Analysis and Implementation of Signature Based Method and Structure File Based Method for File Carving

  • Anjar Afrizal Telkom University
  • Niken Dwi Wahyu Cahyani Telkom University
  • Erwid Musthofa Jadied Telkom University
Keywords: file carving

Abstract

File carving is a data recovery technique based on file structure and content, without relying on filesystem information or metadata. A key problem in file carving is its high false positive value, especially when the file is fragmented (either linearly or non-linearly). The aim of this study is to implement and analyze the performance of two file carving methods (Signature Based and File Structure Based) as a solution to this problem in the carving process. Focusing on JPEG, GIF and PNG files, two datasets are used: the CFReDS Project (NIST Project) and the Basic Data Carving Test (Nick Mikus Project). The analysis is based on recovery performance (carving recall, supported recall, carving precision), execution time, and memory usage. On the recovery performance parameter, the File Structure Based method gets a higher overall value than the Signature Based method. However, on the execution time performance parameter, the Signature Based method has a better execution time and uses fewer resources than the File Structure Based method.
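The precision gap the abstract reports can be seen on a small PNG case. The following is an added example, not the paper's implementation: it assumes the signature-based method is a plain header/footer search and the structure-based method walks the PNG chunk chain and checks each CRC. All function names and the sample buffer are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"           # 8-byte PNG header signature
PNG_END = b"IEND\xae\x42\x60\x82"        # IEND chunk type plus its fixed CRC-32

def chunk(ctype, data=b""):              # length, type, data, CRC-32 over type+data
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def signature_carve(buf):
    """Signature-based: pair every header with the next footer, no validation."""
    hits, pos = [], buf.find(PNG_SIG)
    while pos != -1:
        end = buf.find(PNG_END, pos)
        if end != -1:
            hits.append((pos, end + len(PNG_END)))
        pos = buf.find(PNG_SIG, pos + 1)
    return hits

def walk_chunks(buf, off):
    """Follow the chunk chain from off; return the end offset, or None if invalid."""
    first = True
    while off + 12 <= len(buf):
        (length,) = struct.unpack_from(">I", buf, off)
        ctype, body_end = buf[off + 4:off + 8], off + 8 + length
        if body_end + 4 > len(buf):
            return None                   # declared length runs past the image
        if zlib.crc32(buf[off + 4:body_end]) != struct.unpack_from(">I", buf, body_end)[0]:
            return None                   # CRC mismatch: corrupt or not a chunk
        if first and ctype != b"IHDR":
            return None                   # a PNG must start with IHDR
        first, off = False, body_end + 4
        if ctype == b"IEND":
            return off
    return None

def structure_carve(buf):
    """Structure-based: keep a header only if a valid chunk chain follows it."""
    hits, pos = [], buf.find(PNG_SIG)
    while pos != -1:
        end = walk_chunks(buf, pos + len(PNG_SIG))
        if end is not None:
            hits.append((pos, end))
        pos = buf.find(PNG_SIG, pos + 1)
    return hits

# Constructed sample: one valid 1x1 PNG, then a stray header, junk and a stray footer.
GOOD = PNG_SIG + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)) \
     + chunk(b"IDAT", zlib.compress(b"\x00\x00")) + chunk(b"IEND")
SAMPLE = b"\x00" * 16 + GOOD + b"\xff" * 8 + PNG_SIG + b"overwritten sector data" + chunk(b"IEND")
```

On `SAMPLE`, the signature search returns two candidates (one a false positive), while the chunk walk returns only the valid file, at the cost of parsing and checksumming every chunk.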

References

A. Dewald, M. Luft and J. Suleder, "Incident Analysis and Forensics in Docker Environments," ERNW White Paper 64, 2018.

R. Ali, K. Mohamad, S. Jamel and S. Khalid, "A review of digital forensics methods for JPEG file carving," Journal of Theoretical and Applied Information Technology, vol. 96, no. 17, p. 5841, 2018.

N. Alherbawi, Z. Shukur and R. Sulaiman, "A survey on data carving in digital forensic," Asian Journal of Information Technology, vol. 15, no. 24, pp. 5137-5144, 2016.

E. Alshammary and A. Hadi, "Reviewing and evaluating existing file carving techniques for jpeg files," in Cybersecurity and Cyberforensics Conference (CCC), 2016.

K. Mohamad, T. Herawan and M. Deris, "Dual-byte-marker algorithm for detecting JFIF header," in International Conference on Information Security and Assurance, Springer, Berlin, Heidelberg, 2010.

N. Abdullah, R. Ibrahim and K. Mohamad, "Carving thumbnail/s and embedded JPEG files using image pattern matching," Journal of Software Engineering and Applications, vol. 6, no. 3B, p. 62, 2013.

K. Mohamad and M. Deris, "Fragmentation point detection of JPEG images at DHT using validator," in International Conference on Future Generation Information Technology, Springer, Berlin, Heidelberg, 2009.

G. Richard and V. Roussev, "Scalpel: A Frugal, High Performance File Carver," in The Digital Forensic Research Conference, New Orleans, LA, 2005.

X. Zha and S. Sahni, "Fast in-place file carving for digital forensics," in International Conference on Forensics in Telecommunications, Information, and Multimedia, Springer, Berlin, Heidelberg, 2010.

K. Mohamad, A. Patel, T. Herawan and M. Deris, "myKarve: JPEG image and thumbnail carver," Journal of Digital Forensic Practice, vol. 3, no. 2-4, pp. 74-97, 2010.

N. Mikus, "Basic Data Carving Test #1," Source Forge, 14 March 2005. [Online]. Available: http://dftt.sourceforge.net/test11/index.html. [Accessed June 2020].

NIST, "Forensic Images for File Carving," NIST, 19 October 2019. [Online]. Available: https://www.cfreds.nist.gov/FileCarving/index.html. [Accessed June 2020].

T. Laurenson, "Performance analysis of file carving tools," in IFIP International Information Security Conference, Springer, Berlin, Heidelberg, 2013.

J. De Bock and P. De Smet, "JPGcarve: an advanced tool for automated recovery of fragmented JPEG files," IEEE Transactions on Information Forensics and Security, vol. 11, no. 1, pp. 19-34, 2015.

Published
2021-05-03
How to Cite
Afrizal, A., Cahyani, N. D. W., & Jadied, E. M. (2021). Analysis and Implementation of Signature Based Method and Structure File Based Method for File Carving. Indonesia Journal on Computing (Indo-JC), 6(1), 13-22. https://doi.org/10.34818/INDOJC.2021.6.1.457
Section
Computer Science