Decision-theoretic file carving

Gladyshev, Pavel; James, Joshua I.

doi:10.1016/j.diin.2017.08.001

Cited by 12 publications

(11 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…An approach developed by Gladyshev and James [ 13 ] uses probabilistic sampling and priorisation in the context of file carving, an automated process for reducing the amount of data to be subjected to analysis. The approach will speed up file carving for forensics triage by processing data blocks that are more likely to contain relevant data when investigators are looking for files of a particular kind.…”

Section: The Digital Forensics Environmentmentioning

confidence: 99%

See 1 more Smart Citation

Interpol review of digital evidence 2016 - 2019

Reedy¹

2020

Forensic Science International: Synergy

View full text Add to dashboard Cite

show abstract

Section: The Digital Forensics Environmentmentioning

confidence: 99%

“…Carving times are reduced by skipping the areas on the disk that are unlikely to contain relevant data. The technique is most useful when applied in a triage situation [ 13 ].…”

Section: The Digital Forensics Environmentmentioning

confidence: 99%

Interpol review of digital evidence 2016 - 2019

Reedy¹

2020

Forensic Science International: Synergy

View full text Add to dashboard Cite

show abstract

“…Depending on whether utilizing the file system metadata, existing file recovery approaches can be divided into two categories: Metadata-based file recovery (MFR) (Dewald & Seufert, 2017;Fairbanks, 2012;Jo et al, 2018;Kim et al, 2021;Lee et al, 2020;Lee & Shon, 2014) and carving-based file recovery (CFR) (Garfinkel, 2007;Garfinkel & McCarrin, 2015;Gladyshev & James, 2017;Golden & Vassil, 2005;Hand et al, 2012;Pal et al, 2003;Pal et al, 2008;Tang et al, 2016). MFR is fast and accurate because it can leverage file system metadata to interpret user data.…”

Section: Introductionmentioning

confidence: 99%

“…Different from MFR, CFR does not rely on metadata. It leverages syntactic signatures (e.g., file header-footer pairs) (Tang et al, 2016), semantic structures (e.g., explicit control flow paths within a binary executable) (Hand et al, 2012), heuristic technologies (Garfinkel & McCarrin, 2015;Gladyshev & James, 2017;Pal et al, 2008), timestamps (Nordvik et al, 2020;Portera et al, 2021) or deep learning technologies (Heo et al, 2019;Mohammad & Alqahtani, 2019) to restore files. Unlike MFR, which can precisely recover a file under the "direct guidance" of metadata, CFR "indirectly infers" which data blocks belong to the file to be recovered.…”

Section: Introductionmentioning

confidence: 99%

Golden Eye

Zhang

Chen

Zhu

2022

International Journal of Digital Crime and Forensics

View full text Add to dashboard Cite

File systems are important sources of intelligence information and digital evidence. They have long attracted the interest of researchers in recovering files that are deleted from a hard disk. Existing file recovery studies rely heavily on an operating system (OS). However, it is often encountered that OS services are not available, making existing file recovery approaches unusable. To address this issue, the authors design and implement an OS-independent file recovery algorithm named Golden Eye (GE) by targeting the EXT4 file system. Fed the raw image obtained from a (sanitized) hard disk, GE can automatically recover any designated file or even the whole EXT4 file system. GE is based on the understanding of the file disk layout of EXT4 and does not need any support from additional hardware or software. Experimental results prove the feasibility and correctness of GE. This work not only solves the OS dependency problem that most existing file recovery work suffers from but also reveals the fact that even sanitized hard disks are still at risk of leaking sensitive data.

show abstract

“…Much of the research in this area aims to reduce the amount of data the investigator is required to examine via triage techniques, or by filtering the data in some way so as to give the investigator an indication of where to focus their searches. Gladyshev and James (2017) implemented decision theoretic carving (DECA) which fulfils both a filtering and a triage role. This work is designed to allow an investigator to rapidly retrieve JPEG images from the disk.…”

Section: Introductionmentioning

confidence: 99%

Insight: An Application of Information Visualisation Techniques to Digital Forensics Investigations

Hales¹,

Ferguson²,

Archibald³

2017

IJCSA

View full text Add to dashboard Cite

As digital devices are becoming ever more ubiquitous in our day to day lives, more of our personal information and behavioural patterns are recorded on these devices. The volume of data held on these devices is substantial, and people investigating these datasets are facing growing backlog as a result. This is worsened by the fact that many software tools used in this area are text based and do not lend themselves to rapid processing by humans.This body of work looks at several case studies in which these datasets were visualised in attempt to expedite processing by humans. A number of different 2D and 3D visualisation methods were trialled, and the results from these case studies fed into the design of a final tool which was tested with the assistance of a group of individuals studying Digital Forensics.The results of this research show some encouraging results which indicate visualisation may assist analysis in some aspects, and indicates useful paths for future work.

show abstract

Decision-theoretic file carving

Cited by 12 publications

References 12 publications

Interpol review of digital evidence 2016 - 2019

Interpol review of digital evidence 2016 - 2019

Golden Eye

Insight: An Application of Information Visualisation Techniques to Digital Forensics Investigations

Contact Info

Product

Resources

About