Title

Data carving using artificial headers

Document Type

Conference Proceeding

Publication Title

Proceedings of the 13th Annual Security Conference

Publisher

Information Institute

School

School of Science / ECU Security Research Institute

RAS ID

18533

Comments

Originally published as: Daniel, R., Clarke, N. L., & Li, F. (2014). Data Carving using artificial headers. In proceedings of the Annual Information Institute Conference, May, 22-24, 2014. Original publication available here

Abstract

Digital forensic tools are an essential requirement in criminal and, increasingly, civil cases in order to process electronic evidence. Investigators rely upon the functionality of these tools to identify and extract relevant artifacts. One of these key processes is data carving – an approach that ignores the file system and analyses the drive for files that match a particular signature. Unfortunately, for anything other than simple files, data carving has many limitations that result in either missed files or high numbers of false alarms. Detection by data carvers is largely based upon a signature appearing in the header of the file. However, for files that have corrupted or missing headers, modern data carvers are unable to recover the file successfully. This paper proposes a new approach to data carving that inserts an artificial header onto the file, thereby circumventing the header issue. Experiments have demonstrated that this approach is able to successfully recover files that no current data-carving tools are able to recover.

Access Rights

free_to_read
