DOCSLIB.ORG

Accelerating Digital Forensic Searching Through Gpgpu Parallel Processing Techniques

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

ACCELERATING DIGITAL FORENSIC SEARCHING THROUGH GPGPU PARALLEL PROCESSING TECHNIQUES A thesis submitted for the degree of Doctor of Philosophy (PhD) by Ethan Bayne School of Design and Informatics, Abertay University. February 2017 Declaration Candidate’s declarations: I, Ethan Bayne, hereby certify that this thesis submitted in partial fulfilment of the requirements for the award of Doctor of Philosophy (PhD), Abertay University, is wholly my own work unless otherwise referenced or acknowledged. This work has not been submitted for any other qualification at any other academic institution. Signed ……………………………………………………………………… Date…………………………………………………………………………. Supervisor’s declaration: I, Robert Ian Ferguson, hereby certify that the candidate has fulfilled the conditions of the Resolution and Regulations appropriate for the degree of Doctor of Philosophy (PhD) in Abertay University and that the candidate is qualified to submit this thesis in application for that degree. Signed ……………………………………………………………………… Date…………………………………………………………………………. Certificate of Approval I certify that this is a true and accurate version of the thesis approved by the examiners, and that all relevant ordinance regulations have been fulfilled. Supervisor…………………………………………………………………. Date………………………………………………………………………… ii Dedication I would like to thank my supervisors – Dr Robert Ian Ferguson and Dr Adam Sampson – for the countless conversations around the different aspects of this research. Their timely encouragement and suggestions have aided in achieving successes beyond anything we expected at the beginning of this investigation. A notable mention goes to Dr Lynsay Shepherd and Dr Gavin Hales. Their friendship (and “bants”) in the department against the dark arts office has kept me sane for the duration of my PhD studies. This work is dedicated to my mum and dad for their continued love and support, without it, this research would have been impossible to accomplish. I would also like to thank my wife – Cecilia – for her continued patience and encouragement. Without her emotional support and supply of caffeine at home, I would not have had the same motivation to succeed in my research. iii ABSTRACT Background String searching within a large corpus of data is a critical component of digital forensic (DF) analysis techniques such as file carving. The continuing increase in capacity of consumer storage devices requires similar improvements to the performance of string searching techniques employed by DF tools used to analyse forensic data. As string searching is a trivially-parallelisable problem, general purpose graphic processing unit (GPGPU) approaches are a natural fit. Currently, only some of the research in employing GPGPU programming has been transferred to the field of DF, of which, a closed-source GPGPU framework was used— Complete Unified Device Architecture (CUDA). Findings from these earlier studies have found that local storage devices from which forensic data are read present an insurmountable performance bottleneck. Aim This research hypothesises that modern storage devices no longer present a performance bottleneck to the currently used processing techniques of the field, and proposes that an open-standards GPGPU framework solution – Open Computing Language (OpenCL) – would be better suited to accelerate file carving with wider compatibility across an array of modern GPGPU hardware. This research further hypothesises that a modern multi-string searching algorithm may be better adapted to fulfil the requirements of DF investigation. Methods This research presents a review of existing research and tools used to perform file carving and acknowledges related work within the field. To test the hypothesis, parallel iv file carving software was created using C# and OpenCL, employing both a traditional string searching algorithm and a modern multi-string searching algorithm to conduct an analysis of forensic data. A set of case studies that demonstrate and evaluate potential benefits of adopting various methods in conducting string searching on forensic data are given. This research concludes with a final case study which evaluates the performance to perform file carving with the best-proposed string searching solution and compares the result with an existing file carving tool— Foremost. Results The results demonstrated from the research establish that utilising the parallelised OpenCL and Parallel Failureless Aho-Corasick (PFAC) algorithm solution demonstrates significantly greater processing improvements from the use of a single, and multiple, GPUs on modern hardware. In comparison to CPU approaches, GPGPU processing models were observed to minimised the amount of time required to search for greater amounts of patterns. Results also showed that employing PFAC also delivers significant performance increases over the BM algorithm. The method employed to read data from storage devices was also seen to have a significant effect on the time required to perform string searching and file carving. Conclusions Empirical testing shows that the proposed string searching method is believed to be more efficient than the widely-adopted Boyer-Moore algorithms when applied to string searching and performing file carving. The developed OpenCL GPGPU processing framework was found to be more efficient than CPU counterparts when searching for greater amounts of patterns within data. This research also refutes claims that file carving is solely limited by the performance of the storage device, and presents compelling evidence that performance is bound by the combination of the performance of the storage device and processing technique employed. v TABLE OF CONTENTS Declaration ........................................................................................................................................... ii Certificate of Approval .......................................................................................................................... ii Dedication............................................................................................................................................ iii ABSTRACT ............................................................................................................................................ iv List of Figures ........................................................................................................................................ x List of Tables ........................................................................................................................................ xii Definitions .......................................................................................................................................... xiii Chapter 1: INTRODUCTION ............................................................................................................ 1 1.1 Motivation .................................................................................................................................. 1 1.2 Problem ...................................................................................................................................... 2 1.3 Thesis aim ................................................................................................................................... 3 1.4 Thesis contribution ..................................................................................................................... 4 1.5 Thesis organisation ..................................................................................................................... 5 Chapter 2: BACKGROUND .............................................................................................................. 7 2.1 A historic perspective on the current state of digital forensics .................................................. 7 2.2 An introduction to the concepts of file carving ........................................................................ 11 2.3 Introduction to string searching algorithms ............................................................................. 13 2.4 Differences between CPU and GPU architecture ..................................................................... 15 2.5 Understanding OpenCL and GPGPU processing ....................................................................... 19 2.6 Related work ............................................................................................................................. 23 2.7 Chapter summary ..................................................................................................................... 27 Chapter 3: SOLUTION CONSTRUCTION AND TESTING METHODOLOGY........................................ 28 3.1 Research platform development .............................................................................................. 28 3.1.1 Technologies used ............................................................................................................ 29 vi 3.1.2 Research platform design ................................................................................................ 30 3.1.3 Research platform implementation ................................................................................. 33 3.1.4 Research platform testing ................................................................................................ 37 3.2 Algorithm choices for data analysis .........................................................................................
Recommended publications
  • BG4 White Paper

