DOCSLIB.ORG

The Analysis of File Carving Process Using Photorec and Foremost

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The Analysis of File Carving Process Using Photorec and Foremost The Analysis of File Carving Process Using Photorec and Foremost Nurhayati, Nurul Fikri Department of Informatics Engineering, Faculty of Science and Technology Syarif Hidayatullah State Islamic University Jakarta Jl.Ir.H.Juanda No.95 Ciputat 15412 Jakarta-Indonesia [email protected], [email protected] Abstract— Rapid development of computer is followed by multiplatform, making it is easy to run and does not require development of digital storage device. One common problem of configuration. PhotoRec possesses carving by examining digital storage device is data loss. The problem of data loss could every existing blocks on the storage media. Meanwhile, be solved by using file carving techniques, for example. File Foremost based on Linux, can only be used on Linux and carving techniques could be performed using carving tools, such requires a configuration in the process of carving. Foremost do as PhotoRec and Foremost. This research was conducted to know the carving process by finding a header and footer files. and to compare performance of carving process from PhotoRec PhotoRec and Foremost will be used in research to restore and Foremost based on three parameters, which are the number files with various types: jpg, png, bmp, and tif, and of return files, file validation, and the rate of process. The multimedia files such as audio and video such as wav, mp3, research used simulation methods. The process of file validation wma, mp4, mkv, avi and flv. uses hash algorithm SHA1 to make sure the similarity between original and return files. The result of this research shown with Based on the explanation above, research titled "Analysis table that PhotoRec has a higher performance than Foremost. of File Carving Process Using PhotoRec and Foremost" has PhotoRec have return files less than Foremost, but PhotoRec has been done and expected to be a reference for further a higher percentage of valid files than Foremost. Additionally, development of carving tools. In addition, this research is also the rate of carving file process done by PhotoRec is higher than expected to be a reference to choose a carving tool and to give Foremost. Finally, the research reaches the conclusion that knowledge to people about the technique of returning data PhotoRec is better than Foremost. loss. Keywords— File carving, PhotoRec, Foremost, SHA1, Hash Algorithm, disk image II. RELATED WORK Data loss [7] can occur due to various causes, among I. INTRODUCTION which is a virus, human error, hardware malfunction or a Technological development is followed by the system error. Data loss can occur in a variety of files, like development of digital storage media. Digital storage media documents, photos, and email. Based on a survey by statistic cannot be spared from a problem such as data loss [7]. The (2015), digital data that is missing mostly are data in the form data loss occurs due to many factors, which are the virus, of videos and photos [9, 16]. hardware malfunction, software malfunctions and corrupt. To Data loss can be overcome by using one of the methods in overcome this, a method to restore data which is called file computer forensics which is called file carving [8,13]. Carving carving used [3, 14]. file is an important aspect of computer forensics and has a There are various carving tools which have their respective major impact on computer forensics because it adds the advantages, among which are PhotoRec, Foremost, Scalpel, flexibility to retrieve stored information from the underlying EnCase, FTK, and Adroit Photo Forensics [4]. Regardless of file system [12]. There are several carving tools that can be the level of sophistication, the performance of each carving used for computer forensics. The simplest carving tool works tools are different. This was caused by differences in methods by finding the header and footer. A more sophisticated carving and configurations used by the carving tools itself. There are tool performs validation before the file is stored into disk, three parameters that are commonly used by forensic called validating file carvers. Meanwhile, the most advanced practitioners in assessing the performance of a carving tool: carving tool can collect back fragmented files called the percentage of the return file, correctness and reliability of fragmented file recovery [5]. the results provided by the tool, as well as the speed in the Byeongyeong do research return of multimedia files that carving process [1, 10]. are in a compressed state but only 3 types of multimedia files This research used PhotoRec and Foremost as carving tool used are AVI, WAV, and MP3 [17]. Meanwhile, Al Jumah in the process of file carving. PhotoRec has been selected for watched the results of carving coming