Carving Contiguous and Fragmented Files with Fast Object Validation

Abstract

"File carving" reconstructs files based on their content, rather than using metadata that points to the content. Carving is widely used for forensics and data recovery, but no file carvers can automatically reassemble fragmented files. We survey files from more than 300 hard drives acquired on the secondary market and show that the ability to reassemble fragmented files is an important requirement for forensic work. Next we analyze the file carving problem, arguing that rapid, accurate carving is best performed by a multi-tier decision problem that seeks to quickly validate or discard candidate byte strings - "objects" - from the media to be carved. Validators for the JPEG, Microsoft OLE (MSOLE) and ZIP file formats are discussed. Finally, we show how high speed validators can be used to reassemble fragmented files.

Open PDF

Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2007
Accession Number
ADA576165

Entities

People

  • Simson Garfinkel

Organizations

  • Naval Postgraduate School

Tags

Communities of Interest

  • Biomedical
  • Energy and Power Technologies

DTIC Thesaurus Topics

  • Algorithms
  • Boundaries
  • Computational Forensics
  • Computers
  • Containers
  • Data Sets
  • Databases
  • Directories
  • Electronic Mail
  • Health Care
  • Metadata
  • Operating Systems
  • Recovery
  • Standards
  • User Interface
  • Validation
  • Word Processors

Fields of Study

  • Computer science

Readers

  • Canadian European Scientific Immigration and Epilepsy Clearance Studies
  • Database Systems and Applications