Forensic Carving from Unallocated Space

Computer forensic investigations have become increasingly common in the investigation of IT-related issues. From experience, hard disks, USB thumb drives and memory sticks contain information that might be useful. Computer forensics is regularly conducted by police, customs and tax investigators, but also within private companies and organizations. However, there are areas of a storage device that are not part of the organized structure that a file system provides. This can happen because the information was erased intentionally, because a virus destroyed the file system, and so on. Areas without this structure are referred to as unallocated space, and locating specific file information within unallocated space is problematic. Today, two methods are used. The first is to search for specific keywords to locate a specific file. The other is to search for file signatures, such as a file header or file footer. However, these methods are not especially successful. During 2006-2007 the organization DFRWS arranged two challenges to try to overcome these shortcomings. The results of the challenges raised interesting aspects that may be possible to develop further. Most of the specialized forensic software available does not incorporate good methods for file extraction and basically relies on the two methods mentioned above.

Author: Jim Keyzer

Source: Blekinge Institute of Technology
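
The file-signature method described in the abstract, as an added example that is not taken from the thesis: a minimal header/footer carver run over a constructed buffer standing in for unallocated space. The JPEG markers are real; `carve`, `fake_jpeg`, `build_image` and all sample data are hypothetical, and the fragmented file is an assumed failure case (the abstract does not say why the methods fall short).

```python
# Added example: header/footer signature carving over a raw byte buffer.
JPEG_HEADER = b"\xff\xd8\xff"   # JPEG start-of-image marker plus next marker byte
JPEG_FOOTER = b"\xff\xd9"       # JPEG end-of-image marker
SECTOR = 512


def carve(image, header=JPEG_HEADER, footer=JPEG_FOOTER, max_size=1 << 20):
    """Return (offset, data) for every header..footer span found in image."""
    found = []
    pos = image.find(header)
    while pos != -1:
        end = image.find(footer, pos + len(header), pos + max_size)
        if end == -1:
            # Header with no footer in range: skip it and keep scanning.
            pos = image.find(header, pos + 1)
            continue
        end += len(footer)
        found.append((pos, image[pos:end]))
        pos = image.find(header, end)
    return found


def fake_jpeg(seed, sectors):
    """Constructed stand-in for a JPEG: real markers, filler body without 0xFF."""
    body_len = sectors * SECTOR - len(JPEG_HEADER) - len(JPEG_FOOTER)
    body = bytes((seed + i) % 0xFF for i in range(body_len))
    return JPEG_HEADER + body + JPEG_FOOTER


def build_image():
    """Constructed unallocated space: one contiguous file, one fragmented file."""
    file_a = fake_jpeg(1, 4)
    file_b = fake_jpeg(7, 4)
    gap = b"\x00" * SECTOR
    foreign = b"\x41" * (2 * SECTOR)   # sectors belonging to some other file
    half = 2 * SECTOR
    image = gap + file_a + gap + file_b[:half] + foreign + file_b[half:] + gap
    return image, file_a, file_b


if __name__ == "__main__":
    image, file_a, file_b = build_image()
    for offset, data in carve(image):
        status = "intact" if data in (file_a, file_b) else "corrupt (foreign sectors)"
        print(f"offset {offset:6d}  {len(data):5d} bytes  {status}")
```

The contiguous file carves out byte-for-byte, while the fragmented one is returned as a single span that silently includes the foreign sectors, so a carved file should be validated before it is treated as recovered evidence.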