from disk image and an application that can be run in different OS or called disk drive. The study was conducted to determine whether there are differences in carving results between disk image and disk drive [6, 15, 2]. Imagin Carvin The method of carving file can restore data loss. However, g g reference [10, 14] stated that new problems arise with no Proces Proces many carving tools available, such as not knowing the s s capabilities and limits on the carving tools so it is not effective (Fore to restore the data. Based on the explanation above, this study performed most) analysis file carving using PhotoRec and Foremost. The study aims to determine the performance of the process of carving. The criteria to be used in the form of speed file analysis carving carving process, the number of returned files and validation of returned files. III. PROPOSED SOLUTION This study uses a simulation, the simulation method consists of several stages as follows: Fig 2. Process of carving through the disk drive A. Conceptual Model There are two concepts in this research: the process of The components in each architecture is as follows: carving through the disk drives directly and the process of 1. Storage Device carving through the disk image [11]. Storage device or storage medium is used as input. The author uses a storage medium a Toshiba 16GB flash drive in this study. The flash provides a wide range of image files and multimedia, such as video and audio. This study is conditioning the flash in a state of formatted files contained has not been affected or overwritten by other files, so returning data using carving technique could be performed. 2. Imaging Imaging is used to create clones of the storage media in the form of an image. Making the image will be performed using dc3dd. The formation of this imaging will generate a file ends in .img, .dd, or.raw. The author uses imaging to the process of carving using PhotoRec and Foremost. 3. Carving Tools Carving tool is a tool used to restore data. This study used two carving tool, PhotoRec and Foremost. Each carving tools have different configurations. Using one same tool, can also be obtained different results because of the differences in the Fig 1. The proces of carving through the disk image configuration used. Therefore, the present study analyzes the performance of the process of carving using several parameters, namely speed carving process, the number of files that are returned and the validity of the return files. 4. Output/ Carving Result Once the carving process has finished, there would be found a folder containing the files from the original ones. The folder has been initially inaccessible and afterwards it is obtainable. They caused the folder to change the order. Finally, the folder can be read, written and executed. 5. Validation Finally, the results of carving, validation is performed to check is the file correct. It means the file is same from original. The checking is done by comparing the original file with the accordance with the provisions of the conceptual model, the previous file. The author uses a simple shell script SHA1 hash output of input data and modelling. function algorithm for comparing a hash value of the original file with the return file. Based on the validation results F. Experimentation obtained, can be determined whether the file is correct or not by comparing a hash value between the previous file with the After PhotoRec and Foremost installed on Ubuntu, then file carving. the process will be conducted in accordance with the file returns simulation concepts and models that have been described previously. After the carving process is completed B. Input / Output Data and then will do the validation process using the shell script Based on the results obtained at the time of formulating the file that was created. Validation is done by comparing the hash problem, it can be found that one of the most frequently value of the original file with the file back. missing files are photos and video. Therefore, the present study determines some photos and video files that have a G. Output Analysis format is different, such as the three pieces of the file type bmp, jpg, mkv, mp3, png, tif, avi, flv, mp4, wav, wma. Analysis of the results obtained after completion of Overall, the total number of files to be restored is 33 files. running all the scenarios that will be discussed in the next chapter. C. Modelling Making the scenarios that will be used for the simulation process. In this study, there are eight scenarios, each of the IV. ANALYSIS AND SIMULATION RESULT four scenarios process of carving through the disk image and the fourth scenario carving process through direct disk drive. A. Simulation 1 Each scenario will be put through the process of carving using Experiments conducted in each scenario aims to get the PhotoRec and Foremost and will be conducted in three average value of each scenario designed.