    BG4 White Paper

    Delivering Improved Performance and Power Efficiency with Next-Generation BG4 Series Client NVMe™ SSDs Advanced BG4 Series SSD Capabilities in Comparison to the BG3 Series Introduction KIOXIA introduced its fourth generation of single package ball grid array (BGA) solid-state drives (SSDs), called the BG4 Series, at the Consumer Electronics Show 2019. This new series of client NVMe™ SSDs utilize the company’s latest 96-layer BiCS FLASH™ 3D technology and is designed to fuel the future of mobile computing and IoT devices. The BG4 Series delivers better performance and larger maximum capacities than previous NVMe SSDs in this product category1, and represents one of the smallest removable drives currently available. BG4 Series SSDs include flash memory and a new controller in one encompassing 16mm x 20mm package, enabling larger amounts of flash memory to be added to smaller and thinner devices while extending battery life to improve the mobile experience. Similar to previous generations, the BG4 Series leverages the Host Memory Buffer (HMB) feature to maintain high-performance without the use of integrated DRAM (Figure 1). The feature uses a portion of host memory to manage flash memory within an SSD, and delivers similar performance as SSDs with DRAM when the feature is turned on. This cost-effective DRAM-less design has resulted in one of the world’s thinnest SSDs that delivers a heightened mobile user experience at a fraction of the power requirement when compared to other NVMe-based SSDs. DRAM DRAM CPU command CPU command PCH data PCH data HMB PCIe PCIe SSD SSD SSD Controller DRAM SSD Controller LUT LUT NAND NAND Figure 1 depicts a traditional client SSD and one with Host Memory Buffer (HMB) architecture Advanced BG4 Series SSD Capabilities in Comparison to the BG3 Series When compared to its predecessor (the BG3 Series), the BG4 Series delivers significantly faster random read performance and twice the capacity using less power.
  • Forensic Toolkit (FTK)

    Forensic Toolkit (FTK)

