sign in sign up
<<
Home , Recuva, Vol (command)

Annals of R.S.C.B., ISSN:1583-6258, Vol. 25, Issue 4, 2021, Pages. 19600- 19611 Received 05 March 2021; Accepted 01 April 2021.

A Novel tool for in cyber forensics

Revathi Jagarlamudi1 MTech Student, Department of CSE (Cyber Security and digital Forensics), Koneru Lakshmaiah Educational Foundation,Vaddeswaram, A.P, India, [email protected] Dr. G. Rama koteswar Rao2 Professor, Department of CSIT(Computer Science and Information Technology),Koneru Lakshmaiah Educational Foundation,Vaddeswaram, A.P, India, [email protected]

ABSTRACT-Digital forensics has become an essential bit of many cyber security programs universally and information recovery is a vital segment of cyber forensics. Data recovery mechanism plays a fundamental role in ensuring the security of computer information and it is a hot stock of current informatization in many industries. By exploring the information storage structure of the hard disc, this paper addresses the fundamental technology of hard disc, data recovery and discusses the information recovery technique and its realization combined with the specific development. FAT and NTFS are considered as the popular file systems supported by Windows OS. Aiming towards information loss on Windows file systems this paper concentrates upon the essential objectives of information recovery on Windows FAT and NTFS and provides corresponding resolution.

Keywords: Data Recovery, Hard disc, Windows file systems, , NTFS. I. INTRODUCTION With the rapid growth of data technology, computers play a progressively crucial part in every individual’s work and life, and computer information security issues are getting increasingly distressed. Plentiful data is put away as information on file systems. As a principal part of data management, the security of information has been paid increasingly concerned attention by every individual. Stepwise instructions to recuperate lost information rapidly and effectively becomes an important issue. The loss and destruction or disruption of information usually cause irreparable consequences [1]. As of now, the share in market for Windows surpasses 92%, and FAT and NTFS[2] are the mainstream file systems supported by Windows OS. Consequently, this paper focuses predominantly on the development of data recovery application for Windows FAT32 and NTFS[3]. A. Fat File System The file allocation table file system or FAT is developed for hard drives and is used to administer files on the hard drives through the operating system[4]. It is comprised of four areas. They are: Reserved sectors The originally reserved area (logical sector 0) is the Boot Sector (likewise called Boot Record or essentially VBR). It incorporates a territory called the BIOS Parameter Block (BPB) which contains some fundamental file system data, specifically its and pointers to the area of different sections, and ordinarily contains the boot loader code of OS(operating system). FAT Region FAT Region commonly contains two duplicates of the File Allocation Table with the scope of checking the redundancy. They are occasionally utilized by the disc repair serviceability. These are guides of the Data Region, demonstrating which clusters are utilized by documents and directories. In FAT12 and FAT16 they promptly follow the reserved sectors. FAT Region= (number of FATs) * (number of sectors per FAT) Root Directory Region This is a Directory Table which stores information regarding the documents and directories situated in the root directory. It is just utilized with FAT12 and FAT16 and forces on the root directory a fixed most extreme size which is pre-allocated making of this volume. FAT32 stores the source index in Data Region, alongside documents and distinct directories, permitting it to develop without such a constraint. Root Directory Region= (number of root entries * 32)/(number of bytes per sector)Data Region This region is the area where the genuine document and the directory data is stored and takes up a large portion of the segment.

19600 http://annalsofrscb.ro Annals of R.S.C.B., ISSN:1583-6258, Vol. 25, Issue 4, 2021, Pages. 19600- 19611 Received 05 March 2021; Accepted 01 April 2021.