Load more

Recommended publications
  • Imagemounter Documentation Release 1.5.1
    imagemounter Documentation Release 1.5.1 Ralph Broenink, Peter Wagenaar December 11, 2016 Contents 1 Contents 3 1.1 Installation................................................3 1.2 Command-line usage...........................................4 1.3 Python interface.............................................7 1.4 File and volume system specifics.................................... 18 1.5 Release notes............................................... 22 Python Module Index 31 i ii imagemounter Documentation, Release 1.5.1 imagemounter is a command-line utility and Python package to ease the mounting and unmounting of EnCase, Affuse, vmdk and dd disk images (and other formats supported by supported tools). It supports mounting disk images using xmount (with optional RW cache), affuse, ewfmount and vmware-mount; detecting DOS, BSD, Sun, Mac and GPT volume systems; mounting FAT, Ext, XFS UFS, HFS+, LUKS and NTFS volumes, in addition to some less known filesystems; detecting (nested) LVM volume systems and mounting its subvolumes; and reconstructing Linux Software RAID arrays. In its default mode, imagemounter will try to start mounting the base image on a temporary mount point, detect the volume system and then mount each volume seperately. If it fails finding a volume system, it will try to mount the entire image as a whole if it succeeds in detecting what it actually is. Note: Not all combinations of file and volume systems have been tested. If you encounter an issue, please try to change some of your arguments first, before creating a new GitHub
    [Show full text]
  • Forensic Toolkit (FTK)
    Forensic Toolkit (FTK) User Guide | 1 AccessData Legal and Contact Information Document date: January 31, 2018 Legal Information ©2018 AccessData Group, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the publisher. AccessData Group, Inc. makes no representations or warranties with respect to the contents or use of this documentation, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, AccessData Group, Inc. reserves the right to revise this publication and to make changes to its content, at any time, without obligation to notify any person or entity of such revisions or changes. Further, AccessData Group, Inc. makes no representations or warranties with respect to any software, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, AccessData Group, Inc. reserves the right to make changes to any and all parts of AccessData software, at any time, without any obligation to notify any person or entity of such changes. You may not export or re-export this product in violation of any applicable laws or regulations including, without limitation, U.S. export regulations or the laws of the country in which you reside. AccessData Group, Inc. 588 West 400 South Suite 350 Lindon, UT 84042 USA AccessData Trademarks and Copyright Information The following are either registered trademarks or trademarks of AccessData Group, Inc. All other trademarks are the property of their respective owners. AccessData® AD Summation® Mobile Phone Examiner Plus® AccessData Certified Examiner® (ACE®) Discovery Cracker® MPE+ Velocitor™ AD AccessData™ Distributed Network Attack® Password Recovery Toolkit® AD eDiscovery® DNA® PRTK® AD RTK™ Forensic Toolkit® (FTK®) Registry Viewer® LawDrop® Summation® | 2 A trademark symbol (®, ™, etc.) denotes an AccessData Group, Inc.
    [Show full text]
  • Improving the Efficiency of Big Forensic Data Analysis Using Nosql
    Improving the Efficiency of Big Forensic Data Analysis Using NoSQL Md Baitul Al Sadi Hayden Wimmer Lei Chen Kai Wang Department of Information Department of Information Department of Information Department of Computer Technology Technology Technology Science Georgia Southern University Georgia Southern University Georgia Southern University Georgia Southern University Statesboro, GA 30458, USA Statesboro, GA 30458, USA Statesboro, GA 30458, USA Statesboro, GA 30458, USA [email protected] [email protected] [email protected] [email protected] them in NoSQL (Not Only SQL) database. There is a variety of ABSTRACT tools available including Autopsy, EnCase, Foremost, FTK, The rapid growth of Internet of Things (IoT) makes the task for Registry Recon, PTK Forensics, The Sleuth Kit, The Coroner's digital forensic more difficult. At the same time, the data analyzing Toolkit, COFEE etc. to extract data from IoT devices. The technology is also developing in a feasible pace. Where traditional extracted data will be in an unstructured format, hence NoSQL is Structured Query Language (SQL) is not adequate to analyze the the best solution to analyze them. Here the document-oriented data in an unstructured and semi-structured format, Not only database program, MongoDB has been chosen to analyze the data Standard Query Language (NoSQL) unfastens the access to from Internet of Things (IoT). To our best knowledge this is pioneer analyzing the data of all format. The large volume of data of IoTs work in terms of using NoSQL and MongoDB for DF. turns into Big Data which just do not enhance the probability of attaining of evidence of an incident but make the investigation 2 BACKGROUND process more complex.