    Forensic Toolkit (FTK) User Guide | 1 AccessData Legal and Contact Information Document date: January 31, 2018 Legal Information ©2018 AccessData Group, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher. AccessData Group, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, AccessData Group, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, AccessData Group, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, AccessData Group, Inc. reserves the right to make changes to any and all parts of AccessData software, at any time, without any obligation to notify any person or entity of such changes. You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside. AccessData Group, Inc. 588 West 400 South Suite 350 Lindon, UT 84042 USA AccessData Trademarks and Copyright Information The following are either registered trademarks or trademarks of AccessData Group, Inc. All other trademarks are the property of their respective owners. AccessData® AD Summation® Mobile Phone Examiner Plus® AccessData Certified Examiner® (ACE®) Discovery Cracker® MPE+ Velocitor™ AD AccessData™ Distributed Network Attack® Password Recovery Toolkit® AD eDiscovery® DNA® PRTK® AD RTK™ Forensic Toolkit® (FTK®) Registry Viewer® LawDrop® Summation® | 2 A trademark symbol (®, ™, etc.) denotes an AccessData Group, Inc.
  • Improving the Efficiency of Big Forensic Data Analysis Using Nosql

    Improving the Efficiency of Big Forensic Data Analysis Using Nosql

    Improving the Efficiency of Big Forensic Data Analysis Using NoSQL Md Baitul Al Sadi Hayden Wimmer Lei Chen Kai Wang Department of Information Department of Information Department of Information Department of Computer Technology Technology Technology Science Georgia Southern University Georgia Southern University Georgia Southern University Georgia Southern University Statesboro, GA 30458, USA Statesboro, GA 30458, USA Statesboro, GA 30458, USA Statesboro, GA 30458, USA [email protected] [email protected] [email protected] [email protected] them in NoSQL (Not Only SQL) database. There is a variety of ABSTRACT tools available including Autopsy, EnCase, Foremost, FTK, The rapid growth of Internet of Things (IoT) makes the task for Registry Recon, PTK Forensics, The Sleuth Kit, The Coroner's digital forensic more difficult. At the same time, the data analyzing Toolkit, COFEE etc. to extract data from IoT devices. The technology is also developing in a feasible pace. Where traditional extracted data will be in an unstructured format, hence NoSQL is Structured Query Language (SQL) is not adequate to analyze the the best solution to analyze them. Here the document-oriented data in an unstructured and semi-structured format, Not only database program, MongoDB has been chosen to analyze the data Standard Query Language (NoSQL) unfastens the access to from Internet of Things (IoT). To our best knowledge this is pioneer analyzing the data of all format. The large volume of data of IoTs work in terms of using NoSQL and MongoDB for DF. turns into Big Data which just do not enhance the probability of attaining of evidence of an incident but make the investigation 2 BACKGROUND process more complex.
  • Performance of Android Forensics Data Recovery Tools

    Performance of Android Forensics Data Recovery Tools

    This is author accepted copy; for final version please refer to: B.C. Ogazi-Onyemaechi, Ali Dehghantanha, Kim-Kwang Raymond Choo, “Performance of Android Forensics Data Recovery Tools”, Pages 91-110, Chapter 7, (Elsevier) Contemporary Digital Forensic Investigations Of Cloud And Mobile Applications Performance of Android Forensics Data Recovery Tools Bernard Chukwuemeka Ogazi-Onyemaechi1, Ali Dehghantanha1; Kim-Kwang Raymond Choo2 1School of Computing, Science and Engineering, University of Salford, Manchester, United Kingdom 2 Information Assurance Research Group, University of South Australia, Australia [email protected]; [email protected]; [email protected] Abstract- Recovering deleted or hidden data is among most important duties of forensics investigators. Extensive utilisation of smartphones as subject, objects or tools of crime made them an important part of residual forensics. This chapter investigates the effectiveness of mobile forensic data recovery tools in recovering evidences from a Samsung Galaxy S2 i9100 Android phone. We seek to determine the amount of data that could be recovered using Phone image carver, Access data FTK, Foremost, Diskdigger, and Recover My File forensic tools. The findings reflected the difference between recovery capacities of studied tools showing their suitability in their specialised contexts only. Keywords: Data recovery, digital forensics, deleted file recovery, mobile forensics, Android forensics. 1 1.0 INTRODUCTION Smart mobile devices, particularly smartphones, are increasingly popular in today’s Internet-connected society (1–4). For example, few years ago in 2010, shipments of smartphone grew by 74 percent to 295 million units (3,4). Unsurprisingly, sales of smartphones have been increasing since then (5,6), and it has been estimated that 1.5 billion smartphones will be sold by 2017 and 1 billion mobile subscribers by 2022 (7–15).
  • Macworld’S Mresell Service

