A Comprehensive Literature Review of File Carving

File carving is a recovery technique that allows files to be recovered without contextual information such as file system metadata. Due to recent advancements in research, file carving has become an essential technique for both general data recovery and digital forensics investigations. During the last few years, a considerable number of publications have appeared on the topic of file carving. Out of around 130 publications in this field, we selected 70 key papers with major contributions to the topic in order to identify potential fields of future research activities. The first contribution of this paper is a survey of the state-of-the-art literature, supporting researchers and practitioners in gaining a comprehensive view of the progress in file carving research. The second major contribution of this paper is a (preliminary) file carving ontology. The purpose of the ontology presented in this paper is to advance recovery approaches that are based on knowledge bases processable by computer systems.