    [Show full text]
  • Performance of Android Forensics Data Recovery Tools
    This is author accepted copy; for final version please refer to: B.C. Ogazi-Onyemaechi, Ali Dehghantanha, Kim-Kwang Raymond Choo, “Performance of Android Forensics Data Recovery Tools”, Pages 91-110, Chapter 7, (Elsevier) Contemporary Digital Forensic Investigations Of Cloud And Mobile Applications Performance of Android Forensics Data Recovery Tools Bernard Chukwuemeka Ogazi-Onyemaechi1, Ali Dehghantanha1; Kim-Kwang Raymond Choo2 1School of Computing, Science and Engineering, University of Salford, Manchester, United Kingdom 2 Information Assurance Research Group, University of South Australia, Australia [email protected]; [email protected]; [email protected] Abstract- Recovering deleted or hidden data is among most important duties of forensics investigators. Extensive utilisation of smartphones as subject, objects or tools of crime made them an important part of residual forensics. This chapter investigates the effectiveness of mobile forensic data recovery tools in recovering evidences from a Samsung Galaxy S2 i9100 Android phone. We seek to determine the amount of data that could be recovered using Phone image carver, Access data FTK, Foremost, Diskdigger, and Recover My File forensic tools. The findings reflected the difference between recovery capacities of studied tools showing their suitability in their specialised contexts only. Keywords: Data recovery, digital forensics, deleted file recovery, mobile forensics, Android forensics. 1 1.0 INTRODUCTION Smart mobile devices, particularly smartphones, are increasingly popular in today’s Internet-connected society (1–4). For example, few years ago in 2010, shipments of smartphone grew by 74 percent to 295 million units (3,4). Unsurprisingly, sales of smartphones have been increasing since then (5,6), and it has been estimated that 1.5 billion smartphones will be sold by 2017 and 1 billion mobile subscribers by 2022 (7–15).
    [Show full text]
  • Creating Highly Specialized Fragmented File System Data Sets
    CREATING HIGHLY SPECIALIZED FRAGMENTED FILE SYSTEM DATA SETS FOR FORENSIC RESEARCH A Thesis Presented in Partial Fulfillment of the Requirements for the Degree of Master of Science with a Major in Computer Science in the College of Graduate Studies at University of Idaho by Douglas Drobny May 2014 Major Professor: Jim Alves-Foss, Ph.D. ii AUTHORIZATION TO SUBMIT THESIS This thesis of Douglas Drobny, submitted for the degree of Master of Science with a Major in Computer Science and titled \Creating Highly Specialized Fragmented File System Data Sets for Forensic Research", has been reviewed in final form. Permission, as indicated by the signatures and dates given below, is now granted to submit final copies to the College of Graduate Studies for approval. Major Professor Date Dr. Jim Alves-Foss Committee members Date Dr. Paul Oman Date Dr. Marty Ytreberg Computer Science Department Administrator Date Dr. Gregory Donohoe Discipline's College Dean, College of Engineering Date Dr. Larry Stauffer Final Approval and Acceptance by the College of Graduate Studies Date Dr. Jie Chen iii ABSTRACT File forensic tools examine the contents of a system's disk storage to analyze files, detect infections, examine account usages and extract information that the system's operating system cannot or does not provide. In cases where the file system is not available, or information is believed to be outside of the file system, a file carver can be used to extract files. File carving is the process of extracting information from an entire disk without metadata. This thesis looks at the effects of file fragmentation on forensic file carvers.
