RADIOELECTRONIC AND COMPUTER SYSTEMS

File carving techniques are important in the field of digital forensics. At the same time, the rapid growth in the amount and types of data requires the development of file carving methods in terms of capabilities, accuracy, and computational efficiency. However, most of the methods are developed to solve specific tasks and are based on a certain set of assumptions and a priori knowledge about the files to be recovered. There is a lack of research that systematizes methods and structures approaches to identify gaps and determine perspective directions for development, considering the latest advances in information technology and artificial intelligence. The subject matter of this article is the structure, factors, efficiency criteria, methods, and tools of file carving, as well as the current state and tendencies of development of file carving methods. The goal of this study is to systematize knowledge about advanced file carving methods and identify perspective directions for their development. The tasks to be solved are as follows: to identify the main stages of file carving and analyze approaches to their implementation; to build an ontological scheme of file carving; and to identify perspective directions for the development of carving methods. The methods used were literature review, systematization, and summarization. The obtained results are as follows. An ontological scheme for the file carving concept is constructed. The scheme includes the principles, properties, phases, techniques, evaluation criteria, tools used, and factors influencing file carving. The features, limitations, and fields of application of the data recovery methods are provided. It was established that the most widespread approach to file reconstruction is still a manually detailed analysis of the internal structure of files and/or their contents, identifying specific patterns that allow reassembling the sequence of data fragments in the correct order. However, most of the methods do not provide one hundred percent guaranteed results. This article analyzes the current state and prospects of using artificial intelligence methods in the field of digital forensics, particularly for identifying data blocks, clustering, and reconstructing files, as well as restoring the contents of media files with damaged or lost headers. The necessity of having priori information about the file structure or content for successfully carving fragmented data is determined. Conclusions. The scientific novelty of the obtained results is as follows: for the first time, advanced file carving methods are systematized and analyzed by directions of development and the perspectives of using artificial intelligence for identifying data blocks, clustering, and file content restoration; for the first time, an ontological scheme of file carving is constructed, which can be used as a roadmap for developing new advanced systems in the digital forensics field.

digital forensics; metadata; fragmentation; fragmented file; data recovery; file carving; file fragment identification; file reconstruction; file restoring; artificial intelligence

Carrier, B. File System Forensic analysis. Addison-Wesley Professional, 2005. 600 p.

Bonetti, G., Viglione, M., Frossi, A., Maggi, F., & Zanero, S. Black-box forensic and antiforensic characteristics of solid-state drives. Journal of Computer Virology and Hacking Techniques, 2014, vol. 10, no. 4, pp. 255–271. DOI: 10.1007/s11416-014-0221-z.

Ligh, M. H., Case, A., Levy, J., & Walters, A. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory 1st Edition. John Wiley & Sons, 2014. 912 p.

Ali, N. U. A., Iqbal, W., & Afzal, H. Carving of the OOXML document from volatile memory using unsupervised learning techniques. Journal of Information Security and Applications, 2022, vol. 65, article no. 103096. DOI: 10.1016/j.jisa.2021.103096.

Darnowski, F., & Chojnaki, A. Selected methods of file carving and analysis of digital storage media in computer forensics. Teleinformatics Review, 2015, vol. 1-2, pp. 25–40. Available at: https://yadda.icm.edu.pl/ baztech/element/bwmeta1.element.baztech-10af3f4e-db53-4ae5-9b7f-b7e850dd08d0/c/Darnowski_F_Chojnacki_A.pdf (accessed 19.09.2023).

Pahade, R. K., Singh, B., & Singh, U. A Survey on Multimedia File Carving. International Journal of Computer Science & Engineering Survey (IJCSES), 2015, vol. 6, no. 6, pp. 27–46. DOI: 10.5121/ijcses.2015.6603.

Alrobieh, Z. S., & Raqpan, A. M. A. A. File Carving Survey on Techniques, Tools and Areas of Use. Transactions on Networks and Communications, 2020, vol. 8, no. 1, pp. 16–26. DOI: 10.14738/tnc.81.7636.

