Visualisation of allocated and unallocated data blocks in digital forensics
暂无分享,去创建一个
The ability to visualise blocks within file systems as allocated or unallocated is part of many existing forensic tools, for example the ‘Disk’ view in EnCase. However, analysis of the file system or partitioning of a disk is only one level of analysis that can occur as part of a digital investigation. Analysis of the structure within individual files can also be useful, however, there are limited examples of visualising file based data structures. This paper provides a discussion of the development of a prototype visualisation tool that could be used for examining application or operating system files that themselves contain allocated and unallocated blocks. An example is provided that visualises the Windows Registry and demonstrates how a visualisation could assist in identifying areas that are unallocated and therefore may contain deleted data of interest. This approach has potential applications in teaching the binary structure of files and also for data recovery in situations where code exists to process the live data from a file format, but data carving strategies for that format have not yet been developed.
[1] Timothy D. Morgan. Recovering deleted data from the Windows registry , 2008 .
[2] Murilo Tito Pereira. Forensic analysis of the Firefox 3 Internet history and recovery of deleted SQLite records , 2009, Digit. Investig..
[3] Gregory J. Conti,et al. Visual Reverse Engineering of Binary and Data Files , 2008, VizSEC.
[4] Brian D. Carrier,et al. File System Forensic Analysis , 2005 .
[5] Raffael Marty,et al. Applied Security Visualization , 2008 .