    Macworld’S Mresell Service

    iTUNES TIPS: GET TO KNOW iTUNES 12 THE WORLD’S BEST-SELLING APPLE MAGAZINE MARCH 2015 MAC TRICKS 10 AMAZING THINGS YOU DIDN’T KNOW YOUR MAC COULD DO Best iPhone games MacBook Air 14 TOP FREE GAMES FOR iOS vs Mac mini Which low-cost Mac is best for you? + 2.8GHz Mac mini NEW REVIEW Sell your iPad, iPhone, MacBook or iMac with Macworld’s mResell service Did you get a new Apple device for Christmas? Macworld would like to introduce you to mResell, an Apple-trusted site that helps you sell your old Apple products. Our service will help you get a great price in a safe and secure way. But don’t just take our word for it – get an instant, no obligation quote now. Enter your Apple serial number now: mresell.macworld.co.uk mResell.indd 126 15/12/2014 16:29 Contents MARCH 2015 7 Spotlight: David Price Apple vs Samsung 20 8 News Apple’s best ever quarter 12 Best-value Mac If you’re looking for a low-cost Mac we’ll help you choose 20 10 amazing Mac tricks Bet you didn’t know your Mac did this 24 Set up a new Mac We show you how to get started 26 10 apps for a new Mac Enhance your user experience 30 15 iTunes tips & tricks Get more out of iTunes 12 33 Mac security options 12 Four essential security tools 34 Ask the iTunes Guy We demystify artwork and wishlists 36 Apple Watch revolution Taptics, haptics and the body fantastic 38 10 fascinating Apple facts Test your Apple knowledge 39 Lessons for Apple Seven lessons Apple could learn from Microsoft 40 Group test: Smart heating 41 Tado Smart Thermostat 44 Hive Active Heating 46 Nest Learning Thermostat 54 48 Heat Genius 54 Group test: Cameras 55 Canon EOS 7D Mark II 55 Fujifilm X-T1 56 Kodak PixPro S-1 56 Nikon D810 57 Olympus OM-D E-M10 57 Panasonic Lumix DMC-GH4 40 58 Samsung NX1 58 Sony A7 Mark II MARCH 2015 MACWORLD 3 003_004 Contents MAR15.indd 3 03/02/2015 16:15 Contents 60 contact..
  • Taxonomy of Digital Forensics: Investigation Tools and Challenges

    Taxonomy of Digital Forensics: Investigation Tools and Challenges

    Taxonomy of Digital Forensics: Investigation Tools and Challenges Nikita Rana1, Gunjan Sansanwal1, Kiran Khatter1,2 and Sukhdev Singh1,2 1Department of Computer Science and Engineering Manav Rachna International University, Faridabad-121004, India 2Accendere Knowledge Management Services Pvt. Ltd., India Abstract In today’s world of computers, any kind of information can be made available within few clicks for different endeavours. The information may be tampered by changing the statistical properties and can be further used for criminal activities. These days, Cybercrimes are happening at a very large scale, and possess big threats to the security of an individual, firm, industry and even to developed countries. To combat such crimes, law enforcement agencies and investment institutions are incorporating supportive examination policies, procedures and protocols to address the complete investigation process. The paper entails a detailed review of several cybercrimes followed by various digital forensics processes involved in the cybercrime investigation. Further various digital forensics tools with detail explanation are discussed with their advantages, disadvantages, challenges, and drawbacks. A comparison among all the selected tools is also presented. Finally the paper recommends the need of training programs for the first responder and judgement of signature based image authentication. 1. INTRODUCTION Computer is a masterpiece made by the human race that has made our lives smooth and effortless. Computers have become the very bedrock of today’s technological environment and we use them in almost every aspect of our customary life. They are everywhere from shopping, banking to school and hospitals, even our own homes. Businesses depend on these devices and the Internet to do their daily transactions, marketing and communications across the globe and given to our desideratum to have the best of everything it has seen noteworthy diversifications.
  • A Comparison of Computer Forensic Tools: an Open-Source Evaluation

