Detecting file fragmentation point using sequential hypothesis testing

Anandabrata Pal, Husrev T. Sencar, Nasir Memon

Research output: Contribution to journalArticle

Abstract

File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.

Original languageEnglish (US)
JournalDigital Investigation
Volume5
Issue numberSUPPL.
DOIs
StatePublished - Sep 2008

Fingerprint

hypothesis testing
fragmentation
Recovery
Digital devices
Information Storage and Retrieval
Testing
Metadata
Equipment and Supplies
testing procedure
assistance
performance

Keywords

  • Data recovery
  • DFRWS carving challenge
  • File carving
  • Forensics
  • Fragmentation, Sequential hypothesis testing

ASJC Scopus subject areas

  • Computer Science (miscellaneous)
  • Engineering (miscellaneous)
  • Law

Cite this

Detecting file fragmentation point using sequential hypothesis testing. / Pal, Anandabrata; Sencar, Husrev T.; Memon, Nasir.

In: Digital Investigation, Vol. 5, No. SUPPL., 09.2008.

Research output: Contribution to journalArticle

Pal, Anandabrata ; Sencar, Husrev T. ; Memon, Nasir. / Detecting file fragmentation point using sequential hypothesis testing. In: Digital Investigation. 2008 ; Vol. 5, No. SUPPL.
@article{36af6daa15064527ad465a3fb16549aa,
title = "Detecting file fragmentation point using sequential hypothesis testing",
abstract = "File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.",
keywords = "Data recovery, DFRWS carving challenge, File carving, Forensics, Fragmentation, Sequential hypothesis testing",
author = "Anandabrata Pal and Sencar, {Husrev T.} and Nasir Memon",
year = "2008",
month = "9",
doi = "10.1016/j.diin.2008.05.015",
language = "English (US)",
volume = "5",
journal = "Digital Investigation",
issn = "1742-2876",
publisher = "Elsevier Limited",
number = "SUPPL.",

}

TY - JOUR

T1 - Detecting file fragmentation point using sequential hypothesis testing

AU - Pal, Anandabrata

AU - Sencar, Husrev T.

AU - Memon, Nasir

PY - 2008/9

Y1 - 2008/9

N2 - File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.

AB - File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.

KW - Data recovery

KW - DFRWS carving challenge

KW - File carving

KW - Forensics

KW - Fragmentation, Sequential hypothesis testing

UR - http://www.scopus.com/inward/record.url?scp=48749129422&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=48749129422&partnerID=8YFLogxK

U2 - 10.1016/j.diin.2008.05.015

DO - 10.1016/j.diin.2008.05.015

M3 - Article

AN - SCOPUS:48749129422

VL - 5

JO - Digital Investigation

JF - Digital Investigation

SN - 1742-2876

IS - SUPPL.

ER -