DocumentCode :
1811719
Title :
An Automatic Carving Method for RAR File Based on Content and Structure
Author :
Wei, Yingjie ; Zheng, Ning ; Xu, Ming
Author_Institution :
Comput. & Software Inst., Hangzhou Dianzi Univ., Hangzhou, China
fYear :
2010
fDate :
24-25 July 2010
Firstpage :
68
Lastpage :
72
Abstract :
File carving is a digital forensic technique that aims to reconstitute a file from unstructured data sources with no knowledge of the file system. This paper presents an automatic carving method for RAR files. RAR is one of the most popular archive formats and is widely used on digital devices to package data for transport or storage, so it is important for forensic investigation to obtain the information of RAR files. We apply a mapping function to locate the header and footer of an archived file, use the distance between the header and footer of an archived file to determine whether the archived file is fragmented, and apply enumeration to reassemble a bi-fragmented archived file. Finally, we validate the integrity of the archived file and the RAR file, repairing RAR files that are missing a header or footer. Experiments based on artificial data and real-world data show that our method can automatically carve continuous and fragmented RAR files. Moreover, the comparative experiments demonstrate that this method is better than others in accuracy and effectiveness.
Keywords :
computer forensics; data compression; data structures; RAR file; archive formats; automatic carving method; digital forensic technique; file carving; unstructured data sources; Accuracy; Computers; Data mining; Equations; File systems; Mathematical model; archived file; bi-fragmentation; file carving; mapping function; validation;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Information Technology and Computer Science (ITCS), 2010 Second International Conference on
Conference_Location :
Kiev
Print_ISBN :
978-1-4244-7293-2
Electronic_ISBN :
978-1-4244-7294-9
Type :
conf
DOI :
10.1109/ITCS.2010.23
Filename :
5557327