Al-Jawry, Rabei., Mohamad, Kamaruddin., Jamel, Sapiee., & Ahmad Khalid, Shamsul Kamal. A review of digital forensics methods for JPEG file carving. Journal of Theoretical and Applied Information Technology, 2018, vol. 96, no. 17, pp. 5841-5856. Available at: http://www.jatit.org/volumes/Vol96No17/17Vol96No17.pdf (accessed 19.09.2023)

Rintu Aleyamma Thomas., & Mathai, M. A Survey on File Carving Process Using Foremost and Scalpel. National Conference on Emerging Computer Applications (NCECA2021), Kerala, 2021, vol. 3, no. 1, pp. 70-72. DOI: 10.5281/ZENODO.5091663.

Ali, N. U. A., Iqbal, W., & Shafqat, N. Analysis of Windows OS’s Fragmented File Carving Techniques: A Systematic Literature Review. 16th International Conference on Information Technology-New Generations (ITNG 2019). Springer International Publishing, 2019, pp. 63–67. DOI: 10.1007/978-3-030-14070-0_10.

Sari, S. A., & Mohamad, K. M. A Review of Graph Theoretic and Weightage Techniques in File Carving. Journal of Physics: Conference Series. IOP Publishing, 2020, vol. 1529, no. 5. DOI: 10.1088/1742-6596/1529/5/052011.

Ramli, N. I. S., Hisham, S. I., & Razak, M. F. A. Survey of File Carving Techniques. Innovative Systems for Intelligent Health Informatics (IRICT 2020). Lecture Notes on Data Engineering and Communications Technologies, Springer, 2021, vol 72, pp. 815–825. DOI: 10.1007/978-3-030-70713-2_74.

Alherbawi, N., Shukur, Z., & Sulaiman, R. A Survey on Data Carving in Digital Forensic. Asian Journal of Information Technology, 2016, vol. 15, no. 24, pp. 5137-5144. Available at: http://docsdrive.com/pdfs/medwelljournals/ajit/2016/5137-5144.pdf (accessed 19.09.2023).

Kävrestad, J. Analyzing Data and Writing Reports. Fundamentals of Digital Forensics. Springer International Publishing, 2020, pp. 85–98. DOI: 10.1007/978-3-030-38954-3_10.

Lin, X. File Carving. Introductory Computer Forensics. Springer International Publishing, 2018, pp. 211–233. DOI: 10.1007/978-3-030-00581-8_9.

Garfinkel, S. L. Carving contiguous and fragmented files with fast object validation. Digital Investigation, 2007, vol. 4, pp. 2–12. DOI:10.1016/j.diin.2007.06.017.

Dubettier, A., Gernot, T., Giguet, E., & Rosenberger, C. File type identification tools for digital investigations. Forensic Science International: Digital Investigation, 2023, vol. 46, article no. 301574. DOI: 10.1016/j.fsidi.2023.301574.

Alghafli, K., Jones, A., & Martin, T. Investigating and measuring capabilities of the forensics file carving techniques. Future Information Technology. Lecture Notes in Electrical Engineering, Springer, 2014, vol 276, pp. 329–336. DOI:10.1007/978-3-642-40861-8_47.

Kloet, S. J. J. Measuring and Improving the Quality of File Carving Methods. MSc thesis, Eindhoven University of Technology, Department of Mathematics and Computer Science, The Netherlands, 2007. 111 p. Available at: https://research.tue.nl/files/46916835/ 635640 -1.pdf (accessed 25.06.2023)

Laurenson, T. Performance analysis of file carving tools. IFIP Advances in Information and Communication Technology. Security and Privacy Protection in Information Processing Systems, 2013, vol. 405, pp. 419–433. DOI: 10.1007/978-3-642-39218-4_31.

