Classification and Recovery of Fragmented Multimedia Files using the File Carving Approach

Rainer Poisel (Institute of IT Security Research, St. Poelten University of Applied Sciences, Sankt Pölten, Austria), Marlies Rybnicek (Institute of IT Security Research, St. Poelten University of Applied Sciences, Sankt Pölten, Austria), Bernhard Schildendorfer (Institute of IT Security Research, St. Poelten University of Applied Sciences, Sankt Pölten, Austria) and Simon Tjoa (Institute of IT Security Research, St. Poelten University of Applied Sciences, Sankt Pölten, Austria)
DOI: 10.4018/jmcmc.2013070104

Abstract

File carving is a recovery technique that does not rely on file tables or other metadata used to organize data on storage media. Because files can be recovered based only on their content and/or structure, this technique is indispensable during digital investigations. The main contribution of this paper is the description of procedures that allow for successful content-based recovery of multimedia files from their fragments. So far, many approaches for the recovery of digital images have been proposed. After a short discussion of relevant representatives in this domain, the authors focus on the applicability of these approaches to the recovery of multimedia files.

Introduction

Information has gained vastly in importance in our society, hence the term “information society” has been introduced. The creation, manipulation, distribution and use of information have become significant in fields such as economy, politics and culture (Beniger, 1989). As a consequence, the development, distribution and usage of electronic devices as well as the exchange of information have steadily increased in recent years. Kryder’s Law states that the capacity of magnetic storage media such as hard disks is growing faster than processor speed (Walter, 2005). According to Moore's Law, processor speed is doubling every 18 months. Storage capacity has increased by 50 million times since the introduction of the disk drive in 1956. In 2008, the number of computers in use surpassed the one billion mark (Gartner/Reuters, 2008). The number of mobile phones in use worldwide is still increasing as well: from 2009 to 2010 this number increased from 3.9 billion to 4.2 billion devices (an increase of 7% in just one year) (BBC News, 2010).

In 2010, Germany's Federal Criminal Police Office showed in their most recent report (2009) that the total number of crimes committed using computers has increased (by 0.7%) while the detection rate has decreased (by 3.2%) (Polizeiliche Kriminalstatistik, 2011). This development can be traced back to the huge amount of data that has to be processed in each case. At a recent congress held by the Francophone Association for Digital Investigation (AFSIN), it was reported that, on average, each suspect owns 5 hard disks, 140 CDs or DVDs and 4 memory cards and USB sticks. When investigating businesses, the amount of data is even higher, with up to 31 hard disks and 14 terabytes for a single case (McAfee Avert Labs, 2010).

Various devices are available for the storage of media. In recent years the deployment of flash-based storage has increased. It can be found in solid-state devices (SSDs), “Secure Digital” (SD) cards and memory sticks, which are often used to store private, corporate and public information. As recovery strategies are key components for disaster recovery, forensics and e-discovery, Pal and Memon highlighted the need for improvements in this field in their paper (Pal & Memon, 2009).

Classical approaches for the recovery of files from corrupted storage media are often based on file system information (Carrier, 2005). Digital investigators consider content-based approaches when the required file system information is not available: “File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data” (Pal, Sencar, & Memon, 2008). Fragmentation complicates content-based file recovery because it shuffles the constituent parts of the files that should be recovered. Pal et al. (Pal, Sencar, & Memon, 2008) gave various reasons why fragmentation occurs on storage media. Solid-state devices, for example, utilize wear-leveling algorithms to extend their lifetime. Here storage cells are used in an even fashion, but it is difficult to determine the correct sequence of blocks as most wear-leveling algorithms are proprietary and therefore unknown to the digital investigator.
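As an added illustration (not code from the paper), the following Python sketch shows the simplest form of content-based carving, signature matching on JPEG start and end markers, and how a fragmented file defeats it. The raw image, the 512-byte block size, the file contents and all function names are constructed assumptions for this example.

```python
BLOCK = 512                              # assumed sector size of the constructed image
SOI, EOI = b"\xff\xd8\xff", b"\xff\xd9"  # JPEG start-of-image / end-of-image markers

def make_file(fill: bytes, blocks: int) -> bytes:
    """Constructed stand-in for a JPEG: SOI + filler + EOI, exactly `blocks` blocks long."""
    body = blocks * BLOCK - len(SOI) - len(EOI)
    return SOI + fill * body + EOI

FILE_A = make_file(b"A", 3)   # will be stored contiguously
FILE_B = make_file(b"B", 4)   # will be stored in two fragments

def build_image() -> bytes:
    """Raw image with no file table: free block, A, B part 1, foreign blocks, B part 2."""
    foreign = b"Z" * (2 * BLOCK)          # blocks belonging to some other file
    return (bytes(BLOCK) + FILE_A + FILE_B[:2 * BLOCK] + foreign
            + FILE_B[2 * BLOCK:] + bytes(BLOCK))

def carve(image: bytes) -> list[bytes]:
    """Naive carving: block-aligned header, then everything up to the next footer."""
    found = []
    for off in range(0, len(image), BLOCK):
        if image.startswith(SOI, off):
            end = image.find(EOI, off + len(SOI))
            if end != -1:
                found.append(image[off:end + len(EOI)])
    return found

def reassemble(carved: bytes, skip_from: int, skip_to: int) -> bytes:
    """Drop the foreign blocks [skip_from, skip_to) once the fragmentation point is known."""
    return carved[:skip_from * BLOCK] + carved[skip_to * BLOCK:]

if __name__ == "__main__":
    a, b = carve(build_image())
    print("contiguous file recovered intact:", a == FILE_A)
    print("fragmented file recovered intact:", b == FILE_B,
          f"({len(b) // BLOCK} blocks carved, {len(FILE_B) // BLOCK} expected)")
    print("intact after removing foreign blocks 2-3:", reassemble(b, 2, 4) == FILE_B)
```

The carved copy of the fragmented file still begins with a valid header and ends with a valid footer, so a marker check alone does not reveal the foreign blocks inside it. The `reassemble` step is given the fragmentation point here; locating it without ground truth is the part that requires inspecting block content.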

Recent developments have shown that content-based recovery strategies are computationally intensive (Pal & Memon, 2006). As computing platforms that support the parallel execution of computationally expensive jobs are on the rise (Garfinkel, 2010), the distribution of jobs to several nodes is considered as well. Future research ideas are given and discussed in detail.
