Detecting file fragmentation point using sequential hypothesis testing

Anandabrata Pal, Husrev T. Sencar, Nasir Memon

    Research output: Contribution to journal › Article

    Abstract

    File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.

    Original language: English (US)
    Journal: Digital Investigation
    Volume: 5
    Issue number: SUPPL.
    DOI: 10.1016/j.diin.2008.05.015
    State: Published - Sep 2008

    Keywords

    • Data recovery
    • DFRWS carving challenge
    • File carving
    • Forensics
    • Fragmentation
    • Sequential hypothesis testing

    ASJC Scopus subject areas

    • Computer Science (miscellaneous)
    • Engineering (miscellaneous)
    • Law

    Cite this

    Detecting file fragmentation point using sequential hypothesis testing. / Pal, Anandabrata; Sencar, Husrev T.; Memon, Nasir.

    In: Digital Investigation, Vol. 5, No. SUPPL., 09.2008.

    @article{36af6daa15064527ad465a3fb16549aa,
    title = "Detecting file fragmentation point using sequential hypothesis testing",
    abstract = "File carving is a technique whereby data files are extracted from a digital device without the assistance of file tables or other disk meta-data. One of the primary challenges in file carving can be found in attempting to recover files that are fragmented. In this paper, we show how detecting the point of fragmentation of a file can benefit fragmented file recovery. We then present a sequential hypothesis testing procedure to identify the fragmentation point of a file by sequentially comparing adjacent pairs of blocks from the starting block of a file until the fragmentation point is reached. By utilizing serial analysis we are able to minimize the errors in detecting the fragmentation points. The performance results obtained from the fragmented test-sets of DFRWS 2006 and 2007 show that the method can be effectively used in recovery of fragmented files.",
    keywords = "Data recovery, DFRWS carving challenge, File carving, Forensics, Fragmentation, Sequential hypothesis testing",
    author = "Anandabrata Pal and Sencar, {Husrev T.} and Nasir Memon",
    year = "2008",
    month = "9",
    doi = "10.1016/j.diin.2008.05.015",
    language = "English (US)",
    volume = "5",
    journal = "Digital Investigation",
    issn = "1742-2876",
    publisher = "Elsevier Limited",
    number = "SUPPL.",

    }