Data Region= (number of clusters) * (number of sectors per cluster)

B. Classification Of Data Recovery From the viewpoint of data recovery strategies, there are especially three kinds of software recovery techniques, they are software and hardware recovery techniques and deep signal recovery techniques. The software recovery technique is mostly to utilize data recuperation software to regain information when the hard disc can in any case be utilized. This recovery technique is low in recuperation cost, yet it is weak for those hard discs that have been physically damaged. Software and hardware mixed technique is to fix the hard disc or open the disc to read the information within the disc and afterwards utilize the software to reestablish the information[5]. The deep signal recovery technique analyzes the condition of the deep magnetic medium on the surface area of the disc and illuminates the crystal with rays of various wavelengths and various intensities to generate distinctive reflection, refraction and diffraction signals [6]. However, because of the complexness of the technology and the high price of recovery along these lines, and as of now couple of countries on the planet can have such technology. just few large-scale computer organizations and government offices at no cost will have this degree of data recovery equipment [7].

II. LITERATURE SURVEY Ref [7] Zhang Kai, Cheng En and Gao Qinquan focused on the demand of cyber forensics dependent on NTFS file system and proposed a strategy for object-arranged technique to design and examine NTFS file system. The acquire relationship and encapsulation of classes are utilized to profoundly examine various kinds of data resources. It accomplishes the typical file analysis as well as recovers the deleted file. A solid data source for the PC forensics is given. Simultaneously, numerous interfaces have reference incentive for the idea of upper cyber forensic software. Ref [8] Sameer H. Mahant B.B. Meshram stated that discovering evidence in deleted documents and restoring them is significant for investigation. They portrayed the inward details on NTFS file system and how does it handle the deleted documents, which could be utilized to check the results of recovery applications. They have likewise proposed a strategy which will in quicker recovery of deleted documents. Ref [16] Van Dai Tran, Dong-Joo Park targeted on flash memory, this memory has an ever-increasing number of applications throughout everyday life and capacity improvement solutions are generally applied in the support gadgets. It is critical to information when something turns out badly with Flash memory in cases a sudden power outage or failure. In this manner, recovering information is a fast and furious research field and draws in a great deal of researchers. Until now, there are numerous specialized solutions have been proposed. Ref [20] Joe Buchanan-Wollaston, Tim Storer and William Glisson has compared the information recovery abilities of five applications under indistinguishable conditions to survey the recovery speed with which applications complete the information recovery process and the degree of the variations between the applications regarding the files recovered. No two applications produced identical outcomes, and no application recuperated all the files in a disk image ("all" is characterized at the aggregate of the distinct documents collectively recuperated by the tools). Ref [21] Yinghua Guo and Jill Slay focused on mapping the essential elements of the cyber forensic discipline is an amazing methodology for making a function- oriented validation and confirmation worldview for computerized forensic tools. The utility of the methodology is shown with regards to the information recovery function through the specification of information recovery prerequisites and a reference set for testing applications that actualize the information recovery function. Validating a computerized forensic application is reduced to testing the application against the reference set. III. ANALYSIS ON DATA RECOVERY TECHNOLOGY A. Hard Disk Storage Structure To recover the deleted data, right off the bat we should comprehend the standards of data storage. The storage structure of the hard disc includes five sections MBR area, DBR region, FAT area, section and data area. 2

19601 http://annalsofrscb.ro Annals of R.S.C.B., ISSN:1583-6258, Vol. 25, Issue 4, 2021, Pages. 19600- 19611 Received 05 March 2021; Accepted 01 April 2021.

Fig1: Hard disk storage structure The MBR (Main Boot Record) area [8] is situated in the 0 track 0 Cylinder 1 sector of the whole hard disc, which possesses a total of 512 bytes. It comprises of a 446-byte master boot program, a 64-byte partition table record and a 2-byte end tag ("55AA"). Its definitive content is produced by the partition program and it does not have a place with any operating system. Its principal function is to check whether the partition table is correct and reel off the OS boot program in boot partition [9]. It cannot be instantly accessed by the operating system, and information is commonly read through Int 13 or extended Int 13. The DBR (DOS Boot Record) region is situated at track 0, 1 cylinder, and 1 sector. It is the primitive area which can be straightforwardly accessed by the OS (operating system). It consists of the boot program and BPB (BIOS Parameter Block). It is produced by the formatter distinctive partition of DBR vary. The FAT (File Allocation Table) area file system to a(FAT) file allocation table space and it has the accordance with the disc data blocks. Every item consumes 1.5 bytes in FAT12, each item occupies 2 bytes in FAT16, and every item possesses 4 bytes in FAT32. In this way, it is not too hard to determine the length or range of the FAT when the partition volume or size is known. For prohibit unexpected harm of FAT, the system especially backs up a homogeneous FAT behind the FAT. At the moment when principal FAT is harmed, the subsequent FAT can be restored and utilized again. The Dir (Directory) section is a file directory table, which facilitate FAT to discover the accurate location of a file. Note that only file name, length, beginning position, modification day, creation and last access date are saved in the Dir section. The data area is the real storage area of the file and data area saves the comprehensive content of that file. B. Data Recovery Technology

