Research of Multiple-type Files Carving Method Based on Entropy
- DOI
- 10.2991/nceece-15.2016.98
- Keywords
- File Carving; File Fragments; Entropy; Bloom filter; BFD; SVM; PUP
- Abstract
File carving is a technique for recovering data from a disk without depending on the file system, and its key step is the extraction and reassembly of file fragments. Efficient recognition and extraction of file fragments is not only the prerequisite for recovering files, but also the guarantee of a low false positive rate and high accuracy in digital forensics. In this paper, when the entropy of file fragments is low, the validation algorithms I used for the extraction are header/footer validation and entropy feature extraction validation. When the entropy of file fragments is high, besides the previous two algorithms, I introduced Bloom filter feature extraction validation, byte frequency distribution (BFD) feature extraction validation and a support vector machine (SVM) with supervised learning ability to detect the type of file fragments. After the extraction, I used Parallel Unique Path (PUP) for the reassembly of file fragments. I used the DFRWS 2007 carving challenge data set to test my method, and the result is better than using only entropy to classify multiple-type files, especially in the case of high entropy.
- Copyright
- © 2016, the Authors. Published by Atlantis Press.
- Open Access
- This is an open access article distributed under the CC BY-NC license (http://creativecommons.org/licenses/by-nc/4.0/).
Cite this article
TY - CONF
AU - Jun Guo
AU - Jingsha He
AU - Na Huang
PY - 2015/12
DA - 2015/12
TI - Research of Multiple-type Files Carving Method Based on Entropy
BT - Proceedings of the 2015 4th National Conference on Electrical, Electronics and Computer Engineering
PB - Atlantis Press
SP - 521
EP - 528
SN - 2352-5401
UR - https://doi.org/10.2991/nceece-15.2016.98
DO - 10.2991/nceece-15.2016.98
ID - Guo2015/12
ER -
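
The entropy-based routing described in the abstract, sketched as an added example that is not code from the paper: each fragment's Shannon entropy decides which validation stages it is sent to, and the BFD is the feature vector the high-entropy stages would consume. The 512-byte fragment size, the 7.0 bits/byte threshold, all function names and the sample data are assumptions made for illustration.

```python
import math
from collections import Counter

FRAGMENT_SIZE = 512    # assumption: one disk sector per fragment
HIGH_ENTROPY = 7.0     # assumption: bits/byte cut-off, not taken from the paper

def shannon_entropy(fragment: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(fragment)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(fragment).values())

def bfd(fragment: bytes) -> list:
    """Byte frequency distribution: relative frequency of each value 0..255."""
    counts = Counter(fragment)
    n = len(fragment) or 1
    return [counts.get(b, 0) / n for b in range(256)]

def validators_for(fragment: bytes, threshold: float = HIGH_ENTROPY) -> list:
    """Validation stages the abstract assigns to a fragment of this entropy."""
    stages = ["header/footer", "entropy"]
    if shannon_entropy(fragment) >= threshold:
        stages += ["bloom filter", "bfd", "svm"]
    return stages

def triage(image: bytes, size: int = FRAGMENT_SIZE) -> list:
    """Split a raw image into fragments; return (offset, entropy, stages)."""
    out = []
    for off in range(0, len(image), size):
        frag = image[off:off + size]
        out.append((off, round(shannon_entropy(frag), 3), validators_for(frag)))
    return out

# Constructed sample image: one text-like fragment, one uniformly distributed
# fragment standing in for compressed or encrypted data.
TEXT = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n" * 20)[:FRAGMENT_SIZE]
DENSE = bytes(range(256)) * 2
SAMPLE_IMAGE = TEXT + DENSE

if __name__ == "__main__":
    for off, h, stages in triage(SAMPLE_IMAGE):
        print(f"offset {off:5d}  H={h:.3f}  ->  {', '.join(stages)}")
```

The uniformly distributed fragment shows why entropy alone cannot tell high-entropy file types apart: its BFD is flat, so the extra stages named in the abstract are needed to distinguish fragments in that range.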