Detecting file fragmentation point using sequential hypothesis testing

Anandabrata Pal, Husrev T. Sencar, Nasir Memon

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Abstract

File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.

Original languageEnglish (US)
Title of host publicationDFRWS 2008 Annual Conference
StatePublished - 2008
Event8th Annual Digital Forensic Research Workshop, DFRWS 2008 - Baltimore, MD, United States
Duration: Aug 11 2008Aug 13 2008

Other

Other8th Annual Digital Forensic Research Workshop, DFRWS 2008
CountryUnited States
CityBaltimore, MD
Period8/11/088/13/08

Fingerprint

Recovery
Digital devices
Testing
Metadata

Keywords

  • Data recovery
  • DFRWS carving challenge
  • File carving
  • Forensics
  • Fragmentation
  • Hypothesis testing
  • Sequential

ASJC Scopus subject areas

  • Information Systems

Cite this

Pal, A., Sencar, H. T., & Memon, N. (2008). Detecting file fragmentation point using sequential hypothesis testing. In DFRWS 2008 Annual Conference

Detecting file fragmentation point using sequential hypothesis testing. / Pal, Anandabrata; Sencar, Husrev T.; Memon, Nasir.

DFRWS 2008 Annual Conference. 2008.

Research output: Chapter in Book/Report/Conference proceedingConference contribution

Pal, A, Sencar, HT & Memon, N 2008, Detecting file fragmentation point using sequential hypothesis testing. in DFRWS 2008 Annual Conference. 8th Annual Digital Forensic Research Workshop, DFRWS 2008, Baltimore, MD, United States, 8/11/08.
Pal A, Sencar HT, Memon N. Detecting file fragmentation point using sequential hypothesis testing. In DFRWS 2008 Annual Conference. 2008
Pal, Anandabrata ; Sencar, Husrev T. ; Memon, Nasir. / Detecting file fragmentation point using sequential hypothesis testing. DFRWS 2008 Annual Conference. 2008.
@inproceedings{e51022271fed4b9c8e8009cdcd107d88,
title = "Detecting file fragmentation point using sequential hypothesis testing",
abstract = "File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.",
keywords = "Data recovery, DFRWS carving challenge, File carving, Forensics, Fragmentation, Hypothesis testing, Sequential",
author = "Anandabrata Pal and Sencar, {Husrev T.} and Nasir Memon",
year = "2008",
language = "English (US)",
booktitle = "DFRWS 2008 Annual Conference",

}

TY - GEN

T1 - Detecting file fragmentation point using sequential hypothesis testing

AU - Pal, Anandabrata

AU - Sencar, Husrev T.

AU - Memon, Nasir

PY - 2008

Y1 - 2008

N2 - File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.

AB - File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.

KW - Data recovery

KW - DFRWS carving challenge

KW - File carving

KW - Forensics

KW - Fragmentation

KW - Hypothesis testing

KW - Sequential

UR - http://www.scopus.com/inward/record.url?scp=84868515867&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84868515867&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:84868515867

BT - DFRWS 2008 Annual Conference

ER -