Data recovery is the procedure where the data which is damaged or corrupted or lost is recovered or retrieved from storage devices. This technique is applied when the information is unobtainable by ordinary methods for example either the information inside is corrupted or totally formatted or when the storage device is damaged [10]. The data recovery technology is utilized in public security judiciary in anticipation an assortment of computer crime. With the increasing popularity of computers, an ever-increasing number of firms to utilize computers, so computer and network crimes become to an ever-increasing extent. In the wake of completing crimes utilizing computers, the criminals tend to scrub up traces of their crimes, which creates great trouble during investigation, so it is critical to restore the information. Data recovery process can be utilized for computer crime scene investigation[11], offline survey, online survey, and a variety of applications. The data recovery can generally ensure the objectivity, and integrity of the original evidence, subsequently enhancing the investigation of computer crime detection ability and proficiency.

19602 http://annalsofrscb.ro Annals of R.S.C.B., ISSN:1583-6258, Vol. 25, Issue 4, 2021, Pages. 19600- 19611 Received 05 March 2021; Accepted 01 April 2021.

Fig 2: Data flow diagram of data recovery 1) Delete Recovery FAT Partition File Recovery In the FAT partition, once we delete a file, solely the data content of File Allocation Table area and Dir area are altered. During this procedure, the system changes the initial byte of parallel file in Directory area to " E5 H", and afterward clears the parallel FAT record to zero the utilized space, marks the relating area as unused, and alters the data content At the point when a file is stored frequently, we can undoubtedly restore the deleted file. Although mostly we might change the content of certain files or while leftover disc space is not very huge, the files might be stored or scattered[12]. As of now, while recovering data, we can only judge and evaluate the information from numerous aspects to accurately recover the data. NTFS Partition File Recovery NTFS partition is analogous to FAT, except that it will not alter FAT and Dir while deleting files but alters MFT and bitmap records. Delete files MFT in the recording procedure relating to a file 16 H 2 0 to byte which denotes the MFT record is erased, and afterward documented in MFT, MFT comparing to the bitmap bit was cleared. Lastly, clear the bitmap comparing to the file to finish the file deletion activity. Refer to Master File Table record and data stream format. The starting position and length of every data segment of file recorded in detail in the information recorded by MFT (80 H) can smoothly restore the data[13], rather than bothering about the recovery impact as the file is not frequently stored like FAT. 2) Format Recovery FAT Partition At the point when we reformat the disc, we just rewrite the information within DBR, FAT area and also root directory area. Hence the information within the disc will still be recovered thereafter partitioning and formatting [14]. In any case, after the partition is reformatted, the root directory entry of the previous partition could not be seen, and cluster size of the previous parcel cannot be precisely known. Subsequently unformat the weight trouble lies in deciding the cluster size and location of the root directory. While formatting and restoring, firstly determine the beginning position and cluster size of data area, next look for the remaining directory data within the partition and then lastly restore the data [15]. This approach has the advantage of: • It is easy to implement and it is not necessary to master the file format of the body. • Search speed is high. disadvantage is: • It just can disclose the File Directory Table in the initial or first cluster in each directory and could not disclose the FDT saved in the back • It is tough to restore while the files were not stored continuously.

