Understanding Deleted File Decay on Removable Media using Differential Analysis

Digital content created by picture recording devices is often stored internally on the source device, on either embedded or removable media. Such storage media is typically limited in capacity and meant primarily for interim storage of the most recent image files, and these devices are frequently configured to delete older files as necessary to make room for new files. When investigations involve such devices and media, it is sometimes these older deleted files that would be of interest. It is an established fact that deleted file content may persist in part or in its entirety after deletion, and identifying the nature of file fragments on digital media has been an active research area for years. However, very little research has been conducted to understand how and why deleted file content persists (or decays) on different media and under different circumstances. The research reported here builds upon prior work establishing a methodology for the study of deleted file decay generally, and the application of that methodology to the decay of deleted files on traditional computing systems with spinning magnetic disks. In this current work, we study the decay of deleted image files on a digital camera with removable SD card storage, and we conduct preliminary experiments for direct SD card and USB storage. Our results indicate that deleted file decay is affected by the size of both the deleted and overwriting files, overwrite frequency, sector size, and cluster size. These results have implications for digital forensic investigators seeking to recover and interpret file fragments.