    [Show full text]
  • Testdisk Step by Step
    TestDisk Step By Step Jump to: navigation, search More Sharing Services Share Share on facebookShare on twitter Share on linkedinShare on tumblrShare on stumbleuponShare on redditShare on email This recovery example guides you through TestDisk step by step to recover a missing partition and repair a corrupted one. After reading this tutorial, you should be ready to recover your own data. Translations of this TestDisk manual to other languages are welcome. Contents 1 Example problem 2 Symptoms 3 Running TestDisk executable 4 Log creation 5 Disk selection 6 Partition table type selection 7 Current partition table status 8 Quick Search for partitions 9 Save the partition table or search for more partitions? 10 A partition is still missing: Deeper Search 11 Partition table recovery 12 NTFS Boot sector recovery 13 Recover deleted files Example problem We have a 36GB hard disk containing 3 partitions. Unfortunately; the boot sector of the primary NTFS partition has been damaged, and a logical NTFS partition has been accidentally deleted. This recovery example guides you through TestDisk, step by step, to recover these 'lost' partitions by: rewriting the corrupted NTFS boot sector, and recovering the accidentally deleted logical NTFS partition. Recovery of a FAT32 partition (instead of an NTFS partition) can be accomplished by following exactly the same steps. Other recovery examples are also available. For Information about FAT12, FAT16, ext2/ext3, HFS+, ReiserFS and other partition types, read Running the TestDisk Program. One condition: TestDisk must be executed with Administrator privileges. Important points for using TestDisk: To navigate in TestDisk, use the Arrow and PageUp/PageDown keys.
    [Show full text]
  • Taxonomy of Digital Forensics: Investigation Tools and Challenges
    Taxonomy of Digital Forensics: Investigation Tools and Challenges Nikita Rana1, Gunjan Sansanwal1, Kiran Khatter1,2 and Sukhdev Singh1,2 1Department of Computer Science and Engineering Manav Rachna International University, Faridabad-121004, India 2Accendere Knowledge Management Services Pvt. Ltd., India Abstract In today’s world of computers, any kind of information can be made available within few clicks for different endeavours. The information may be tampered by changing the statistical properties and can be further used for criminal activities. These days, Cybercrimes are happening at a very large scale, and possess big threats to the security of an individual, firm, industry and even to developed countries. To combat such crimes, law enforcement agencies and investment institutions are incorporating supportive examination policies, procedures and protocols to address the complete investigation process. The paper entails a detailed review of several cybercrimes followed by various digital forensics processes involved in the cybercrime investigation. Further various digital forensics tools with detail explanation are discussed with their advantages, disadvantages, challenges, and drawbacks. A comparison among all the selected tools is also presented. Finally the paper recommends the need of training programs for the first responder and judgement of signature based image authentication. 1. INTRODUCTION Computer is a masterpiece made by the human race that has made our lives smooth and effortless. Computers have become the very bedrock of today’s technological environment and we use them in almost every aspect of our customary life. They are everywhere from shopping, banking to school and hospitals, even our own homes. Businesses depend on these devices and the Internet to do their daily transactions, marketing and communications across the globe and given to our desideratum to have the best of everything it has seen noteworthy diversifications.
