Title :
Fragment retention characteristics in slack space — Analysis and measurements
Author :
Holleboom, Thijs ; Garcia, Johan
Author_Institution :
Dept. of Comput. Sci., Karlstad Univ., Karlstad, Sweden
Abstract :
When files are deleted, their information is not removed from the storage media. This is a well known fact, and there exist numerous undelete utilities to recover newly deleted files. When deleted files have been partly overwritten, the data from the part of the file that remains in unallocated space can be readily extracted by file carving. Such carving is often performed in forensic investigations. Furthermore, as a consequence of file system implementation specifics, there additionally exist small remains of the previous files in the space at the end of new files. In this paper we focus on these small remains of previous files, or micro-fragments, that exist even after all the space allocated to the previous file has been reallocated to new files. We derive expressions for modeling the number of micro-fragments that can be expected to be found, and perform experiments to evaluate the analytical model. The obtained results indicate good correspondence between the analytical predictions and the measured results.
Keywords :
computer forensics; data handling; file carving; file system implementation specifics; forensic investigations; fragment retention characteristics; slack space; storage media; undelete utilities; Analytical models; Computer science; Data mining; Extraterrestrial measurements; File systems; Forensics; Information analysis; Operating systems; Performance evaluation;
Conference_Titel :
Security and Communication Networks (IWSCN), 2010 2nd International Workshop on
Conference_Location :
Karlstad
Print_ISBN :
978-1-4244-6938-3
Electronic_ISBN :
978-1-4244-6939-0
DOI :
10.1109/IWSCN.2010.5497996