19603 http://annalsofrscb.ro Annals of R.S.C.B., ISSN:1583-6258, Vol. 25, Issue 4, 2021, Pages. 19600- 19611 Received 05 March 2021; Accepted 01 April 2021.

NTFS Partition To recuperate the data in NTFS partition, predominantly look for leftover MFT records[16] in the partition to recover information. Immediately after reading the NTFS partition data cautiously, you will locate that all file description data is saved in the files MFT record [17], including file name, file size, beginning position, length, creation date and other information. furthermore, each MFT record header is denoted with the " FILE" in the beginning. Therefore, recovering files in NTFS partition can be stated as follows: • the sector beginning with “FILE” in the partition. • Further examine the content in the sector and decide whether it is the real MFT record. • Interpret the read data content as indicated by the MFT record format. • Number of clusters of a file, file occupied space and file size, calculate the cluster size of the previous partition. • Recover data. Since the information stream in MFT detail the record storage location of the file, so NTFS partition utilizing format recovery restoration success data is a lot higher than the FAT segment or partition. 3) Raw Recovery While recovering data, you may experience a situation where the directory structure or MFT has been destroyed completely and the genuine data content of a file is not overwritten [18]. In such situation, the delete recovery and format recovery strategies seem powerless. Raw file recovery is a search technique, utilizing this technique to read the partition all sectors, subsequently searching for a specific tag file header[19]. The fundamental steps are in such a way that: first compare the information read from that sector with the data in the database to decide if it is a known file format. At that point determine the file size as indicated by the record header and the information in database[20]. At the last restore the specific information in continuous storage space of the information. Advantage is The advantage of utilizing this recovery strategy is the high success rate in data recovery. The disadvantages are: • Searching speed of a file is slow, and the number of every sector read must be contrasted with the data in the database. • It is hard to execute, expecting developers to consult a large amount of data and understand the file headers of various types of files. • Since the text file is an unformatted file and has no file header, the plain text file cannot be restored.

IV. METHODOLOGY USED IN PROPOSED SYSTEM

Create the file handle. Read the data present in drive to acquire MFT start area by passing boot area address. Evaluate bytes per file record and begin scanning from 25th record based on LBA. For each MFT record. On the remote possibility that record starts with “FILE” and flag is 0, increment deleted documents count. Discover attribute filename in that record[21]. On the remote possibility that discovered attribute is filename and flag is 0 acquire filename, else read next record. Discover the data attribute of the record which is erased. Open the document of similar name as the deleted file in the new location to recover the content. Get the information offset from the resident or non-occupant attributes. Compose the data recuperated from the clusters into the newly opened file. Then Close the newly opened file record.

19604 http://annalsofrscb.ro Annals of R.S.C.B., ISSN:1583-6258, Vol. 25, Issue 4, 2021, Pages. 19600- 19611 Received 05 March 2021; Accepted 01 April 2021.

19605 http://annalsofrscb.ro Annals of R.S.C.B., ISSN:1583-6258, Vol. 25, Issue 4, 2021, Pages. 19600- 19611 Received 05 March 2021; Accepted 01 April 2021.

Fig 3: Flow chart for data recovery As determined in the figure 3, when th e client dispatches this data recovery application or tool, client needs to choose desired storage drive from where required file should be recovered. At that point, the tool will make a deep scan on the drive and then preventv information altering of original document and protect integrity of files[22]. Then, client needs to use the recovery method for fractional recovery which is the recovery based on the file type and file system. Uncertainly, recovery is depended on file type strategy. They should pick file types like audio, video, images, documents and so on that they wish to recuperate. Subsequently choosing the alternatives, the tool will begin filtering the drive and analyses each byte of disc sector. At that point, the tool will look for file signatures for chosen file type and show the resultant folder and files. Implementation of the tool The logical information recovery strategy is implemented as a software and has been assessed for specific parameters similarly recovery based on content and speed. The recovery of the lost data using this novel application is done as shown below.