    [Show full text]
  • A Comparison of Computer Forensic Tools: an Open-Source Evaluation
    A Comparison of Computer Forensic Tools: An Open-Source Evaluation Adam Cervellone, B.S., Graduate Student, Marshall University Forensic Science Center, 1401 Forensic Science Drive, Huntington, WV 25701 901725850 Agency Supervisor-Robert Price Jr., M.S., Forensic Scientist I, North Carolina State Crime Laboratory, 121 E. Tryon Road, Raleigh NC 27601 Technical Assistant- Joshua Brunty, M.S., Marshall University Forensic Science Center, 1401 Forensic Science Drive, Huntington, WV, 25701 MU Topic Advisor-Terry Fenger, Ph.D., Marshall University Forensic Science Center, 1401 Forensic Science Drive, Huntington, WV, 25701 Cervellone 1 of 30 Abstract The world of digital forensics is an ever-evolving field with multiple tools for analysis from which to choose. Many of these tools have very focused functions such as Mac and iOS device analysis, registry examination, steganography analysis, mobile device examination, password recovery and countless others. Other tools are full featured suites capable of analyzing a large case containing multiple items. The major problem with many of these tools is cost. While they may be robust, they may not be affordable for a smaller lab that wants to do digital forensics. This research focuses on industry standard forensic software such as: Guidance Software® EnCase® Forensic 6, AccessData® FTK® (Forensic Toolkit) 5, as well as SANS SIFT Workstation 3.0. The SIFT Workstation is a freely available open-source processing environment that contains multiple tools with similar functionality to EnCase® and FTK®. This study evaluates the processing and analysis capabilities of each tool. In addition to processing functionality, a simple cost analysis study was done. The latter portion of the research displayed how much a lab may have to spend to get a single examiner fully on-line with each tool.
    [Show full text]
  • GNU MANUALINUX 6.8 This (Manual) Is Free and Is Realized Also with Collaboration of Others Passionated (THANKS !!!)
    Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation. A copy of the license is included in the section entitled "GNU Free Documentation License". Copyright (c) 2001-2008 Cristiano Macaluso (aka Panther) E' garantito il permesso di copiare, distribuire e/o modificare questo documento seguendo i termini della Licenza per Documentazione Libera GNU, Versione 1.2 o ogni versione successiva pubblicata dalla Free Software Foundation. Una copia della licenza è acclusa in fondo al documento nella sezione intitolata "GNU Free Documentation License". GNU MANUALINUX 6.8 This (Manual) is free and is realized also with collaboration of others passionated (THANKS !!!). Last update on October 6 2008 version: 6.8 Manualinux Homepage: http://www.manualinux.com http://www.manualinux.it http://www.manualinux.eu http://www.manualinux.in http://www.manualinux.cn http://www.manualinux.org http://www.manualinux.net http://www.manualinux.tk DO YOU WANT TO MODIFY OR INSERT OTHER ARTICLES ? WRITE ME ! EMAIL: [email protected] (Cristiano Macaluso). NEWS OF THE VERSION 6.8 Modified 38b)INSTALL SLAX ON HARD-DISK AND ON USB STICK Modified 3c)CREATE AND BURN CD AND DVD MENU' Page a)COMMANDS 2 b)UTILITY 2 c)PROGRAMS 3 d)KERNEL 4 e)NETWORKING 4 f)OTHER 5 GNU Free Documentation License 151 DO YOU WANT ADD / MODIFY OTHER ARGUMENTS ??? WRITE ME !!! 1 COMMANDS Page 1a)COMMON COMMANDS TO MOVE FIRST STEPS ON LINUX 5 2a)DIFFERENT COMMANDS
    [Show full text]
  • Computer Forensics
    Lukas Limacher Department of Computer Science, ETH Zurich¨ Computer Forensics September 25, 2014 Contents 9 Computer Forensics ............................................ 1 9.1 Objectives...................................... ........... 1 9.2 Introduction.................................... ........... 2 9.2.1 IncidentResponse .............................. ..... 2 9.2.2 ComputerForensics............................. ..... 5 9.3 ThenewVirtualMachine:Charlie.................... ......... 7 9.4 Collection...................................... ........... 8 9.4.1 LiveDataCollection ............................ ..... 8 9.4.2 ForensicDuplication ........................... ...... 8 9.5 FileSystemAnalysis .............................. ......... 11 9.5.1 FileSystemAbstractionModel.................... ..... 11 9.5.2 LinuxFileSystem:Ext3 .......................... .... 12 9.5.3 Carving ....................................... ..... 19 9.5.4 FileSlack..................................... ...... 22 9.6 Application/OS Analysis,File Analysis ............. .......... 23 9.6.1 LinuxArtifacts ................................ ...... 23 9.6.2 FileAnalysis.................................. ...... 27 9.7 Internet-relatedArtifacts....................... .............. 30 9.7.1 InternetArtifacts............................. ........ 30 9.7.2 FirefoxBrowserArtifacts ....................... ...... 30 9.8 CounterForensics ................................ .......... 35 9.8.1 TraditionalCounterForensics................... ....... 35 9.8.2 DataHidingApproaches