    A Comparison of Computer Forensic Tools: an Open-Source Evaluation

    A Comparison of Computer Forensic Tools: An Open-Source Evaluation Adam Cervellone, B.S., Graduate Student, Marshall University Forensic Science Center, 1401 Forensic Science Drive, Huntington, WV 25701 901725850 Agency Supervisor-Robert Price Jr., M.S., Forensic Scientist I, North Carolina State Crime Laboratory, 121 E. Tryon Road, Raleigh NC 27601 Technical Assistant- Joshua Brunty, M.S., Marshall University Forensic Science Center, 1401 Forensic Science Drive, Huntington, WV, 25701 MU Topic Advisor-Terry Fenger, Ph.D., Marshall University Forensic Science Center, 1401 Forensic Science Drive, Huntington, WV, 25701 Cervellone 1 of 30 Abstract The world of digital forensics is an ever-evolving field with multiple tools for analysis from which to choose. Many of these tools have very focused functions such as Mac and iOS device analysis, registry examination, steganography analysis, mobile device examination, password recovery and countless others. Other tools are full featured suites capable of analyzing a large case containing multiple items. The major problem with many of these tools is cost. While they may be robust, they may not be affordable for a smaller lab that wants to do digital forensics. This research focuses on industry standard forensic software such as: Guidance Software® EnCase® Forensic 6, AccessData® FTK® (Forensic Toolkit) 5, as well as SANS SIFT Workstation 3.0. The SIFT Workstation is a freely available open-source processing environment that contains multiple tools with similar functionality to EnCase® and FTK®. This study evaluates the processing and analysis capabilities of each tool. In addition to processing functionality, a simple cost analysis study was done. The latter portion of the research displayed how much a lab may have to spend to get a single examiner fully on-line with each tool.
  • Computer Forensics

    Computer Forensics

    Lukas Limacher Department of Computer Science, ETH Zurich¨ Computer Forensics September 25, 2014 Contents 9 Computer Forensics ............................................ 1 9.1 Objectives...................................... ........... 1 9.2 Introduction.................................... ........... 2 9.2.1 IncidentResponse .............................. ..... 2 9.2.2 ComputerForensics............................. ..... 5 9.3 ThenewVirtualMachine:Charlie.................... ......... 7 9.4 Collection...................................... ........... 8 9.4.1 LiveDataCollection ............................ ..... 8 9.4.2 ForensicDuplication ........................... ...... 8 9.5 FileSystemAnalysis .............................. ......... 11 9.5.1 FileSystemAbstractionModel.................... ..... 11 9.5.2 LinuxFileSystem:Ext3 .......................... .... 12 9.5.3 Carving ....................................... ..... 19 9.5.4 FileSlack..................................... ...... 22 9.6 Application/OS Analysis,File Analysis ............. .......... 23 9.6.1 LinuxArtifacts ................................ ...... 23 9.6.2 FileAnalysis.................................. ...... 27 9.7 Internet-relatedArtifacts....................... .............. 30 9.7.1 InternetArtifacts............................. ........ 30 9.7.2 FirefoxBrowserArtifacts ....................... ...... 30 9.8 CounterForensics ................................ .......... 35 9.8.1 TraditionalCounterForensics................... ....... 35 9.8.2 DataHidingApproaches
  • Recovering Deleted Files from NTFS

    Recovering Deleted Files from NTFS

    International Journal of Science and Research (IJSR) ISSN (Online): 2319-7064 Index Copernicus Value (2013): 6.14 | Impact Factor (2015): 6.391 Recovering Deleted Files from NTFS Rincy Roy Oommen1, Princy Sugathan2 1, 2Cochin University of Science and Technology, College of Engineering Kallooppara, Kerala, India Abstract: Recovering lost and deleted information is one of the main part in Digital Forensics. Data recovery is a process which finds and recovers data, in which there may be some risks happens, for no all situations can be defined or arranged previously. Data recovery also retrieves lost, deleted, unusable or inaccessible data that lost for various reasons. In computer forensics, the main source of evidence is the data which is stored in the file. The file system is used to manage all files present on the disk. A suspect can remove evidence by deleting evidence containing files. So, it is important for forensic investigator to get back the deleted evidences. This paper described the structure of the NTFS file system and proposed a method to recover deleted files from the system by analysing the MFT entry and also detects the directory from which the file was deleted. Keywords: Forensics, Data Recovery, File System, NTFS, MFT Entry 1. Introduction the NTFS volume is a file and everything in a file is designed as an attribute, from the data attribute to the file name A file system is used as the methods and data structures that attribute through the security attribute. The following figure an operating system uses to keep track of files on a disk or illustrates the NTFS volume layout when formatting has partition.
  • Forensic Tool Comparison

