© 2018 IJRAR January 2019, Volume 06, Issue 1 www.ijrar.org (E-ISSN 2348-1269, P- ISSN 2349-5138)

A COMPARATIVE STUDY OF THREE OPEN SOURCE ’S FOR FROM FLASH DRIVES

1 Mayank Katiyar, 2 Saba Rashid, 3 Anu Singla
1 M.Sc. Forensic Science, 2 Research Scholar, 3 Associate Professor
1 Dr. A. P. J. Abdul Kalam Institute of Forensic Science and Criminology
1 Bundelkhand University, Jhansi, Uttar Pradesh, India

Abstract: Forensic analysis is the discipline of discovering, examining and interpreting evidence in support of law enforcement, regulatory compliance or information gathering. Digital forensics is a branch of forensic science that deals with digital artifacts such as personal computers, laptops, SD cards, flash drives, hard disks etc. encountered at the scene of a crime, which may offer crucial clues or evidence regarding the victim, the offender, the intent of the crime or the modus operandi of the offender. Owing to the ubiquitous use of flash drives, these have become increasingly important digital evidence. The recovery of digital traces from these artifacts therefore remains forensically significant for digital investigation, by adopting practical procedures and practices for recovering intentionally deleted data. Open source tools that perform distinct functions were rapidly developed and disseminated in academia as well as in other fields of interest, and these individual functions were eventually consolidated into larger analysis suites. These open source tools can be graphical user interface based programs or command line based programs that support an analyst in exploring and examining the data on a hard drive.

IndexTerms - Data recovery, Flash drives, Digital Forensic, Recuva.

I. INTRODUCTION

Digital or computer forensics tools play a pivotal role in producing reliable computer analysis and digital evidence collection to serve an array of legal and technical purposes. These tools are often employed to conduct investigations of computer crimes by finding evidence that can be used in a court of law. In addition to criminal investigation, the same tools are employed for maintenance, debugging and data recovery. Digital forensics is rapidly growing into a substantial part of computer investigations all over the globe, used by both law enforcement and private sector investigators [1]. Data recovery is the process of salvaging, restoring or saving data that has been hidden, corrupted, formatted, unwittingly or intentionally deleted, or made inaccessible, from secondary storage, removable media or files, when the data saved in them cannot be accessed in the normal way. In the forensic context, the term ‘data recovery’ refers to cases where data that has been encrypted or concealed, rather than damaged, is recovered. Sometimes data on a computer gets encrypted or hidden for reasons such as a virus attack, and can only be recovered by some computer forensic experts [2]. The data is generally salvaged from storage media such as hard disks (internal/external), USB flash drives, magnetic tapes, CDs, DVDs etc. A USB (Universal Serial Bus) flash drive, also variously known as a thumb drive, flash drives, flash stick, jump drive, flash-drive, stick or USB memory, is a data storage device that includes flash memory with an integrated USB interface. It is typically removable, rewritable and much smaller than an optical disc, and thus lightweight. Data recovery may be required owing to physical damage to the storage device or logical damage to the file system that prevents it from being mounted by the host.

The aim of this study is to restore intentionally deleted data stored on flash drives by means of three open source data recovery programs, and to carry out a comparative study of the reproducibility of the results produced by Recuva, Test Disk and Stellar Data Recovery.

II. MATERIALS AND METHODOLOGY

For the preliminary examination, flash drives of mainly two brands, i.e. Sony and Sandisk, were collected randomly from friends and stores. All the samples collected had been used by their owners for various purposes such as storing audio and video files, images, documents, applications etc. The following exhibits were used for data recovery with the help of open source tools on a number of formatted flash drives, as shown in Table 2.1. After securing the sample flash drives, the recovery of deleted or formatted data was carried out with open source tools such as:

- Recuva
- Test Disk
- Stellar Phoenix Data Recovery

Table 2.1: Details of Flash Drives Collected for Data Recovery

| S. No. | Brand of Flash Drive | Storage Capacity |
|---|---|---|
| 01. | SONY | 16GB |
| 02. | SONY | 16GB |
| 03. | SONY | 16GB |
| 04. | SANDISK | 8GB |
| 05. | SANDISK | 8GB |
| 06. | SANDISK | 8GB |

IJRAR19J1280 International Journal of Research and Analytical Reviews (IJRAR) www.ijrar.org 1103


Details of System Used:

- Windows 10 Professional system
- Processor: Intel® Core(TM) i3-5005U CPU @ 2.00GHz
- Installed memory (RAM): 4GB (usable 3.39GB)
- System Type: 64 bit Operating System
- Operating System name HP-SSC98JT

[Chart 2.1: Procedure of Methodology. Steps shown: (1) Collection of flash drives; (2) Formatting the flash drives; (3) Observations and results. Further boxes: storing files such as images, audio, video and PDF etc.; feature extraction and matching phase.]

The stages in the results represent the number of times formatting was performed. For example, Stage 1 shows that the new flash drive was formatted for the first time, Stage 2 shows formatting four times and Stage 3 shows formatting eight times. Table 2.2 shows the total files transferred to the drives for data recovery.

Table 2.2: Total Files Transferred to Flash Drives

| | Stage I | Stage II | Stage III |
|---|---|---|---|
| Sony 16GB Flash Disk | 14.8GB | 14.8GB | 14.8GB |
| Total Files | 654 files | 654 files | 654 files |
| Images | 2.75GB/594 files | 2.75GB/594 files | 2.75GB/594 files |
| Audios | 11.3MB/3 files | 11.3MB/3 files | 11.3MB/3 files |
| Videos | 11.27GB/3 files | 11.27GB/2 files | 11.27GB/2 files |
| Pdf’s | 126MB/42 files | 126MB/42 files | 126MB/42 files |
| Document files | 558MB/12 files | 558MB/12 files | 558MB/12 files |

III. RESULTS

The physical extraction of the flash drives collected as digital evidence was carried out under various conditions. The extracted data, in the form of an image, was preserved for further examination. The data recovered from the various flash drives was used to identify the best open source tool. The results obtained in the present study are shown in Table 3.1. In flash drive 1 (Sony 16GB), 14.8GB of data was transferred to the drive. A portion of the memory on external storage is reserved for system files and the data sector for better performance. By default, the flash drives are in NTFS (New Technology File System) format and some space is needed for memory allocation. This is the underlying reason for the accessible space being less than the specified capacity. After formatting the flash drive for the first time (stage 1), with a new pen drive, the data recovered by Recuva was 3.60GB (24.36%). The files that could not be retrieved properly were mostly video files. These video files were large files, which were more susceptible to corruption. There were 3 video files in total, of which 2 were recovered and split into smaller files. The difference between total data and recovered data was 11.19GB. Similarly, stage 2 represents the pen drive formatted four times. Here the recovered data was 38.91% of 14.8GB, which was larger than the data recovered at stage 1. This is because the data was never erased as such, it was only compressed. Therefore, the increased file size was the result of those corrupted files which were then deleted. The difference between total data and recovered data at stage 2 was 9.04GB. Image files were the ones that were corrupted, and with every recovery they get salvaged, which is why the number of files increases from 594 to 633. Stage 3 represents formatting the flash drive eight times and its subsequent recovery. The retrieved data was 64.45%, which was larger than the data recovered at stage 1 and stage 2. The difference between total data and recovered data at stage 3 was 5.26GB.

Table 3.1: A Comparative Study of Data Recovered from Recuva at Various Stages of Formatting

| Recuva: Stages of Data Recovery | I stage | II stage | III stage |
|---|---|---|---|
| Recovered Data (Sony 16GB) | 3.60GB | 5.86GB | 9.54GB |
| Images | 2.70GB/594 files | 2.92GB/633 files | 3.02GB/818 files |
| Audios | 11.3MB/3 files | 8.29MB/2 files | 7.41MB/2 files |
| Videos | 302MB/2 files | 2.3GB/16 files | 5.85GB/86 files |
| Pdf’s | 107MB/41 files | 103MB/12 files | 103MB/12 files |
| Document files | 507MB/11 files | 551MB/13 files | 580MB/17 files |
| Percentage of Data Recovered | 24.36% | 38.91% | 64.45% |
| Difference | 11.19GB | 9.04GB | 5.26GB |

The red dots on the interface panel of the Recuva software indicate files that were inaccessible, the green dots indicate files that were excellent for data restoration, and the orange dots indicate poor files which were overwritten and may be repaired, but in a restricted form. Similarly, a new Sony flash drive (16GB) was examined for data recovery with Test Disk software and the results are shown in Table 4.2. After formatting the flash drive for the first time (stage 1), the data recovered was 14.23GB (96.14%). The difference between total data and recovered data was 570MB. Stage 2 shows that the recovered data was 185.94%. The difference between total data and recovered data at stage 2 was 12.72GB. At stage 3 the recovered data was 58.04%, which was less than the data recovered at stage 1 and stage 2. The difference between total data and recovered data at stage 3 was 6.21GB.

Table 4.2: A Comparative Study of Data Recovered from Test Disk at Various Stages of Formatting

| Test Disk: Stages of Data Recovery | I stage | II stage | III stage |
|---|---|---|---|
| Total Data | 14.8 GB | 14.8 GB | 14.8 GB |
| Recovered Data | 14.23GB | 27.52GB | 8.59GB |
| Images | 2.40GB/550 files | 7.2GB/1810 files | 2GB/300 files |
| Audios | 10.9MB/3 files | 45.3MB/10 files | 5.6MB/2 files |
| Videos | 11GB/2 files | 18GB/9 files | 6GB/6 files |
| Pdf’s | 250MB/28 files | 800MB/35 files | 135MB/20 files |
| Document files | 590MB/14 files | 1.5GB/22 files | 470MB/9 files |
| Percentage of Data Recovered | 96.14% | 185.94% | 58.04% |
| Difference | 570MB | 12.72GB | 6.21GB |

Similarly, a new Sony flash drive (16GB) was tested for data recovery with Stellar Phoenix software and the results are shown in Table 4.3. At stage 1, the recovered data was 14.72GB (99.45%). The difference between total data and recovered data was 800MB. Stage 2 shows that the recovered data was 227%. The difference between total data and recovered data at this stage was 18.9GB. At stage 3, the recovered data was 155.4%, which was comparatively less than the stage 1 recovered data. The difference between total data and recovered data at stage 3 was 6.2GB.

Table 4.3: A Comparative Study of Data Recovered from Stellar Phoenix at Various Stages of Formatting

| Stellar Phoenix: Stages of Data Recovery | I stage | II stage | III stage |
|---|---|---|---|
| Total data | 14.8 GB | 14.8 GB | 14.8 GB |
| Recovered data | 14.72GB | 33.70GB | 23.00GB |
| Images | 2.70GB/594 files | 10.8GB/1450 files | 7.70GB/640 files |
| Audios | 11.3MB/3 files | 45.2MB/8 files | 36.8MB/6 files |
| Videos | 11.27GB/10 files | 20.08GB/21 files | 14GB/15 files |
| Pdf’s | 250MB/30 files | 820MB/43 files | 550MB/37 files |
| Document files | 507MB/11 files | 1.98GB/20 files | 750MB/13 files |
| Percentage of Data Recovered | 99.45% | 227% | 155.4% |
| Difference | 800MB | 18.9GB | 8.2GB |

Likewise, the results for the Sandisk (8GB) flash drive were processed and examined to determine whether factors such as the manufacturer of the flash drive or its storage capacity influence the performance of recovery by the software used.
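An added example, not part of the original paper or of the tools it tests: one way to score a recovery run by file content rather than by size, so that size-based figures such as the 185.94% and 227% above can be broken down into intact files, duplicates and files that match no original. It assumes the examiner kept a copy of the files transferred to the drive (`reference_dir`) and exported the tool's output to `recovered_dir`; both names and the sample data in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so multi-gigabyte video files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def score_recovery(reference_dir, recovered_dir):
    """Score a tool's output folder against a kept copy of the original files."""
    ref = {sha256_file(p): p.stat().st_size      # digest -> size, distinct originals
           for p in Path(reference_dir).rglob("*") if p.is_file()}
    if not ref:
        raise ValueError("reference set is empty")
    seen, raw_bytes, duplicates, unmatched = set(), 0, 0, 0
    for p in Path(recovered_dir).rglob("*"):
        if not p.is_file():
            continue
        raw_bytes += p.stat().st_size
        digest = sha256_file(p)
        if digest not in ref:
            unmatched += 1       # fragment, corrupted copy or unrelated file
        elif digest in seen:
            duplicates += 1      # an original that was already counted once
        else:
            seen.add(digest)
    ref_bytes = sum(ref.values())
    return {
        "raw_pct": round(100 * raw_bytes / ref_bytes, 2),   # size-only figure
        "intact_pct": round(100 * sum(ref[d] for d in seen) / ref_bytes, 2),
        "intact_files": len(seen),
        "duplicates": duplicates,
        "unmatched": unmatched,
    }


def demo():
    """Constructed sample data: three originals, five files in the tool output."""
    originals = {"a.jpg": b"A" * 1000, "b.pdf": b"B" * 500, "c.mp4": b"C" * 2000}
    recovered = {"f0001.jpg": b"A" * 1000, "f0002.jpg": b"A" * 1000,  # duplicate
                 "f0003.pdf": b"B" * 500,
                 "f0004.mp4": b"C" * 1500, "f0005.mp4": b"C" * 1200}  # fragments
    with tempfile.TemporaryDirectory() as tmp:
        for sub, files in (("reference", originals), ("recovered", recovered)):
            Path(tmp, sub).mkdir()
            for name, data in files.items():
                Path(tmp, sub, name).write_bytes(data)
        return score_recovery(Path(tmp, "reference"), Path(tmp, "recovered"))


if __name__ == "__main__":
    print(demo())
```

In the constructed sample the size-only figure is above 100% while only two of the three originals are recovered bit-for-bit, which is the distinction a size-based percentage cannot show.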


IV. DISCUSSION

Data stored in files is the main source of evidence in computer forensics. As the size of storage devices increases, the time needed to analyse them also increases. Finding pieces of evidence in deleted files and recovering them is crucial for investigation. The work by Mahant, S. H. and Meshram, B. B. (2012) describes the internal details of the NTFS file system and how it deals with deleted files, which helps to explain the results of recovery tools, and they further suggested an approach that facilitates quicker recovery of deleted files [3]. Al-Hajri, H. and Williams, P. (2007) in their study tested eight freeware tools, obtained from the internet, to restore deleted photos in a viewable form. The results revealed that the faster tools did not restore the pictures in a viewable format. However, the faster tools retrieved evidence of images that had been stored on the SD card, and subsequent forensic examination of these files was called for. These tools would be convenient for an initial rapid assessment of removable media, which would then require further investigation using other tools to restore viewable images from the memory device. Of the eight tools, three successfully retrieved images in a viewable format. The tools retrieved photos that cannot be viewed on the Windows platform; however, they may be viewable on other operating systems or in other photo viewing programs [4]. Bansal, A. et al. (2016) suggested that the farthest and the simplest tool for data recovery was “Data Rescue PC3”. The methods adopted in their study attempt to retrieve files when the disk was physically or logically damaged, i.e. overwritten, by skilled culprits [5]. Chandsarkar, A. and Patil, S. found that data recovery from both physical and logical problems in storage devices calls for careful consideration of these before deciding on recovery methods for each issue. Data recovery for the relevant problems could be achieved by employing software such as freeware or shareware only [6].

V. CONCLUSION

In the present study, the data recovered from the drives using various open source software showed that, after initial formatting, the files that could not be retrieved properly were mostly videos. These video files were large files, which were more susceptible to corruption. Formatting showed that the recovered data was comparatively larger than the recovered data. This is because the data was never erased as such, it was only compressed. Encrypted flash drives secure the data stored on the volume by curtailing the file size. Any USB flash drive formatted with FAT, FAT32 or NTFS can be encrypted. The overwritten files which were restored may look the same, i.e. in the number of files, but the file size was abnormal. The results of data recovery for the Sandisk (8GB) flash drive showed that the manufacturer of the flash drive or its storage capacity does not influence the performance of recovery by the software used.

VI. ACKNOWLEDGMENT

I would like to acknowledge all the friends and family of the authors for their consideration and support.

REFERENCES

[1] Yajid, N. B. T. M. 2017. An Aries Algorithm for Optimal Data Recovery in Database Server
[2] Mahant, S. H. and Meshram, B. B. 2012. NTFS Deleted Files Recovery: Forensics View. International Journal of Computer Science and Information Technology & Security, 2(3): 491-497.
[3] Al-Hajri, H. and Williams, P. 2007. The Effectiveness of Investigative Tools for Secure Digital (SD) Memory Card Forensics. Originally published in the Proceedings of the 5th Australian Digital Forensics Conference, Edith Cowan University, Perth Western Australia. http://ro.ecu.edu.au/adf/3
[4] Bansal, A., Agrawal, A., Sankhla, M. S. and Kumar, R. 2016. Computer Forensic Investigation on Hard Drive Data Recovery: A Review Study. Journal of Computer Engineering, 18(5): 39-42.
[5] Chandsarkar, A. and Patil, S. 2016. Simplifying Data Recovery with Advance Techniques and Operations. International Journal of Computer Science and Technology, 7(4): 217-221.
[6] Kumar, A. S. 2013. Cyber Forensics in Kerala. International Journal of Computer Science and Mobile Computing, 13: 74-79.
[7] Casey, E. and Stellatos, G. J. 2008. The Impact of Full Disk Encryption on Digital Forensics. ACM SIGOPS Operating Systems Review, 42(3): 93-98.
[8] Son, N., Lee, Y., Kim, D., James, J. I., Lee, S. and Lee, K. 2013. A Study of User Data Integrity during Acquisition of Android Devices. Digital Investigation, 10: 3-11.
[9] Buchanan-Wollaston, J., Storer, T. and Glisson, W. 2013. A Comparison of Forensic Toolkits and Mass Market Data Recovery Applications. In: Ninth Annual IFIP WG 11.9 International Conference on Digital Forensics, National Center for Forensic Science Orlando, FLA, USA. http://eprints.gla.ac.uk/71698/
[10] Sansurooah, K. 2009. A Forensics Overview and Analysis of USB Flash Memory Devices. Originally published in the Proceedings of the 7th Australian Digital Forensics Conference, Edith Cowan University, Perth Western Australia, December 3rd 2009. http://ro.ecu.edu.au/adf/70
