DocumentCode :
599330
Title :
Forensics filesystem with cluster-level identifiers for efficient data recovery
Author :
Alhussein, M. ; Srinivasan, A. ; Wijesekera, Duminda
Author_Institution :
Dept. of Comput. Sci., George Mason Univ., Fairfax, VA, USA
fYear :
2012
fDate :
10-12 Dec. 2012
Firstpage :
411
Lastpage :
415
Abstract :
Recovering deleted information from a hard disk has been a long-standing problem. The computer forensics community has tackled information recovery through the development of file carving techniques. Two issues, however, still present significant challenges to their ongoing efforts: 1) prior knowledge of file types is required for building file carvers, including file headers and footers, and 2) fragmentation prevents file carvers from successful recovery. In the research work that we present in this paper, we propose a forensics file system that embeds a special identifier in every cluster that is either currently allocated or was in the past. The identifier keeps track of every cluster, mapping the clusters to a single file irrespective of the file status (existing or deleted). We modified an exFAT implementation on FUSE to implement our forensics file system. Finally, we have been able to verify via controlled experiments that our proposed file system successfully recovers all deleted files in our test environment.
Keywords :
digital forensics; file organisation; pattern clustering; FUSE; cluster mapping; cluster-level identifier; computer forensics; data recovery; exFAT; file allocation table; file carving technique; file footer; file header; file type knowledge; forensics file system; fragmentation; information recovery; Buffer storage; Forensics; Fuses; computer forensics; data recovery;
fLanguage :
English
Publisher :
IEEE
Conference_Titel :
Internet Technology And Secured Transactions, 2012 International Conference for
Conference_Location :
London
Print_ISBN :
978-1-4673-5325-0
Type :
conf
Filename :
6470840
Link To Document :