    Forensic Tool Comparison

    Tool Comparison Team Lead: Megh Shah Researched by: David Paradise 175 Lakeside Ave, Room 300A Phone: 802/865-5744 Fax: 802/865-6446 http://www.lcdi.champlin.edu Published Date Disclaimer: Patrick Leahy Center for Digital Investigation (LCDI) This document contains information based on research that has been gathered by employee(s) of The Senator Patrick Leahy Center for Digital Investigation (LCDI). The data contained in this project is submitted voluntarily and is unaudited. Every effort has been made by LCDI to assure the accuracy and reliability of the data contained in this report. However, LCDI nor any of our employees make no representation, warranty or guarantee in connection with this report and hereby expressly disclaims any liability or responsibility for loss or damage resulting from use of this data. Information in this report can be downloaded and redistributed by any person or persons. Any redistribution must maintain the LCDI logo and any references from this report must be properly annotated. Contents Introduction ............................................................................................................................................................................. 2 Background: ........................................................................................................................................................................ 2 Purpose and Scope: ............................................................................................................................................................
  • Intel® Optane™ Client Solid State Drive Evaluation Guide

    Intel® Optane™ Client Solid State Drive Evaluation Guide

    Intel® Optane™ Solid State Drives for Client Evaluation Guide January 2018 Order Number: 336631-002US Intel® Optane™ Solid State Drive Products Ordering Information Contact your local Intel sales representative for ordering information. Revision History Revision Number Description Revision Date 001 Initial release October 2017 002 Generalized document from 900P-specific, minor updates, added Appendix D January 2018 Tests document performance of components on a particular test, in specific systems. Differences in hardware, software, or configuration will affect actual performance. Consult other sources of information to evaluate performance as you consider your purchase. Results have been estimated based on internal Intel analysis and are provided for informational purposes only. Any difference in system hardware or software design or configuration may affect actual performance. All documented performance test results are obtained in compliance with JESD218 Standards; refer to individual sub-sections within this document for specific methodologies. See www.jedec.org for detailed definitions of JESD218 Standards. Intel does not control or audit the design or implementation of third party benchmark data or Web sites referenced in this document. Intel encourages all of its customers to visit the referenced Web sites or others where similar performance benchmark data are reported and confirm whether the referenced benchmark data are accurate and reflect performance of systems available for purchase. The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order.
  • The Analysis of File Carving Process Using Photorec and Foremost

    The Analysis of File Carving Process Using Photorec and Foremost

    The Analysis of File Carving Process Using Photorec and Foremost Nurhayati, Nurul Fikri Department of Informatics Engineering, Faculty of Science and Technology Syarif Hidayatullah State Islamic University Jakarta Jl.Ir.H.Juanda No.95 Ciputat 15412 Jakarta-Indonesia [email protected], [email protected] Abstract— Rapid development of computer is followed by multiplatform, making it is easy to run and does not require development of digital storage device. One common problem of configuration. PhotoRec possesses carving by examining digital storage device is data loss. The problem of data loss could every existing blocks on the storage media. Meanwhile, be solved by using file carving techniques, for example. File Foremost based on Linux, can only be used on Linux and carving techniques could be performed using carving tools, such requires a configuration in the process of carving. Foremost do as PhotoRec and Foremost. This research was conducted to know the carving process by finding a header and footer files. and to compare performance of carving process from PhotoRec PhotoRec and Foremost will be used in research to restore and Foremost based on three parameters, which are the number files with various types: jpg, png, bmp, and tif, and of return files, file validation, and the rate of process. The multimedia files such as audio and video such as wav, mp3, research used simulation methods. The process of file validation wma, mp4, mkv, avi and flv. uses hash algorithm SHA1 to make sure the similarity between original and return files. The result of this research shown with Based on the explanation above, research titled "Analysis table that PhotoRec has a higher performance than Foremost.