    [Show full text]
  • Accelerating Digital Forensic Searching Through Gpgpu Parallel Processing Techniques
    ACCELERATING DIGITAL FORENSIC SEARCHING THROUGH GPGPU PARALLEL PROCESSING TECHNIQUES A thesis submitted for the degree of Doctor of Philosophy (PhD) by Ethan Bayne School of Design and Informatics, Abertay University. February 2017 Declaration Candidate’s declarations: I, Ethan Bayne, hereby certify that this thesis submitted in partial fulfilment of the requirements for the award of Doctor of Philosophy (PhD), Abertay University, is wholly my own work unless otherwise referenced or acknowledged. This work has not been submitted for any other qualification at any other academic institution. Signed ……………………………………………………………………… Date…………………………………………………………………………. Supervisor’s declaration: I, Robert Ian Ferguson, hereby certify that the candidate has fulfilled the conditions of the Resolution and Regulations appropriate for the degree of Doctor of Philosophy (PhD) in Abertay University and that the candidate is qualified to submit this thesis in application for that degree. Signed ……………………………………………………………………… Date…………………………………………………………………………. Certificate of Approval I certify that this is a true and accurate version of the thesis approved by the examiners, and that all relevant ordinance regulations have been fulfilled. Supervisor…………………………………………………………………. Date………………………………………………………………………… ii Dedication I would like to thank my supervisors – Dr Robert Ian Ferguson and Dr Adam Sampson – for the countless conversations around the different aspects of this research. Their timely encouragement and suggestions have aided in achieving successes beyond anything we expected at the beginning of this investigation. A notable mention goes to Dr Lynsay Shepherd and Dr Gavin Hales. Their friendship (and “bants”) in the department against the dark arts office has kept me sane for the duration of my PhD studies. This work is dedicated to my mum and dad for their continued love and support, without it, this research would have been impossible to accomplish.
    [Show full text]
  • Recovering Deleted Files from NTFS
    International Journal of Science and Research (IJSR) ISSN (Online): 2319-7064 Index Copernicus Value (2013): 6.14 | Impact Factor (2015): 6.391 Recovering Deleted Files from NTFS Rincy Roy Oommen1, Princy Sugathan2 1, 2Cochin University of Science and Technology, College of Engineering Kallooppara, Kerala, India Abstract: Recovering lost and deleted information is one of the main part in Digital Forensics. Data recovery is a process which finds and recovers data, in which there may be some risks happens, for no all situations can be defined or arranged previously. Data recovery also retrieves lost, deleted, unusable or inaccessible data that lost for various reasons. In computer forensics, the main source of evidence is the data which is stored in the file. The file system is used to manage all files present on the disk. A suspect can remove evidence by deleting evidence containing files. So, it is important for forensic investigator to get back the deleted evidences. This paper described the structure of the NTFS file system and proposed a method to recover deleted files from the system by analysing the MFT entry and also detects the directory from which the file was deleted. Keywords: Forensics, Data Recovery, File System, NTFS, MFT Entry 1. Introduction the NTFS volume is a file and everything in a file is designed as an attribute, from the data attribute to the file name A file system is used as the methods and data structures that attribute through the security attribute. The following figure an operating system uses to keep track of files on a disk or illustrates the NTFS volume layout when formatting has partition.
    [Show full text]