Zanero, S. File block classification by Support Vector Machines. 2011 Sixth International Conference on Availability, Reliability and Security, Vienna, Austria, 2011, pp. 307-312. DOI: 10.1109/ARES.2011.52.

Fitzgerald, S., Mathews, G., Morris, C., & Zhulyn, O. Using NLP techniques for file fragment classification. Digital Investigation, 2012, vol. 9, pp.S44–S49. DOI: 10.1016/j.diin.2012.05.008.

Beebe, N. L., Maddox, L. A., Liu, L., & Sun, M. Sceadan: Using concatenated N-gram vectors for improved file and data type classification. IEEE Transactions on Information Forensics and Security, 2013, vol. 8, no. 9, pp. 1519-1530. DOI: 10.1109/TIFS.2013.2274728.

Pan, J., Liu, L., Sun, G., & Tang, Y. A method to identify the AVI-type blocks based on their four-character codes and C4.5 algorithm. 2014 International Conference on Behavioral, Economic, and Socio-Cultural Computing (BESC2014), Shanghai, China, 2014, pp. 1-7. DOI: 10.1109/BESC.2014.7059521.

Wang, F., Quach, T.-T., Wheeler, J., Aimone, J. B., & James, C. D. Sparse Coding for N-Gram Feature Extraction and Training for File Fragment Classification. IEEE Transactions on Information Forensics and Security, 2018, vol. 13, no. 10, pp. 2553-2562. DOI: 10.1109/TIFS.2018.2823697.

Karampidis, K., Kavallieratou, E., & Papadourakis, G. Comparison of Classification Algorithms for File Type Detection A Digital Forensics Perspective. POLIBITS, 2017, vol. 56, pp. 15-20. Available at: https://api.semanticscholar.org/CorpusID:51882719 (accessed 25.06.2023).

Al-Sadi, A., Yahya, M. B., & Almulhem, A. Identification of image fragments for file carving. World Congress on Internet Security (WorldCIS-2013), London, UK, 2013, pp. 151-155. DOI: 10.1109/WorldCIS.2013.6751037.

Bhatt, M., Mishra, A., Kabir, M. W. U., Blake-Gatto, S. E., Rajendra, R., Hoque, M. T., & Ahmed, I. Hierarchy-Based File Fragment Classification. Machine Learning and Knowledge Extraction, 2020, vol. 2, no. 3, pp. 216-232. DOI: 10.3390/make2030012.

Sportiello, L., & Zanero, S. Context-based file block classification. IFIP Advances in Information and Communication Technology, 2012, vol 383, pp. 67-82. DOI: 10.1007/978-3-642-33962-2_5.

Mittal, G., Korus, P., & Memon, N. FiFTy: Large-Scale File Fragment Type Identification Using Convolutional Neural Networks. IEEE Transactions on Information Forensics and Security, 2021, vol. 16, pp. 28–41. DOI: 10.1109/TIFS.2020.3004266.

Sester, J., Hayes, D., Scanlon, M., & Le-Khac, N. A. A comparative study of support vector machine and neural networks for file type identification using n-gram analysis. Forensic Science International: Digital Investigation, 2021, vol. 36, article no. 301121. DOI: 10.1016/j.fsidi.2021.301121.

Chen, Q., Liao, Q., Jiang, Z. L., Fang, J., Yiu, S., Xi, G., Li, R., Yi, Z., Wang, X., Hui, L. C. K., Liu, D., & Zhang, E. File fragment classification using grayscale image conversion and deep learning in digital forensics. 2018 IEEE Security and Privacy Workshops (SPW), San Francisco, CA, USA, 2018, pp. 140-147. DOI: 10.1109/SPW.2018.00029.

Hiester, L. File Fragment Classification Using Neural Networks with Lossless Representations. Bachelor Thesis, East Tennessee State University. Undergraduate Honors Theses, 2018, Paper 454, 36 p. Available at: https://dc.etsu.edu/honors/454 (accessed 25.06.2023).

