Abstract
In digital forensics, file carving is the process of recovering files from storage media without any file system information. When a file is deleted, the file system does not zero out the corresponding data blocks, because their content will later be overwritten by new files. Because a deleted file may be divided into different parts, or remain contiguous but be partly occupied by a new file, evidence may be found in deleted file fragments. Identifying the type of a file fragment is therefore a necessary step for effective file carving. In this paper, we propose a file fragment type identification network architecture based on convolutional neural networks (CNN) and Long Short-Term Memory (LSTM). Specifically, we first use a trainable embedding layer to convert sparse binary file fragments into compact real-valued representations. Successive convolutional modules then learn higher-level representations of the file fragments. Finally, the obtained features are fed into an LSTM for classification. Our proposed deep network architecture was trained and tested on FFT-75, the largest public file fragment dataset. Experimental results show that we achieve average accuracies of 66.5% and 78.6% for 512-byte and 4096-byte file fragments, respectively, which are higher than those of existing work.