Title :
Retention of micro-fragments in cluster slack - A first model
Author :
Garcia, Johan ; Holleboom, Thijs
Author_Institution :
Karlstad Univ., Karlstad, Sweden
Abstract :
In current forensic practice it is regularly needed to determine whether some set of files have been present on a storage medium or not. File carving techniques are readily used as a tool in such examinations. However, if all clusters holding the files searched for have been overwritten, remains of the previous files only resides in the cluster slack. In this work we elaborate on the factors that influence how many such cluster slack ¿micro-fragments¿ that can be expected to be detected. We identify a set of factors that influence the micro-fragment retention characteristics. One such characteristic is the file size distribution of the files overwriting the original files. We derive analytical expressions for three different file size distributions, which allows us to examine the retention characteristics even if the overwriting files come from different sources.
Keywords :
file organisation; cluster slack; file carving techniques; file size distribution; microfragments retention; retention characteristics; Analytical models; Data structures; File systems; Forensics; Hard disks; Internet; APP-IDEN; FOR-DMIN;
Conference_Titel :
Information Forensics and Security, 2009. WIFS 2009. First IEEE International Workshop on
Conference_Location :
London
Print_ISBN :
978-1-4244-5279-8
Electronic_ISBN :
978-1-4244-5280-4
DOI :
10.1109/WIFS.2009.5386487
