Skip to main content
SpringerLink
Log in
Book cover

International Conference on Advances in Cyber Security

ACeS 2021: Advances in Cyber Security pp 277–287Cite as

Analysis of File Carving Approaches: A Literature Review

Part of the Communications in Computer and Information Science book series (CCIS,volume 1487)

Abstract

Digital forensics is a crucial process of identifying, conserving, retrieving, evaluating, and documenting digital evidence obtained on computers and other electronic devices. Data restoration and analysis on file systems is one of digital forensic science’s most fundamental practices. There is a lot of research being done in developing file carving approaches and different researches focused on different aspects. With the increasing numbers of literature that are covering this research area, there is a need to review this literature for further reference. A review is carried out reviewing different works of literature covering various aspects of carving approaches from multiple digital data sources including IEEE Xplore, Google Scholar, Web of Science, etc. This analysis is done to consider several perspectives which are the current research direction of the file carving approach, the classification for the file carving approaches, and also the challenges are to be highlighted. Based on the analysis, we are able to state the current state of the art of file carving. We classify the carving approach into five classifications which are general carving, carving by specific file type, carving by structure, carving by the file system, and carving by fragmentation. We are also able to highlight several of the challenges for file carving mentioned in the past research. This study will serve as a reference for scientists to evaluate different strategies and obstacles for carving so that they may choose the suitable carving approaches for their study and also future developments.

Keywords

  • Digital forensic
  • File carving
  • File carving approaches’ analysis
  • Challenges in carving

This is a preview of subscription content, access via your institution.

Chapter
EUR   29.95
Price includes VAT (Malaysia)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
EUR   93.08
Price includes VAT (Malaysia)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
EUR   109.99
Price excludes VAT (Malaysia)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Learn about institutional subscriptions
Fig. 1.

References

  1. Afrizal, A., et al.: Analysis and implementation of signature based method and structure file based method for file carving. Indones. J. Comput. 6, 13–22 (2021). https://doi.org/10.34818/indojc.2021.6.1.457

  2. Alherbawi, N., et al.: A survey on data carving in digital forensic. Asian J. Inf. Technol. 15(24), 5137–5144 (2016)

    Google Scholar 

  3. Ali, R.R., Mohamad, K.M.: RX_myKarve carving framework for reassembling complex fragmentations of JPEG images. J. King Saud Univ. Comput. Inf. Sci. 33(1), 21–32 (2021). https://doi.org/10.1016/j.jksuci.2018.12.007

  4. Alshammari, E., et al.: A new technique for file carving on hadoop ecosystem. In: Proceedings of 2017 International Conference on New Trends Computing Sciences, ICTCS 2017, January 2018, pp. 72–77 (2017). https://doi.org/10.1109/ICTCS.2017.16

  5. Bayne, E.: Accelerating digital forensic searching through GPU parallel processing techniques. Abertay University (2017)

    Google Scholar 

  6. Bayne, E., et al.: OpenForensics: a digital forensics GPU pattern matching approach for the 21st century. In: DFRWS 2018 EU – Proceedings of 5th Annual DFRWS Europe, vol. 24, pp. S29–S37 (2018). https://doi.org/10.1016/j.diin.2018.01.005

  7. Beverly, R., et al.: Forensic carving of network packets and associated data structures. Digit. Investig. 8(Suppl.), S78–S89 (2011). https://doi.org/10.1016/j.diin.2011.05.010

  8. Bhat, W.A., Wani, M.A.: Forensic analysis of B-tree file system (Btrfs). Digit. Investig. 27, 57–70 (2018). https://doi.org/10.1016/j.diin.2018.09.001

    CrossRef  Google Scholar 

  9. Chen, Q., et al.: File fragment classification using grayscale image conversion and deep learning in digital forensics. In: Proceedings of 2018 IEEE Symposium on Security and Privacy Workshops, SPW 2018, pp. 140–147 (2018). https://doi.org/10.1109/SPW.2018.00029

