Data carving using artificial headers
Proceedings of the 13th Annual Security Conference
School of Science / ECU Security Research Institute
Digital forensic tools are essential for processing electronic evidence in criminal and, increasingly, civil cases. Investigators rely upon the functionality of these tools to identify and extract relevant artifacts. One of the key processes is data carving, an approach that ignores the file system and analyses the drive for files that match a particular signature. Unfortunately, for anything other than simple files, data carving has many limitations that result in either missed files or high numbers of false alarms. Detection in these carvers is largely based upon a signature appearing in the header of the file, so for files that have corrupted or missing headers, modern data carvers are unable to recover the file successfully. This paper proposes a new approach to data carving that inserts an artificial header onto the file, thereby circumventing the header issue. Experiments have demonstrated that this approach is able to successfully recover files that no current data-carving tool can recover.
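The header dependence described above can be seen on a small constructed disk image. The following is an added illustration, not code from the paper: it assumes gzip as the file format, a 512-byte cluster size and files that start on cluster boundaries, and every function name and sample payload in it is hypothetical.

```python
import zlib

CLUSTER = 512  # assumed cluster size of the constructed image
GZIP_MAGIC = b"\x1f\x8b\x08"
# Artificial 10-byte gzip header: magic, CM=8, FLG=0, MTIME=0, XFL=0, OS=255 (unknown)
ARTIFICIAL_HEADER = GZIP_MAGIC + b"\x00" * 6 + b"\xff"
INTACT = b"intact evidence file\n" * 20  # constructed sample payloads
DAMAGED = b"file whose header was overwritten\n" * 20


def try_gunzip(blob):
    """Return the payload if blob starts with a complete, CRC-valid gzip member."""
    d = zlib.decompressobj(31)  # 31 = gzip framing; CRC32 and length are checked
    try:
        out = d.decompress(blob)
    except zlib.error:
        return None
    return out if d.eof else None  # eof stays False for truncated streams


def carve_by_signature(image):
    """Header-signature carving: only cluster starts carrying the magic are decoded."""
    hits = {}
    for off in range(0, len(image), CLUSTER):
        if image.startswith(GZIP_MAGIC, off):
            data = try_gunzip(image[off:])
            if data is not None:
                hits[off] = data
    return hits


def carve_with_artificial_header(image):
    """Overlay an artificial header on every cluster start and keep what validates."""
    hits = {}
    for off in range(0, len(image), CLUSTER):
        data = try_gunzip(ARTIFICIAL_HEADER + image[off + len(ARTIFICIAL_HEADER):])
        if data is not None:
            hits[off] = data
    return hits


def build_constructed_image():
    """Cluster 0: intact gzip; cluster 1: empty; cluster 2: gzip with zeroed header."""
    def gz(payload):
        c = zlib.compressobj(9, zlib.DEFLATED, 31)
        return c.compress(payload) + c.flush()
    damaged = b"\x00" * 10 + gz(DAMAGED)[10:]
    clusters = [gz(INTACT), b"", damaged]
    return b"".join(c.ljust(CLUSTER, b"\x00") for c in clusters)
```

The gzip trailer's CRC32 is what keeps false alarms down here: a cluster is reported only if the stream behind the artificial header decodes completely and its checksum matches.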