Analysis of Forensic Tools for Recovery of Formatted Data: a case study with Microsoft Word files

Authors

  • Rubens Karman Paula da Silva Universidade de Pernambuco (UPE) https://orcid.org/0000-0001-9388-9889
  • Islan Amorim Bezerra Universidade de Pernambuco (UPE)
  • Sidney Marlon Lopes de Lima Universidade Federal de Pernambuco (UFPE)
  • Sérgio Murilo Maciel Fernandes Universidade de Pernambuco (UPE)

DOI:

https://doi.org/10.22456/2175-2745.140149

Keywords:

Digital forensics, Data Carving, File Carving, Performance analysis, Word documents

Abstract

Deleting or formatting files to hide a crime can be considered a frustrating action, given the ease of using forensic software that implements data carving techniques. This research aims to evaluate the accuracy of forensic data carving software when subjected to recovering formatted Microsoft Word files. The software chosen is widely used in the field and has been featured in scientific papers: Foremost, Scalpel, Recuva, PhotoRec, Autopsy and Magic Rescue. The metrics analyzed were: software execution time, number and size of files recovered, number of false positives and true positives generated in three test scenarios. Validation took place by comparing the resulting files with the originals using a hash algorithm. To structure the test scenarios, a dataset was built with 16,000 copies of files of various lengths. In each scenario, the number of files and the requirements that the software was subjected to varied, with only doc or docx files being recovered. Of the software analyzed, Recuva, Autopsy and PhotoRec had the highest percentages of true positives (>90%) in all the scenarios evaluated. As for false positives, Recuva performed better than the others, with approximately 1%.
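The hash-based validation step described in the abstract can be sketched as follows. This is an added example, not code from the paper: the abstract does not name the hash algorithm or define the scoring rule, so SHA-256, the rule "hash match = true positive, any other recovered file = false positive", the directory layout and all function names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

WORD_EXTS = {".doc", ".docx"}  # the study recovers only these types


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large carved files do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def score_recovery(original_dir, recovered_dir):
    """Assumed scoring: hash match = true positive, anything else = false positive."""
    originals = {sha256_file(p) for p in Path(original_dir).rglob("*")
                 if p.is_file() and p.suffix.lower() in WORD_EXTS}
    tp, fp, matched = [], [], set()
    for p in sorted(q for q in Path(recovered_dir).rglob("*") if q.is_file()):
        digest = sha256_file(p)
        if digest in originals:
            tp.append(p.name)
            matched.add(digest)
        else:
            fp.append(p.name)
    return {"true_positives": tp, "false_positives": fp,
            "tp_rate": len(tp) / max(len(tp) + len(fp), 1),
            "originals_not_recovered": len(originals - matched)}


def demo():  # constructed sample data: two originals, three carved outputs
    with tempfile.TemporaryDirectory() as tmp:
        orig, rec = Path(tmp, "orig"), Path(tmp, "rec")
        orig.mkdir(); rec.mkdir()
        docx = b"PK\x03\x04" + b"A" * 4096                    # ZIP-style header
        doc = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"B" * 4096  # OLE2 header
        (orig / "report.docx").write_bytes(docx)
        (orig / "memo.doc").write_bytes(doc)
        (rec / "f0001.docx").write_bytes(docx)                # exact recovery
        (rec / "f0002.doc").write_bytes(doc + b"\x00" * 512)  # carved past end of file
        (rec / "f0003.docx").write_bytes(b"PK\x03\x04" + b"\xff" * 100)  # unrelated data
        return score_recovery(orig, rec)
```

Under exact-hash matching, a carved file that contains the whole original plus trailing bytes (`f0002.doc` in the constructed sample) is scored as a false positive even though its content is intact.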

Published

2024-09-04

How to Cite

Karman Paula da Silva, R., Amorim Bezerra, I., Lopes de Lima, S. M., & Maciel Fernandes, S. M. (2024). Analysis of Forensic Tools for Recovery of Formatted Data: a case study with Microsoft Word files. Revista De Informática Teórica E Aplicada, 31(2), 110–119. https://doi.org/10.22456/2175-2745.140149

Section

Regular Papers