  10. Darnowski, F., Chojnaki, A.: Selected methods of file carving and analysis of digital storage media in computer forensics. Teleinform. Rev. 1(2), 25–40 (2015)

    Google Scholar 

  11. Durmus, E., et al.: Image carving with missing headers and missing fragments. In: 2017 IEEE International Workshop on Information Forensics and Security, WIFS 2017, January 2018, pp. 1–6 (2017). https://doi.org/10.1109/WIFS.2017.8267665

  12. Ezequiel, R., Haro, J.: Forensic tool to study and carve virtual machine hard disk file (2019)

    Google Scholar 

  13. Garfinkel, S.L., McCarrin, M.: Hash-based carving: searching media for complete files and file fragments with sector hashing and hashdb. In: Proceedings of Digital Forensic Research Conference, DFRWS 2015, USA, vol. 14, pp. S95–S105 (2015). https://doi.org/10.1016/j.diin.2015.05.001

  14. Hand, S., et al.: Bin-carver: automatic recovery of binary executable files. In: Proceedings of Digital Forensic Research Conference, DFRWS 2012, USA, pp. S108–S117 (2012). https://doi.org/10.1016/j.diin.2012.05.014

  15. Heo, H.S., et al.: Automated recovery of damaged audio files using deep neural networks. Digit. Investig. 30, 117–126 (2019). https://doi.org/10.1016/j.diin.2019.07.007

    CrossRef  Google Scholar 

  16. Hiester, L.: File fragment classification using neural networks with lossless representations networks with lossless representations. Undergraduate Honors Theses, pp. 1–32 (2018)

    Google Scholar 

  17. Kadir, N.F.B.A.: Statistical byte frequency analysis for identifying JPEG. Universiti Teknologi Malaysia (2015)

    Google Scholar 

  18. Karresand, M., et al.: Creating a map of user data in NTFS to improve file carving. IFIP Adv. Inf. Commun. Technol. 569, 133–158 (2019). https://doi.org/10.1007/978-3-030-28752-8_8

  19. Laurenson, T.: Performance analysis of file carving tools. In: Janczewski, L.J., Wolfe, H.B., Shenoi, S. (eds.) SEC 2013. IAICT, vol. 405, pp. 419–433. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39218-4_31

    CrossRef  Google Scholar 

  20. Liebler, L., et al.: On efficiency of artifact lookup strategies in digital forensics. Digit. Investig. (2019). https://doi.org/10.1016/j.diin.2019.01.020

    CrossRef  Google Scholar 

  21. Masoumi, M., Keshavarz, A., Fotohi, R.: File fragment recognition based on content and statistical features. Multimedia Tools Appl. 80(12), 18859–18874 (2021). https://doi.org/10.1007/s11042-021-10681-x

    CrossRef  Google Scholar 

  22. van der Meer, V., et al.: A Contemporary Investigation of NTFS File Fragmentation. Radboud University, Nijmegen (2021)

    Google Scholar 

  23. Minnaard, W.: The Linux FAT32 allocator and file creation order reconstruction. Digit. Investig. 11(3), 224–233 (2014). https://doi.org/10.1016/j.diin.2014.06.008

    CrossRef  Google Scholar 

  24. Mittal, G., et al.: FiFTy: large-scale file fragment type identification using neural networks 16(Table I), 28–41 (2019). arXiv

    Google Scholar 

  25. Prade, P., et al.: Forensic analysis of the resilient file system (ReFS) version 3.4. Forensic Sci. Int. Digit. Investig. 32, 300915 (2020). https://doi.org/10.1016/j.fsidi.2020.300915

  26. Ravi, A., et al.: A method for carving fragmented document and image files. In: 2016 International Conference on Advances in Human Machine Interaction, HMI 2016, pp. 43–47 (2016). https://doi.org/10.1109/HMI.2016.7449170

