Abstract

With the drastic rise in digital crime, emphasis is placed on digital forensics to solve crimes. Evidence extracted from digital devices is now considered sufficient to prove a defendant guilty in the courtroom. While gathering proof from a system, a significant place to look is primary memory (commonly called RAM). RAM holds information about the current state of the system. It often happens that the metadata of a file is deleted or is not available to the digital investigator. In such cases, retrieving the file from RAM becomes very challenging, because data is placed at random locations in RAM and the allocation tables are no longer valid once the power supply to the system is removed. When carving these instances that are randomly scattered across RAM, their usefulness in the legal process cannot be ensured. The Microsoft Open Office XML file format (OOXML FF) is one of the most widely used formats, yet it has not been much explored in forensics (and carving). Our research intends to improve the technique of carving an OOXML file: we employ clustering to collect the chunks of the same data based on a similarity feature. Numerous OOXML files are used in our experiments, where we extract and rearrange their textual contents using clustering techniques, i.e. K-means and hierarchical clustering. The results are quite encouraging and show that our proposed method can be used for carving the OOXML format. Our technique for extracting an OOXML document from RAM reduces the hassle and saves ample time for the digital investigator, who would otherwise have to go through every document available on the system to find the one concerned.
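The abstract describes the core idea at a high level: text chunks of OOXML documents lie scattered in RAM, and clustering on a similarity feature regroups the chunks that belong to the same document. The following added example (not code from the paper or its authors) illustrates one such pipeline: it carves `<w:t>` text runs from a constructed byte buffer that stands in for a memory dump, turns each run into a bag-of-words feature vector, and regroups the runs with average-linkage hierarchical clustering, one of the two clustering methods the abstract names. The dump contents, the assumption that the decompressed `word/document.xml` text is resident in memory in plain form, the stop-word list and the cosine similarity feature are all assumptions of this example, not details taken from the paper.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a RAM dump: <w:t> text runs from two different
# OOXML documents interleaved with unrelated binary bytes. Assumption: the
# decompressed document.xml text is resident in memory as plain UTF-8.
DOC_A = [
    "<w:t>Quarterly revenue report for the finance committee</w:t>",
    "<w:t>Revenue grew while the finance committee reviewed the budget</w:t>",
    "<w:t>The committee approved the revenue budget for next quarter</w:t>",
]
DOC_B = [
    "<w:t>Network maintenance window scheduled for the core switches</w:t>",
    "<w:t>The core switches reboot during the maintenance window</w:t>",
    "<w:t>Notify users about the scheduled switch maintenance</w:t>",
]
NOISE = b"\x00\x11\xff\x7f\x01\xa9\x00\x00"


def build_dump() -> bytes:
    """Scatter the runs of both documents through the buffer (constructed order)."""
    order = [DOC_A[0], DOC_B[0], DOC_A[1], DOC_B[1], DOC_B[2], DOC_A[2]]
    buf = bytearray()
    for frag in order:
        buf += NOISE + frag.encode("utf-8") + NOISE
    return bytes(buf)


# Carving step: locate WordprocessingML text runs by their <w:t> markers.
RUN_RE = re.compile(rb"<w:t(?: [^>]*)?>(.*?)</w:t>", re.DOTALL)


def carve_text_runs(dump: bytes) -> list[str]:
    """Return the text of every <w:t> run, in order of memory offset."""
    return [m.group(1).decode("utf-8", errors="replace") for m in RUN_RE.finditer(dump)]


# Similarity feature (assumption of this example): bag of lowercase words
# minus a small stop-word list, compared with cosine similarity.
WORD_RE = re.compile(r"[a-z]+")
STOP = {"the", "for", "and", "of", "to", "a", "in", "while", "next"}


def features(text: str) -> Counter:
    return Counter(w for w in WORD_RE.findall(text.lower()) if w not in STOP)


def cosine(a: Counter, b: Counter) -> float:
    dot = sum(a[w] * b[w] for w in a if w in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def cluster_runs(runs: list[str], k: int) -> list[list[int]]:
    """Average-linkage agglomerative clustering of run indices into k groups."""
    feats = [features(r) for r in runs]
    clusters = [[i] for i in range(len(runs))]

    def linkage(c1, c2):
        return sum(cosine(feats[i], feats[j]) for i in c1 for j in c2) / (len(c1) * len(c2))

    while len(clusters) > k:
        best = None
        for x in range(len(clusters)):
            for y in range(x + 1, len(clusters)):
                s = linkage(clusters[x], clusters[y])
                if best is None or s > best[0]:
                    best = (s, x, y)
        _, x, y = best
        merged = clusters[x] + clusters[y]
        clusters = [c for i, c in enumerate(clusters) if i not in (x, y)] + [merged]
    return [sorted(c) for c in clusters]


def reassemble(dump: bytes, k: int) -> list[str]:
    """Carve, cluster, and join each cluster's runs in memory-offset order.

    Assumption: offset order approximates document order, which is a
    heuristic and not a guarantee for a real dump.
    """
    runs = carve_text_runs(dump)
    return [" ".join(runs[i] for i in c) for c in cluster_runs(runs, k)]


if __name__ == "__main__":
    for i, doc in enumerate(reassemble(build_dump(), k=2)):
        print(f"document {i}: {doc}")
```

The clustering is deliberately written without a numeric library so the linkage computation is visible; on a real dump, a practitioner would replace the word-overlap feature with whatever similarity measure the investigation calls for and would verify each reassembled document against other evidence before relying on it.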
