File Recovery Method in NTFS-Based Damaged RAID System

Jong Hyun Choi, Sangjin Lee

Research output: Contribution to journalArticlepeer-review

Abstract

Due to the recent demand for mass storage devices, a redundant array of independent disks (RAID) is used in network-attached storage (NAS), direct-attached storage (DAS), servers, and workstations in addition to laptops and PCs. RAID makes multiple disks into volumes, and alternately stores stripe sizes on member disks. Due to these characteristics, RAID systems create several research issues in digital forensics. One of them, a damaged RAID system, is a case where the RAID configuration information is known, but some member disks are lost. The damaged RAID system has lost some member disks, so it stores a striped filesystem and files when reassembled into volumes. Striped file systems and files are distinctive forms in which data is fragmented within volumes so that meaningful data must be found in the fragmented data. This form is not supported by previous research or other digital forensics tools, and is unknown. In this paper, targeting the NTFS file system, which is the most used file system, we propose and verify a file recovery method from a damaged RAID system by combining RAID reconstruction, file system analysis, striped file system analysis, file carving, and striped file analysis.

Original languageEnglish
Article number40
JournalHuman-centric Computing and Information Sciences
Volume12
DOIs
Publication statusPublished - 2022

Keywords

  • Damaged raid
  • File recovery
  • Striped file
  • Striped file system

ASJC Scopus subject areas

  • Computer Science(all)

Fingerprint

Dive into the research topics of 'File Recovery Method in NTFS-Based Damaged RAID System'. Together they form a unique fingerprint.

Cite this