coverstriada.blogg.se

Pkware memory chips





The process is easy to teach, easy to practice, and easy to explain in court. In many cases, additional steps are employed to recover evidence from sectors that are unallocated and cannot be mapped to deleted files or directories. This article refers to such sectors as the NF space. This space is typically processed with regular expressions to scan for email addresses, credit card numbers, and other kinds of recognizable text, and with file carvers such as Adroit 7 and PhotoRec 8 to recover digital images, movies, and other kinds of media.

Augmenting Extraction with Optimistic Decompression

Digital forensics tools that perform optimistic decompression operate by searching for byte patterns indicative of compressed data. When these byte patterns are identified, the tool attempts to decompress the data. The preceding section presents two cases in which it is possible to recover forensic trace information through the use of optimistic decompression.


Modern computer forensic tools employ more-or-less the same approach to process digital media. We call this approach the forensic pipeline. The pipeline can be applied directly to subject media, ideally connected to the examiner's computer with a write-blocker to prevent accidental media compromise, or it can be applied to a sector-for-sector copy (a disk image) of the original media. The forensic pipeline starts with the tool attempting to identify disk partition and file system structures, collectively referred to as filesystem metadata. Once identified, the pipeline enumerates every directory and file on the disk image, each directory is scanned, and each file is identified. For each file, the file type is determined, text is extracted and optionally indexed, pictures and videos are processed into thumbnails, and other format-specific steps are executed. Because of varying engagement rules, most of today's tools can be programmed to process allocated files, or both allocated and deleted files. This top-down processing of computer media mirrors the way that a layperson would most likely analyze the contents of a drive.


This study gauges the overall usefulness of optimistic methods by examining the results of their application to a corpus of more than a thousand images from hard drives, USB storage devices, and flash cards (referred to here as “drives” or “drive images”).

Clearly, the value of optimistic techniques depends on the subject media under examination. A drive that consists solely of blank sectors will not benefit from the technique, but a drive that has been heavily used may contain important trace evidence that can be revealed through no other approach. Optimistic methods are generally unknown to today's digital forensics practitioners and unimplemented by today's digital forensics tools. The purpose of this article is to present the techniques and experimentally determine their usefulness for recovering digital trace evidence on a variety of media.


This approach is “optimistic” because the software proceeds with the assumption that the decompression or decoding will be successful, and the results are interpreted, even if there is corruption or truncation that might prevent the recovery of the entire original data stream.


The phrases optimistic decompression 3 and optimistic decoding refer to a data analysis approach in which a sequence of bytes is examined to see whether it can be decompressed or otherwise decoded. If so, the bytes are decoded and processed.
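The byte-pattern search and the tolerance for truncation described in this article can be sketched as follows. This is an added example, not code from the article or from any forensic tool; the function names (`try_inflate`, `scan`), the header list, and the sample buffer are assumptions constructed for illustration, and only zlib and gzip streams are covered.

```python
import gzip
import zlib

# Byte patterns that usually begin a zlib or gzip stream (a heuristic, not proof).
ZLIB_HEADERS = (b"\x78\x01", b"\x78\x5e", b"\x78\x9c", b"\x78\xda")
GZIP_MAGIC = b"\x1f\x8b\x08"

def try_inflate(data, wbits, chunk=64, limit=1 << 20):
    """Decode as far as possible; return (output, reached_end_of_stream)."""
    d = zlib.decompressobj(wbits)
    out = bytearray()
    for i in range(0, len(data), chunk):
        try:
            out += d.decompress(data[i:i + chunk])
        except zlib.error:
            break                       # corrupt or overwritten: keep the prefix
        if d.eof or len(out) >= limit:  # limit bounds output from hostile input
            break
    return bytes(out), d.eof

def scan(buf, min_out=16):
    """Return (offset, kind, recovered, complete) for every candidate stream."""
    view, hits = memoryview(buf), []
    for off in range(len(buf) - 2):
        if buf[off:off + 2] in ZLIB_HEADERS:
            kind, wbits = "zlib", zlib.MAX_WBITS
        elif buf[off:off + 3] == GZIP_MAGIC:
            kind, wbits = "gzip", zlib.MAX_WBITS | 16
        else:
            continue
        out, complete = try_inflate(view[off:], wbits)
        if len(out) >= min_out:         # drop hits that decode to almost nothing
            hits.append((off, kind, out, complete))
    return hits

# Constructed sample standing in for unallocated sectors: a zlib stream cut in
# half (as if partially overwritten), zero fill, then an intact gzip stream.
TEXT = b"From: alice@example.com\n" + b"".join(
    b"record %04d value %d\n" % (i, i * i * 7919 % 100003) for i in range(200))
CUT = zlib.compress(TEXT)
CUT = CUT[:len(CUT) // 2]
NOTE = b"meeting notes: transfer scheduled for friday\n"
SAMPLE = b"\x00" * 512 + CUT + b"\x00" * 512 + gzip.compress(NOTE)

if __name__ == "__main__":
    for off, kind, out, complete in scan(SAMPLE):
        print(off, kind, "complete" if complete else "partial", out[:40])
```

Bytes recovered from a partial stream can end in garbage where the decoder ran into overwritten data, so the output should be fed to the same text and carving passes used on raw sectors rather than trusted as a file.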


In all cases, when these files are relocated during the course of defragmentation, or when they are deleted and partially overwritten, compressed data can be left in unallocated sectors.


pptx file formats used by Microsoft Office store content as compressed XML files in ZIP archives 6.





