The Evolution of File Carving [ The benefits and problems of forensics recovery ] [

Y ear by year, the number of computers and other digital devices being used is increasing. The recent Pew Research Center Globalization Review [1] showed that 26 of the 36 countries surveyed had increased their computer usage. This increase is occurring simultaneously with an increase in usage of other digital devices, such as cell phones. In fact, in the United States alone 81% of the population now owns a cell phone, which is a 20% increase compared to 2002. Some countries , including Russia, have shown upwards of a 50% increase in cell phone ownership. Computers are now one of many devices where digital data is stored. Devices such as cell phones, music players, and digital cameras all now have some form of internal storage or else allow data to be stored to external devices like flash cards, memory sticks, and solid-state devices (SSDs). With this huge increase in digital data storage, the need to recover data due to human error, device malfunction, or deliberate sabotage has also increased. Data recovery is a key component of the disaster recovery, forensics, and e-discovery markets. Digital data recovery can consist of both software and hardware techniques. Hardware techniques are often used to extract data from corrupted or physically damaged disks. Once the data has been extracted, software recovery techniques are often required to order and make sense of the data. In this article, we will be solely discussing software techniques for recovery of data with a focus on digital forensics. We will begin by providing a quick overview of traditional data recovery techniques and then describe the problems involved with such techniques. We then introduce the techniques involved in file carving.

[1]  Edsger W. Dijkstra,et al.  A note on two problems in connexion with graphs , 1959, Numerische Mathematik.

[2]  Ke Wang,et al.  Fileprints: identifying file types by n-gram analysis , 2005, Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop.

[3]  Simson L. Garfinkel,et al.  Carving contiguous and fragmented files with fast object validation , 2007, Digit. Investig..

[4]  Nahid Shahmehri,et al.  Oscar - File Type Identification of Binary Data in Disk Clusters and RAM Pages , 2006, SEC.

[5]  N. Shahmehri,et al.  File Type Identification of Data Fragments by Their Binary Structure , 2006, 2006 IEEE Information Assurance Workshop.

[6]  G. G. Stokes "J." , 1890, The New Yale Book of Quotations.

[7]  Salvatore J. Stolfo,et al.  Anomalous Payload-Based Network Intrusion Detection , 2004, RAID.

[8]  Nasir Memon,et al.  Automatic Reassembly of Document Fragments via Data Compression , 2002 .

[9]  Husrev T. Sencar,et al.  Detecting file fragmentation point using sequential hypothesis testing , 2008, Digit. Investig..

[10]  Nasir D. Memon,et al.  Automated reassembly of file fragmented images using greedy algorithms , 2006, IEEE Transactions on Image Processing.

[11]  Mohammad Hossain Heydari,et al.  Content based file type detection algorithms , 2003, 36th Annual Hawaii International Conference on System Sciences, 2003. Proceedings of the.

[12]  Brian D. Carrier,et al.  File System Forensic Analysis , 2005 .

[13]  J. Andel Sequential Analysis , 2022, The SAGE Encyclopedia of Research Design.

[14]  Golden G. Richard,et al.  Scalpel: A Frugal, High Performance File Carver , 2005, DFRWS.

[15]  Steve R. Kleiman,et al.  Extent-like Performance from a UNIX File System , 1991, USENIX Winter.

[16]  Wei Hu,et al.  Scalability in the XFS File System , 1996, USENIX Annual Technical Conference.

[17]  Cor J. Veenman Statistical Disk Cluster Classification for File Carving , 2007, Third International Symposium on Information Assurance and Security.