Fig 4: Selecting a file to delete and recover

Here, we selected a file to perform the deletion operation on that file. Next, recover that file using this data recovery software. 19606 http://annalsofrscb.ro Annals of R.S.C.B., ISSN:1583-6258, Vol. 25, Issue 4, 2021, Pages. 19600- 19611 Received 05 March 2021; Accepted 01 April 2021.

Fig 5: Content present in the selected file

Open the selected file and view the content of that file to compare and conclude finally if the file which we recovered is the file which got deleted earlier and intended to recover.

Fig 6: Permanent deletion of selected file

Permanently deleting the file for performing recovery on that file.

Fig 7: Recovery application interface

Here we can see the design of the data recovery tool interface. Click on start and run the application.

Fig 8: Selecting the deleted file for recovery

After running the application, we need to select the drive from where that file got deleted. If needed enable the check boxes namely “Get File Paths” and “Check File Integrities” to observe file paths and to check whether the file space was overwritten after deletion operation. All the deleted files will get displayed. The left bottom corner is allotted for the preview of all the displayed files. Click on the file to preview the file name or file data 19607 http://annalsofrscb.ro Annals of R.S.C.B., ISSN:1583-6258, Vol. 25, Issue 4, 2021, Pages. 19600- 19611 Received 05 March 2021; Accepted 01 April 2021.

and select the file to recover. Then click on the search for deleted files and select the destination address to store the recovered file, click on ok.

Fig 9: Recovering the file

The file got recovered successfully to the defined destination address.

Fig 10: Recovered file

The file which we recovered to the destination address is shown above with the new filename

Fig 11: Opening the recovered file

Open the file and check whether it is the required file. Compare the file to conclude if it is the file which is deleted earlier. Thus, the process of recovery is successful using this Data recovery software.

V. RESULT ANALYSIS

Table 1 below shows the comparison of features for some data recuperation tools with the developed novel data recovery tool. By analyzing this we can know the advantages of this tool and features that this tool facilitates effectively than other tools. This tool facilitates the effective file recovery, can preview all types of files, ensures data protection including data integrity and also involves deep scanning on the drive. This tools mainly ensures the high-speed scanning and recovery on comparison with the other recovery tools.

19608 http://annalsofrscb.ro Annals of R.S.C.B., ISSN:1583-6258, Vol. 25, Issue 4, 2021, Pages. 19600- 19611 Received 05 March 2021; Accepted 01 April 2021.

TABLE I. Comparison of features for recovery tools

Tools/Features File All types of file High speed Data Deep Recovery preview scanning Protection Scanning &recovery

Recuva √ √ Ease US √ √ Disk √ √ √ √ Drill Novel tool √ √ √ √ √ The below histogram compares about the performance of the developed novel data recovery tool with two other recovery software's [23]. Create a drive partition and upload identical files which act as test inputs for using different data recovery tools including the developed tool. The test input involved 6 files altogether. 1 video file, 2 audio files, 1 text file of word format, 1 Pdf file and 1 image file. All the above listed files were deleted. Now the developed novel tool runs and recovers the deleted files. Simultaneously other recovery software's also gets executed to recover the same files [24]. The speed registered is comprehensive of examining time. The deleted file listing and recovery segment is estimated as number of deleted files listed and recovered.

Fig12: Histogram for results comparison Many applications attempt to recover data with the aid of low-level scan. Low level scan will not consider the drive's arrangement or index and information recovery is done depending on the file signature [25]. This technique examines the whole drive attempting to validate file signatures through headers and footers. It is increasingly slow and will not uphold the fragmented file recovery as location of the clusters is undetermined. The novel data recovery tool performs to a certain extent which is better than the low-level scans with regards to speed, fragmentation and file details like filename and size [26].

