Forensic Carving from Unallocated Space
Keywords: Computer science; Computer science - general; Data extraction; Forensic; IT forensics; IT investigation; Digital evidence; Hard disk examination
Computer forensics investigations have become increasingly common when
investigating IT-related issues. From experience, hard disks, USB thumb drives
and memory sticks contain information that might be useful. Computer forensics
is regularly conducted by police, customs and tax investigators, but also
within private companies and organisations. However, there are areas within
the storage device that are not part of the organised structure that a file
system provides. The reason might be that the information has been erased
intentionally, that a virus destroyed the file system, and so on. Areas without
this structure are referred to as Unallocated Space, and there are problems
locating specific file information within Unallocated Space. Today, two methods
are used. The first is to use specific keywords to locate a specific file. The
other is to search for file signatures, such as a file header or file footer.
However, these methods are not especially successful. During 2006-2007 the
organisation DFRWS arranged two challenges to try to overcome these
shortcomings. The results from the challenges raised interesting aspects that
might be possible to work on further. Most of the specific forensic software
available does not incorporate good methods for file extraction and basically
relies on the two methods mentioned above.
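
The two search methods described above, keyword search and header/footer signature carving, shown as an added example that is not part of the original text. The buffer is constructed, and the JPEG markers, the 512-byte sector size and all function names are assumptions chosen for illustration; the second carved span shows one way signature carving goes wrong, when a file's sectors are not contiguous.

```python
# Added example: keyword search and header/footer carving over a constructed buffer.
JPEG_HEADER = b"\xff\xd8\xff"   # JPEG start-of-image marker plus first marker byte
JPEG_FOOTER = b"\xff\xd9"       # JPEG end-of-image marker
SECTOR = 512                    # assumed sector size

def keyword_hits(data, keyword):
    """Method 1: return every byte offset where the keyword occurs."""
    hits, pos = [], data.find(keyword)
    while pos != -1:
        hits.append(pos)
        pos = data.find(keyword, pos + 1)
    return hits

def carve(data, header=JPEG_HEADER, footer=JPEG_FOOTER, max_size=1 << 20):
    """Method 2: return (start, end) spans from each header to the next footer."""
    spans, pos = [], data.find(header)
    while pos != -1:
        end = data.find(footer, pos + len(header), pos + max_size)
        if end == -1:                      # header with no footer in range: skip it
            pos = data.find(header, pos + 1)
            continue
        spans.append((pos, end + len(footer)))
        pos = data.find(header, end + len(footer))
    return spans

def sector(payload):
    """Pad a payload with zero bytes to one full sector."""
    return payload.ljust(SECTOR, b"\x00")

def build_sample():
    """Constructed unallocated space: one contiguous file, one fragmented file."""
    whole = sector(JPEG_HEADER + b"\xe0" + b"A" * 100 + JPEG_FOOTER)
    frag1 = JPEG_HEADER + b"\xe0" + b"B" * (SECTOR - 4)   # first fragment, full sector
    foreign = sector(b"invoice 2007 confidential")         # unrelated data in between
    frag2 = sector(b"B" * 50 + JPEG_FOOTER)                # last fragment with footer
    return sector(b"") + whole + frag1 + foreign + frag2

if __name__ == "__main__":
    data = build_sample()
    print("keyword 'invoice' at offsets:", keyword_hits(data, b"invoice"))
    for start, end in carve(data):
        polluted = b"invoice" in data[start:end]
        print(f"carved {start}-{end} ({end - start} bytes), foreign data inside: {polluted}")
```
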