Title :
A Study on a Carving Method for Deleted NTFS Compressed Files
Author :
Yoo, Byeongyeong ; Park, Jungheum ; Bang, Jewan ; Lee, Sangjin
Author_Institution :
Center for Inf. Security Technol., Korea Univ., Seoul, South Korea
Abstract :
File carving is a method that recovers files at unallocated space without any file information and used to recover data and execute a digital forensic investigation. In general, the file carving recovers files using the inherent header and footer in files or the entire file size determined in the file header. NTFS supports a compression function for internal files itself. However, the NTFS compression function has not been considered in the file carving. Thus, most of file carving tools cannot recover NTFS compressed files. This study describes the limitation in the existing file carving tools for the NTFS compressed files and proposes a recovering method for deleted NTFS compressed files.
Keywords :
computer forensics; data compression; file organisation; NTFS compressed files; carving method; digital forensic investigation; file carving; file information; Clustering algorithms; Digital forensics; File systems; Indexes; Information security; Resource management; Space technology;
Conference_Titel :
Human-Centric Computing (HumanCom), 2010 3rd International Conference on
Conference_Location :
Cebu
Print_ISBN :
978-1-4244-7567-4
DOI :
10.1109/HUMANCOM.2010.5563317
