Analysis and Implementation of Signature Based Method and Structure File Based Method for File Carving
File carving is a data recovery technique based on file structure and content, without relying on filesystem information or metadata. The problem with carving files is its high false-positive rate, especially when the file is fragmented (either linearly or non-linearly). The aim of this study is to implement and analyze the performance of two file carving methods (Signature Based and File Structure Based) as a solution to this problem in the carving process. Focusing on JPEG, GIF and PNG files, two datasets are used: the CFReDS Project (NIST Project) and the Basic Data Carving Test (Nick Mikus Project). The analysis is based on recovery performance (carving recall, supported recall, carving precision), execution time, and memory usage. On the recovery performance parameters, the File Structure Based method gets a higher overall value than the Signature Based method. However, on the execution time parameter, the Signature Based method has a better execution time and uses fewer resources than the File Structure Based method.
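As an added illustration (not the study's implementation or code from the paper), the Python example below contrasts the two approaches on PNG: header/footer signature matching versus walking the chunk structure and checking each CRC32. The disk image is constructed inline and all function names are hypothetical.

```python
import struct, zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_END = b"IEND\xae\x42\x60\x82"  # IEND chunk type followed by its fixed CRC32

def make_chunk(ctype, data):
    body = ctype + data
    return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body))

def signature_carve(image):
    """Header/footer matching only: each PNG signature up to the next IEND."""
    hits, pos = [], image.find(PNG_SIG)
    while pos != -1:
        end = image.find(PNG_END, pos)
        if end != -1:
            hits.append((pos, end + len(PNG_END)))
        pos = image.find(PNG_SIG, pos + 1)
    return hits

def structure_valid(blob):
    """Walk length/type/data/CRC chunks; require IHDR first and IEND last."""
    if not blob.startswith(PNG_SIG):
        return False
    off, first = len(PNG_SIG), True
    while off + 12 <= len(blob):
        (length,) = struct.unpack_from(">I", blob, off)
        ctype = blob[off + 4:off + 8]
        end = off + 12 + length
        if end > len(blob) or (first and ctype != b"IHDR"):
            return False
        (crc,) = struct.unpack_from(">I", blob, end - 4)
        if zlib.crc32(blob[off + 4:end - 4]) != crc:
            return False  # corrupted or fragmented chunk
        if ctype == b"IEND":
            return end == len(blob)
        off, first = end, False
    return False

def structure_carve(image):
    """Keep only the signature hits whose chunk structure validates."""
    return [(s, e) for s, e in signature_carve(image) if structure_valid(image[s:e])]

def sample_image():
    # Constructed test data: one intact PNG and one with a foreign block inside IDAT.
    ihdr = make_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
    idat = make_chunk(b"IDAT", zlib.compress(b"\x00\x00"))
    iend = make_chunk(b"IEND", b"")
    good = PNG_SIG + ihdr + idat + iend
    broken = PNG_SIG + ihdr + idat[:10] + b"\xff" * 16 + idat[10:] + iend
    return b"\x00" * 32 + good + b"\x00" * 32 + broken + b"\x00" * 32
```

On the constructed image, `signature_carve` reports both regions, including the fragmented one as a false positive, while `structure_carve` keeps only the intact file at the cost of parsing every chunk.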
Copyright (c) 2021 Anjar Afrizal, Niken Dwi Wahyu Cahyani, Erwid Musthofa Jadied
This work is licensed under a Creative Commons Attribution 4.0 International License.