Recently there have been a number of research papers in the area of File C...
Advanced File Carving Approaches for Multimedia Files
File carving is a recovery technique that recovers files based on information about their structure and content without matching file system information. As files can be recovered from their content and/or file structure this technique is indispensable during digital forensics investigations. So far many approaches for the recovery of digital images have been proposed. The main contribution of ...
Scalpel: A Frugal, High Performance File Carver
File carving is an important technique for digital forensics investigation and for simple data recovery. By using a database of headers and footers (essentially, strings of bytes at predictable offsets) for specific file types, file carvers can retrieve files from raw disk images, regardless of the type of filesystem on the disk image. Perhaps more importantly, file carving is possible even if ...
Journal title:
Volume, issue:
Pages: -
Publication date: 2010