Statistical Disk Cluster Classification for File Carving

  • Authors:

  • Cor J. Veenman

  • Affiliations:

  • University of Amsterdam, the Netherlands/ Netherlands Forensic Institute, Netherlands

  • Venue:
  • IAS '07 Proceedings of the Third International Symposium on Information Assurance and Security
  • Year:
  • 2007

Quantified Score

Hi-index 0.00

Visualization

Abstract

File carving is the process of recovering files from a disk without the help of a file system. In forensics, it is a helpful tool in finding hidden or recently removed disk content. Known signatures in file headers and footers are especially useful in carving such files out, that is, from header until footer. However, this approach assumes that file clusters remain in order. In case of file fragmentation, file clusters can be disconnected and the order can even be disrupted such that straighforward carving will fail. In this paper, we focus on methods for classifying clusters into file types by using the statistics of the clusters. By not exploiting the possible embedded signatures, we generate evidence from a different source that can be integrated lateron. We propose a set of characteristic features and use statistical pattern recognition to learn a supervised classification model for a range of relevant file types. We exploit the statistics of a restricted number of neighboring clusters (context) to improve classification performance. In the experiments we show that the proposed features indeed enable the differentation of clusters into file types. Moreover, for some file types the incorporation of cluster context improves the recognition performance significantly.