Forensic tool will advance data recovery

New computer forensic tools will make it possible to recover more data from corrupted hard drives so long as the missing files haven't been overwritten.

New computer forensic tools will make it possible to recover more data from corrupted hard drives so long as the missing files haven't been overwritten.

Finding criminal data on cell phones and game consoles is tough

Tools designed to harvest images from disks even after they have been deleted from the file system can be adapted to seek other file formats including Word documents, says Nasir Memon, a professor at the Polytechnic Institute of New York University.

In research that he hasn't yet published, Memon says will show that techniques used to cull images can be adapted to find text files, a capability that would be attractive to businesses trying to salvage data that may be fragmented and dispersed across a corrupted drive.

The text tool will examine fragmented chunks of files that may be distributed across a disk and analyze their content to see which ones likely go together. "It looks at global differences, for example, Twain vs. Shakespeare. Syntax helps eliminate false positives," Memon says.

The tool is based on a recovery method known as SmartCarving that was discovered at NYU and is commercially sold by vendor DigitalAssembly, which was founded by former students of Memon.

SmartCarving can reclaim 10% to 15% of digital images that conventional forensic tools miss when trying to find files that have been deleted from the file registry, he says.

Traditional file recovery seeks a known header and footer for a file and gathers all the related data blocks in between. If the data blocks making up the file are fragmented, traditional tools crash when they hit a fragment of a different format that might be sandwiched between pieces of the file being sought, Memon says.

SmartCarving images involves drawing together data blocks from a single image that are arranged consecutively on a drive and linking them to other groups of data blocks based on whether they seem to blend using criteria such as pixel density and dimensions of the image.

In this way, it becomes possible to recover partial images when pieces are missing and to recover images when headers are missing, Memon says. "You look at what can be decoded and pick the best," he says.

The actual sorting is done by algorithms that graph data segments to see which are most like another based on preset criteria. The closer fragments fall on the graph, the better the fit they are considered to have.

Using the technique on photos can reassemble photos even if some of the image data is missing, resulting in a picture that has a band missing from it. The method can create approximate headers for image files as well, which results in gathering and reassembling enough pieces to recreate a version of the image that might not be as sharp as the original, Memon says.

New research adapts this technique to other file formats such as .doc files. It looks at the content in file fragments and classifies it based on syntactical similarities. This is akin to sorting a box of jigsaw puzzle pieces that contains the pieces for many puzzles so that all the pieces from each puzzle are put in separate boxes, Memon says. Each puzzle can then be assembled based on the shapes of the pieces and the image fragment printed on them.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Tim Greene

Network World
Topics: SmartCarving, security, digital forensics, corruption
Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?