VI. CONCLUSIONS In the current technology-driven society, information security is progressively significant. Data recovery innovation is the fastest developing and the most powerful technology, with an immense market and improvement possibilities in the field of cyber security and maintenance. This paper examines the hard disc storage structure, centers around the structure of FAT and NTFS file systems, analyses file records and key attributes and the mechanisms of data storage in both FAT file system and NTFS and proposes the accompanying solution for the lost data recovery. on this premise, the recovery strategy for the lost or deleted files is given. By correlation, the NTFS file system is simpler to discover lost files and recover those files because of its convenient circumstances within its structure and file storage system. data recovery is just a remedy after data loss. We ought to develop great habits to back up important data, particularly the operating staff should consistently back up your data, guard against data loss.

19609 http://annalsofrscb.ro Annals of R.S.C.B., ISSN:1583-6258, Vol. 25, Issue 4, 2021, Pages. 19600- 19611 Received 05 March 2021; Accepted 01 April 2021.

VII. REFERENCES [1] Anmol bansal, Aastha Agrawa, Mahipal Singh Sankhla and Rajeev Kumar, "Computer Forensic Investigation on Hard Drive Data Recovery", IOSR Journal of Computer Engineering, pp. 39-40, 2017. [2] Liu Naiqi1, Wang Zhongshan2, Hao Yujie3, QinKe4 (2008). “Computer forensics research and implementation based on NTFS file system”. Proceedings -ISECS International Colloquium on Computing, Communication, Control, and Management, CCCM 2008, 1, 519–523. doi:10.1109/CCCM.2008.236. [3] Suleyman Gokhan Taskin, Ecir Ugur Kucu ksille. “Recovering Data Using MFT Records in NTFS File System”. Academic Perspective Procedia 1(1):448-457, doi: 10.33793/acperpro.01.01.88, November 2018. [4] Zhang, N., Jiang, Y., & Wang, J. (2020). “The Research of Data Recovery on Windows File Systems”. 2020 International Conference on Intelligent Transportation, Big Data & Smart City (ICITBS). doi:10.1109/icitbs49701.2020.00141. [5] Bhagyashri P. Deshpande, Prof.Ram Meghe. “The Advanced Way of Data Recovery”. international Journal of Computer Science and Applications Vol. 6, No.2, Apr 2013 ISSN: 0974-1011 (Open Access) [6] Advait Chandsarkar, Suchitra Patil. “Simplifying Data Recovery with Advance Techniques and Operations”. International Journal of Computer Science and Technology IJCST Vol. 7, Issue 4, Oct - Dec 2016. [7] Guo Xiwei, “Analysis on Computer Data Recovery Technology and the Applications”. International Conference on Management, Computer and Education Informatization (MCEI 2015). [8] Qingshan Yao, Chunying Gu (2010). “Research and Implementation of Data Recovery Technology Based on WINDOWS FAT”. 2010 International Conference on Machine Vision and Human-Machine [9] Sudhakar Sengan, Ganga Rama Koteswara Rao, Osamah Ibrahim Khalaf and M. Rajesh Babu, “Markov mathematical analysis for comprehensive real-time data-driven in healthcare”, Vol. 12, No. 1, February 2021, PP. 71-94, ISSN 2041-3165 [10] Na Zhang (2013). Research and Implementation on Partition Table Recovery of Data Recovery Technology. Applied Mechanics and Materials Vols. 336-338 (2013) pp 2221-2224. doi:10.4028 /www.scientific./amm.336-338.2221. [11] Van Dai Tran, Dong-Joo Park, “A survey of data recovery on flash memory”. International Journal of Electrical and Computer Engineering (IJECE) Vol. 10, No. 1, February 2020, pp. 360~376 ISSN: 2088- 8708, DOI: 10.11591. [12] Shashank Tomer, Aviral Apurva, Pranshu Ranakoti, Saurav Yadav, Nihar Ranjan Roy(2017). “Data recovery in Forensics”. 2017 International Conference on Computing and Communication Technologies for Smart Nation (IC3TSN). doi:10.1109/ic3tsn.2017. 8284474. [13] Reddy,L.H., Thamognudu, Y. & Sreeram, G. 2019, "Deployment of a secured web application using cryptanalysis in cloud environment", International Journal of Engineering & Advanced Technology, Vol. 8, No.4, PP. 1841-1844. [14] Min Zhou. (2014). Research on Recovery of Computer Data Based on Windows System. Applied Mechanics and Materials Vols. 608-609 (2014) pp 603-606. doi:10.4028 /www.scientific.net/amm. 608- 609.603. [15] Mr. Dhruv Prajapati, Mr. Anisetti Anjaneyulu, Mr. Nirav Patel 3. Analysis of Deleted Data in NTFS Filesystem. International Journal for Science and Research in Technology (IJSART) volume 1 Issue2– FEBRUARY 2015. [16] Cuiyuan YU1, Jie Shan (2014). Research and Implementation of Data Recovery Technology in Campus Computer Labs Based on Hidden Partition on Windows Systems. Advanced Materials Research Vols 971- 973 (2014) pp 1706-1709. doi:10.4028 /www.scientific.net/amr.971-973.1706. [17] Eoghan Casey, Alex Nelson, Jessica Hyde (2019). Standardization of file recovery classification and authentication. Digital Investigation. doi:10.1016/ j.diin.2019.06.004 [18] Kai, Z., En, C., & Qinquan, G. (2010). “Analysis and Implementation of NTFS File System Based on Computer Forensics”. 2010 Second International Workshop on Education Technology and Computer Science. doi:10.1109/etcs.2010.434. [19] Ashrad,M & Hussain, M.A. 2019, " An efficient attack defensive models for web security", International Journal of Engineering & Advanced Technology, Vol. 8, No.5, PP. 969-974. [20] Mahant, S. H. and Meshram, B. B. (2012). “NTFS Deleted Files Recovery: Forensics View”. IRACST - International Journal of Computer Science and Information Technology & Security (IJCSITS), ISSN: 2249- 9555 Vol. 2, No.3, June 2012. [21] Guo Y., Slay J. (2010) Data Recovery Function Testing for Digital Forensic Tools. In: Chow KP., Shenoi S. (eds) Advances in Digital Forensics VI. Digital Forensics 2010. IFIP Advances in Information and Communication Technology, vol 337. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-15506-2_21.

