Abstract

One of the major components in Digital Forensics is the extraction of files from a criminal’s hard drives. To achieve this, several techniques are used. One of these techniques is using file carvers. File carvers are used when the system metadata or the file table is damaged but the contents of the hard drive are still intact. File carvers work on the raw fragments in the hard disk and reconstruct files by classifying the fragments and then reassembling them to form the complete file. Hence the classification of file fragments has been an important problem in the field of digital forensics. The work on this problem has mainly relied on finding the specific byte sequences in the file header and footer. However, classification based on header and footer is not reliable as they may be modified or missing. In this project, the goal is to present a machine learning-based approach for content-based analysis to recognize the file types of file fragments. It does so by training a Feed-Forward Neural Network with a 2-byte sequence histogram feature vector which is calculated for each file. These files are obtained from a publicly available file corpus named Govdocs1. The results show that content-based analysis is more reliable than relying on the header and footer data of files.

Highlights

  • There are several ways to restore files

  • If the file system index is available, standard methods use it to restore the blocks of the deleted file

  • In computer forensics, file carving is the act of extracting data from a disk drive or other storage device without using the file system that originally created the file


Summary

Introduction

There are several ways to restore files. If the file system index is available, standard methods use it to restore the blocks of the deleted file. As a forensics technique that recovers files based on their structure and content, without any matching file system metadata, file carving is regularly used to recover files from the unallocated space of a drive. Unallocated space refers to the area of the drive that no longer holds any file data according to file system structures such as the file table. File carving is the process of reconstructing files by scanning the raw bytes of the disk and reassembling them. This is typically done by inspecting the header (the first few bytes) and footer (the last few bytes) of a file.
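The contrast between header/footer matching and the abstract's 2-byte sequence histogram can be shown on fragments cut from the middle of a file. The following Python sketch is an added example, not code from the paper: a nearest-reference cosine comparison stands in for the Feed-Forward Neural Network, and the signature table, the sample data and the overlapping-window choice are assumptions.

```python
import math
from collections import Counter

# Header/footer signatures as a signature-based carver would use them (constructed table).
SIGNATURES = {"html": (b"<html", b"</html>"), "pdf": (b"%PDF-", b"%%EOF")}

def signature_type(fragment: bytes):
    """Return a type only if a known header or footer is present in the fragment."""
    for name, (header, footer) in SIGNATURES.items():
        if fragment.startswith(header) or fragment.rstrip().endswith(footer):
            return name
    return None

def bigram_histogram(fragment: bytes) -> Counter:
    """Sparse normalised histogram over the 65,536 possible 2-byte sequences.
    Assumption: overlapping windows (stride 1); key = first_byte * 256 + second_byte."""
    total = len(fragment) - 1
    if total < 1:
        return Counter()
    counts = Counter((fragment[i] << 8) | fragment[i + 1] for i in range(total))
    return Counter({k: v / total for k, v in counts.items()})

def cosine(a: Counter, b: Counter) -> float:
    dot = sum(v * b.get(k, 0.0) for k, v in a.items())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def classify(fragment: bytes, references: dict) -> str:
    """Nearest reference histogram by cosine similarity (stand-in for the trained network)."""
    hist = bigram_histogram(fragment)
    return max(references, key=lambda name: cosine(hist, references[name]))

# Constructed reference data, one sample per type (a real model trains on many files).
REFERENCES = {
    "html": bigram_histogram(
        b"<html><body><p>report</p><table><tr><td>name</td></tr></table></body></html>"),
    "csv": bigram_histogram(b"1024,2048,4096\n17,23,42\n300,400,500\n"),
}

# Constructed fragments cut from the middle of files: no header or footer survives.
HTML_FRAGMENT = b"<tr><td>alice</td><td>bob</td></tr><tr><td>carol</td></tr>"
CSV_FRAGMENT = b"96,128,256\n77,88,99\n6,7,8"

if __name__ == "__main__":
    for frag in (HTML_FRAGMENT, CSV_FRAGMENT):
        print(signature_type(frag), classify(frag, REFERENCES))
```

Both fragments get no answer from the signature check, while the byte-pair statistics still separate them.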