  27. Romano, L.M.P.C.: File carving in practice. Universidade do Minho (2015)

    Google Scholar 

  28. Sari, S.A., Mohamad, K.M.: A review of graph theoretic and weightage techniques in file carving. J. Phys. Conf. Ser. 1529, 5 (2020). https://doi.org/10.1088/1742-6596/1529/5/052011

    CrossRef  Google Scholar 

  29. Sester, J., et al.: A comparative study of support vector machine and neural networks for file type identification using N-gram analysis. Forensic Sci. Int. Digit. Investig. 36, 301121 (2021). https://doi.org/10.1016/j.fsidi.2021.301121

    CrossRef  Google Scholar 

  30. Shi, K., et al.: A novel file carving algorithm for National Marine Electronics Association (NMEA) logs in GPS forensics. Digit. Investig. 23, 11–21 (2017). https://doi.org/10.1016/j.diin.2017.08.004

    CrossRef  Google Scholar 

  31. Uzun, E., Sencar, H.T.: Carving orphaned JPEG file fragments. IEEE Trans. Inf. Forensics Secur. 10(8), 1549–1563 (2015). https://doi.org/10.1109/TIFS.2015.2416685

    CrossRef  Google Scholar 

  32. Vulinovic, K., et al.: Neural networks for file fragment classification. In: Proceedings of 2019 42nd International Convention on Information and Communication Technology, Electronics and Microelectronics, MIPRO 2019, pp. 1194–1198 (2019). https://doi.org/10.23919/MIPRO.2019.8756878

  33. Yoo, B., et al.: A study on multimedia file carving method. Multimed. Tools Appl. 61(1), 243–261 (2012). https://doi.org/10.1007/s11042-010-0704-y

    CrossRef  Google Scholar 

  34. Zha, X., Sahni, S.: Fast in-place file carving for digital forensics. In: Lai, X., Gu, D., Jin, B., Wang, Y., Li, H. (eds.) e-Forensics 2010. LNICSSITE, vol. 56, pp. 141–158. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-23602-0_13

    CrossRef  Google Scholar 

  35. Lee, H., Lee, H.-W.: Block based smart carving system for forgery analysis and fragmented file identification. J. Internet Comput. Serv. 2020(3), 93–102 (2020)

    Google Scholar 

Download references

Acknowledgment

This research work is supported by an RDU grant of Universiti Malaysia Pahang, ‘Authentication Watermarking in Digital Text Document Images Using Unique Pattern Numbering and Mapping’ (RDU190366).

Author information

Authors and Affiliations

  1. Faculty of Computing, College of Computing and Applied Science, Universiti Malaysia Pahang, 26600, Pekan, Pahang, Malaysia

    Nor Ika Shahirah Ramli & Syifak Izhar Hisham

  2. College of Computer Science, King Khalid University, Abha, Saudi Arabia

    Gran Badshah

Authors
  1. Nor Ika Shahirah Ramli
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Syifak Izhar Hisham
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Gran Badshah
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Syifak Izhar Hisham .

Editor information

Editors and Affiliations

  1. Hodeidah University, Hodeidah, Yemen

    Prof. Nibras Abdullah

  2. Universiti Sains Malaysia, Penang, Malaysia

    Dr. Selvakumar Manickam

  3. Universiti Sains Malaysia, Penang, Malaysia

    Dr. Mohammed Anbar

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 Springer Nature Singapore Pte Ltd.

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Ramli, N.I.S., Hisham, S.I., Badshah, G. (2021). Analysis of File Carving Approaches: A Literature Review. In: Abdullah, N., Manickam, S., Anbar, M. (eds) Advances in Cyber Security. ACeS 2021. Communications in Computer and Information Science, vol 1487. Springer, Singapore. https://doi.org/10.1007/978-981-16-8059-5_16

Download citation

  • DOI: https://doi.org/10.1007/978-981-16-8059-5_16

  • Published:

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-16-8058-8

  • Online ISBN: 978-981-16-8059-5

  • eBook Packages: Computer ScienceComputer Science (R0)

Search

Navigation