Ghaleb, M., Saaim, K., Felemban, M., Al-Saleh, S. M., & Al-Mulhem, A. File Fragment Classification using Light-Weight Convolutional Neural Networks. arXiv (Cornell University), 2023. DOI: 10.48550/arxiv.2305.00656.

Liu, W., Wang, Y., Wu, K., Yap, K., & Chau, L. A Byte Sequence is Worth an Image: CNN for File Fragment Classification Using Bit Shift and n-Gram Embeddings. arXiv (Cornell University), 2023. DOI: 10.48550/arxiv.2304.06983.

Bharadwaj, S. Using convolutional neural networks to detect compression algorithms. arXiv (Cornell University), 2021. DOI: 10.48550/arxiv.2111.09034.

Haque, E., & Tozal, M. E. Byte embeddings for file fragment classification. Future Generation Computer Systems, 2022, vol. 127, pp. 448–461. DOI: 10.1016/j.future.2021.09.019.

Vulinovic, K., Ivkovic, L., Petrovic, J., Skracic, K., & Pale, P. Neural Networks for File Fragment Classification. 2019 42nd International Convention on Information and Communication Technology, Electronics and Microelectronics (MIPRO), Opatija, Croatia, 2019, pp. 1194-1198. DOI: 10.23919/mipro.2019.8756878.

Heo, H.-S., So, B.-M., Yang, I.-H., Yoon, S.-H., & Yu, H.-J. Automated recovery of damaged audio files using deep neural networks. Digital Investigation, 2019, vol. 30, pp. 117-126. DOI: 10.1016/j.diin.2019.07.007.

Na, G. H., Shim, K. S., Moon, K. W., Kong, S. G., Kim, E. S., & Lee, J. Frame-based recovery of corrupted video files using video codec specifications. IEEE Transactions on Image Processing, 2014, vol. 23, no. 2, pp. 517-526. DOI: 10.1109/TIP.2013.2285625.

Amrouche, S. C., & Salamani, D. Non-parametric adaptative JPEG fragments carving. Tenth International Conference on Machine Vision, Vienna, Austria, 2017, article no. 106962D. DOI: 10.1117/12.2310079.

Alghafli, K., & Martin, T. Identification and recovery of video fragments for forensics file carving. 2016 11th International Conference for Internet Technology and Secured Transactions (ICITST), Barcelona, Spain, 2016, pp. 267-272. DOI: 10.1109/ICITST.2016.7856710.

Qiu, W., Zhu, R., Guo, J., Tang, X., Liu, B., & Huang, Z. A new approach to multimedia files carving. 2014 IEEE International Conference on Bioinformatics and Bioengineering, Boca Raton, FL, USA, 2014, pp. 105-110. DOI: 10.1109/BIBE.2014.31.

Guo, J., He, J., & Huang, N. Research of Multiple-type Files Carving Method Based on Entropy. Proceedings of the 2015 4th National Conference on Electrical, Electronics and Computer Engineering, 2016, pp. 521-528. DOI: 10.2991/nceece-15.2016.98.

Ali, R. R., & Mohamad, K. M. RX_myKarve carving framework for reassembling complex fragmentations of JPEG images. Journal of King Saud University - Computer and Information Sciences, 2021, vol. 33, no. 1, pp. 21–32. DOI: 10.1016/J.JKSUCI.2018.12.007.

Al-Sharif, Z. A., Al-Khalee, A. Y., Al-Saleh, M. I., & Al-Ayyoub, M. Carving and clustering files in RAM for memory forensics. Far East Journal of Electronics and Communications, 2018, vol. 18, no. 5, pp. 695 - 722. DOI: 10.17654/ec018050695.

Zhang, L., Hao, S., & Zhang, Q. Recovering SQLite data from fragmented flash pages. Annals of Telecommunications, 2019, vol. 74, no. 7–8, pp. 451–460. DOI: 10.1007/s12243-019-00707-9.

