Chapter 1 CONTEXT - BASED FILE BLOCK CLASSIFICATION

In computer forensics, carving is an important trick in the digital investigator’s sleeve. Since files are typically stored as sequences of data blocks, the retrieval process basically consists of locating and appropriately collating together the original blocks of each file. Traditional file carving solutions, generally based on signatures of file headers and footers, could be improved by performing a classification of each data block in the storage media as belonging to a given file type. Unfortunately file block classification techniques tend to be far from perfect in terms of accuracy. For an improvement of the classification results the presence of compound files, i.e. files containing sub-portions that are encoded similarly to a different data type, must be taken into account during the classifier preparation. In this work, we demonstrate that this impacts heavily on the performance of file block classifiers. In addition, to generally improve the accuracy of classification, we propose a context-based classification architecture to improve block-by-block classification schemes, by exploiting the contiguity of file blocks belonging to the same file on storage media. The approach is completely general and can be easily applied to any content-based file block classification algorithm.