19610 http://annalsofrscb.ro Annals of R.S.C.B., ISSN:1583-6258, Vol. 25, Issue 4, 2021, Pages. 19600- 19611 Received 05 March 2021; Accepted 01 April 2021.

[22] Al Sharif, S., Al Ali, M., Salem, N., Iqbal, F., El Barachi, M., & Alfandi, O. (2014). An Approach for the Validation of File Recovery Functions in Digital Forensics’ Software Tools. 2014 6th International Conference on New Technologies, Mobility and Security (NTMS). doi:10.1109/ntms.2014.6814005. [23] Ganga Rama Koteswara Rao., Satya Prasad R," A Three-Pronged Approach to Mitigate Web Attacks ", Advances in Intelligent Systems and Computing, PP. 71-83, Vol 1163. Springer, Singapore. https://doi.org/10.1007/978- 981-15-5029-4_7,August,2020. [24] Kausalyani A/P Angamutu1, Nor Azlina Abd Rahman1 and Nik Nurul Ain Nik Suki, “A Customized Data Recovery Tool“ Journal of Physics: Conference Series, Volume 1712, International Conference On Computational Physics in Emerging Technologies (ICCPET) 2020 1 August 2020, Mangalore, India. [25] Buchanan-Wollaston J., Storer T., Glisson W. (2013) “Comparison of the Data Recovery Function of Forensic Tools”. In: Peterson G., Shenoi S. (eds) Advances in Digital Forensics IX. Digital Forensics 2013. IFIP Advances in Information and Communication Technology, vol 410. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-41148-9_22. [26] Abhinav Singh, Dr. Suneet Kumar. “Working efficiency of the sleuth kit in forensic data recovery: a review”. International Journal of All Research Education and Scientific Methods (IJARESM), ISSN: 2455- 6211 Volume 8, Issue 6, June-2020, Impact Factor: 4.597.Interface. doi:10.1109/mvhi.2010.2014.

19611 http://annalsofrscb.ro