Research Article

Recovering Multimedia Files from a Memory Image

Year 2018, Volume: 21 Issue: 3, 731 - 737, 01.09.2018
https://doi.org/10.2339/politeknik.417767

Abstract

The widespread use of digital technologies increases the amount of data stored on digital media. This growth in stored data also brings data security risks. One of the most important risks in personal data security is unauthorized or accidental data deletion. File recovery and carving software exists for recovering deleted files from storage devices. Files must be loaded into RAM before they can be used in the operating system, and the memory manager keeps them in RAM for a certain amount of time. A file opened or deleted by the user in the operating system can therefore be found in RAM, and file carving techniques must be applied to RAM to access these files.



This study compares the carving results and performance values of multimedia files carved from a RAM image by file carving software using different signature structures. Carving was performed with the header and footer signatures of used and terminated multimedia files (JPG, PNG, GIF, BMP) in the Windows 10 operating system. In the carving process, carving durations and carving success rates were measured using different signature structures of the same file type. In light of these results, the performance of the multimedia file types is evaluated according to the signature structures used. The RAM image retrieval and file carving software used in the study was developed by us as part of a Ph.D. project.
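The comparison described in the abstract can be sketched as follows. This is an added example, not the authors' software: the signature values are the commonly known magic numbers (the paper's own signature sets are not given on this page), the names `carve`, `compare` and `sample_image` and the size cap are hypothetical, and the "RAM image" is a small constructed buffer covering JPG, PNG and GIF only.

```python
import time

# Assumed, commonly known magic numbers; two JPG structures are listed so the
# effect of the signature choice on the hit count is visible.
SIGNATURES = {
    "jpg-generic": (b"\xff\xd8\xff", b"\xff\xd9"),
    "jpg-jfif": (b"\xff\xd8\xff\xe0", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "gif": (b"GIF89a", b"\x00\x3b"),
}
MAX_SIZE = 1 << 20  # hypothetical cap on the header-to-footer distance

def carve(image: bytes, header: bytes, footer: bytes, max_size: int = MAX_SIZE):
    """Return (offset, data) for every header that has a footer within max_size."""
    found, pos = [], 0
    while (start := image.find(header, pos)) != -1:
        end = image.find(footer, start + len(header), start + max_size)
        if end == -1:
            pos = start + 1  # header without footer: fragment or false positive
            continue
        stop = end + len(footer)
        found.append((start, image[start:stop]))
        pos = stop
    return found

def compare(image: bytes, signatures=SIGNATURES):
    """Carve with each signature structure and record hit count and duration."""
    report = {}
    for name, (header, footer) in signatures.items():
        t0 = time.perf_counter()
        hits = carve(image, header, footer)
        report[name] = {"count": len(hits), "offsets": [o for o, _ in hits],
                        "seconds": time.perf_counter() - t0}
    return report

def sample_image() -> bytes:
    """Constructed stand-in for a RAM image: zero pages around tiny fake files."""
    pad = b"\x00" * 4096
    jfif = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 32 + b"\xff\xd9"
    exif = b"\xff\xd8\xff\xe1\x00\x10Exif\x00" + b"B" * 32 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"C" * 32 + b"IEND\xaeB`\x82"
    gif = b"GIF89a" + b"D" * 32 + b"\x00\x3b"
    orphan = b"\xff\xd8\xff\xe0" + b"E" * 16  # header whose footer is not in RAM
    return pad + pad.join([jfif, exif, png, gif, orphan]) + pad

if __name__ == "__main__":
    for name, row in compare(sample_image()).items():
        print(f"{name:12} hits={row['count']} time={row['seconds']:.6f}s")
```

On the constructed buffer the generic JPG header recovers both JPEG files while the JFIF-specific header recovers only one, which is the kind of success-rate difference between signature structures that the study measures.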


Details

Primary Language English
Subjects Engineering
Journal Section Research Article
Authors

Ahmet Ali Süzen

Kubilay Taşdelen

Publication Date September 1, 2018
Submission Date February 19, 2018
Published in Issue Year 2018 Volume: 21 Issue: 3

Cite

APA Süzen, A. A., & Taşdelen, K. (2018). Recovering Multimedia Files from a Memory Image. Politeknik Dergisi, 21(3), 731-737. https://doi.org/10.2339/politeknik.417767