Detecting file fragmentation point using sequential hypothesis testing

Anandabrata Pal, Husrev T. Sencar, Nasir Memon

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Abstract

    File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.

    Original languageEnglish (US)
    Title of host publicationDFRWS 2008 Annual Conference
    StatePublished - 2008
    Event8th Annual Digital Forensic Research Workshop, DFRWS 2008 - Baltimore, MD, United States
    Duration: Aug 11 2008Aug 13 2008

    Other

    Other8th Annual Digital Forensic Research Workshop, DFRWS 2008
    CountryUnited States
    CityBaltimore, MD
    Period8/11/088/13/08

    Fingerprint

    Recovery
    Digital devices
    Testing
    Metadata

    Keywords

    • Data recovery
    • DFRWS carving challenge
    • File carving
    • Forensics
    • Fragmentation
    • Hypothesis testing
    • Sequential

    ASJC Scopus subject areas

    • Information Systems

    Cite this

    Pal, A., Sencar, H. T., & Memon, N. (2008). Detecting file fragmentation point using sequential hypothesis testing. In DFRWS 2008 Annual Conference

    Detecting file fragmentation point using sequential hypothesis testing. / Pal, Anandabrata; Sencar, Husrev T.; Memon, Nasir.

    DFRWS 2008 Annual Conference. 2008.

    Research output: Chapter in Book/Report/Conference proceedingConference contribution

    Pal, A, Sencar, HT & Memon, N 2008, Detecting file fragmentation point using sequential hypothesis testing. in DFRWS 2008 Annual Conference. 8th Annual Digital Forensic Research Workshop, DFRWS 2008, Baltimore, MD, United States, 8/11/08.
    Pal A, Sencar HT, Memon N. Detecting file fragmentation point using sequential hypothesis testing. In DFRWS 2008 Annual Conference. 2008
    Pal, Anandabrata ; Sencar, Husrev T. ; Memon, Nasir. / Detecting file fragmentation point using sequential hypothesis testing. DFRWS 2008 Annual Conference. 2008.
    @inproceedings{e51022271fed4b9c8e8009cdcd107d88,
    title = "Detecting file fragmentation point using sequential hypothesis testing",
    abstract = "File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.",
    keywords = "Data recovery, DFRWS carving challenge, File carving, Forensics, Fragmentation, Hypothesis testing, Sequential",
    author = "Anandabrata Pal and Sencar, {Husrev T.} and Nasir Memon",
    year = "2008",
    language = "English (US)",
    booktitle = "DFRWS 2008 Annual Conference",

    }

    TY - GEN

    T1 - Detecting file fragmentation point using sequential hypothesis testing

    AU - Pal, Anandabrata

    AU - Sencar, Husrev T.

    AU - Memon, Nasir

    PY - 2008

    Y1 - 2008

    N2 - File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.

    AB - File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.

    KW - Data recovery

    KW - DFRWS carving challenge

    KW - File carving

    KW - Forensics

    KW - Fragmentation

    KW - Hypothesis testing

    KW - Sequential

    UR - http://www.scopus.com/inward/record.url?scp=84868515867&partnerID=8YFLogxK

    UR - http://www.scopus.com/inward/citedby.url?scp=84868515867&partnerID=8YFLogxK

    M3 - Conference contribution

    BT - DFRWS 2008 Annual Conference

    ER -