Hilgert, J. N., Lambertz, M., Rybalka, M., & Schell, R. Syntactical Carving of PNGs and Automated Generation of Reproducible Datasets. Digital Investigation, 2019, vol. 29, pp. S22-S30. DOI: 10.1016/j.diin.2019.04.014.

Tang, Y., Fang, J., Chow, K. P., Yiu, S. M., Xu, J., Feng, B., Li, Q., & Han, Q. Recovery of heavily fragmented JPEG files. Digital Investigation, 2016, vol. 18, pp. S108-S117. DOI: 10.1016/j.diin.2016.04.016.

Ravi, A., Kumar, T. R., & Mathew, A. R. A method for carving fragmented document and image files. 2016 International Conference on Advances in Human Machine Interaction (HMI), Kodigehalli, India, 2016, pp. 1-6. DOI: 10.1109/HMI.2016.7449170.

Roussev, V., & Garfinkel, S. L. File fragment classification - The case for specialized approaches. 2009 Fourth International IEEE Workshop on Systematic Approaches to Digital Forensic Engineering, Berkeley, CA, USA, 2009, pp. 3-14. DOI: 10.1109/SADFE.2009.21.

Lin, W., & Xu, M. A Microsoft Word documents carving method base on interior virtual streams. Advanced Materials Research, 2012, vols. 433–440, pp. 3028-3032. DOI: 10.4028/www.scientific.net/AMR.433-440.3028.

Birmingham, B., Farrugia, R. A., & Vella, M. Using thumbnail affinity for fragmentation point detection of JPEG files. IEEE EUROCON 2017 -17th International Conference on Smart Technologies, Ohrid, Macedonia, 2017, pp. 3-8. DOI: 10.1109/EUROCON.2017.8011068.

Durmus, E., Korus, P., & Memon, N. Every Shred Helps: Assembling Evidence from Orphaned JPEG Fragments. IEEE Transactions on Information Forensics and Security, 2019, vol. 14, no. 9, pp. 2372-2386. DOI: 10.1109/TIFS.2019.2897912.

Chang, X., Wu, J., & Hao, F. JPEG fragment carving based on pixel similarity of MED-ED. 2019 Chinese Control Conference (CCC), Guangzhou, China, 2019, pp. 8862-8866. DOI: 10.23919/ChiCC.2019.8865161.

Uzun, E., & Sencar, H. T. JpgScraper : An Advanced Carver for JPEG Files. IEEE Transactions on Information Forensics and Security, 2020, vol. 15, pp. 1846-1857. DOI: 10.1109/TIFS.2019.2953382.

Boiko, M., & Moskalenko, V. Syntactical method for reconstructing highly fragmented OOXML files. Radioelectronic and Computer Systems, 2023, no. 1, pp. 166–182. DOI: 10.32620/reks.2023.1.14.

Hand, S., Lin, Z., Gu, G., & Thuraisingham, B. Bin-Carver: Automatic recovery of binary executable files. Digital Investigation, 2012, vol. 9, pp.S108–117. DOI: 10.1016/j.diin.2012.05.014.

Xu, M., Sun, J., Zheng, N., Qiao, T., Wu, Y., Shi, K., & Yang, T. A Novel File Carving Algorithm for EVTX Logs. Digital Forensics and Cyber Crime. ICDF2C 2017, Prague, Czech Republic, 2017, vol. 216, pp. 97–105. DOI: 10.1007/978-3-319-73697-6_7.

Memon, N., & Pal, A. Automated reassembly of file fragmented images using greedy algorithms. IEEE Transactions on Image Processing, 2006, vol. 15, no. 2, pp. 385-393. DOI: 10.1109/tip.2005.863054.

Karresand, M., Warnqvist, A., Lindahl, D., Axelsson, S., & Dyrkolbotn, G. O. Creating a Map of User Data in NTFS to Improve File Carving. Advances in Digital Forensics XV. 15th IFIP WG 11.9 International Conference, Orlando, FL, USA, 2019, pp. 133–158. DOI: 10.1007/978-3-030-28752-8_8.