Study on a carving method for deleted NTFS compressed files

Byeongyeong Yoo, Jungheum Park, Jewan Bang, Sangjin Lee

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

File carving is a method that recovers files from unallocated space without relying on any file information, and it is used to recover data in digital forensic investigations. In general, file carving recovers files using the header and footer inherent to the file, or the entire file size recorded in the file header. NTFS itself supports a compression function for the files it stores. However, the NTFS compression function has not been considered in file carving, so most file carving tools cannot recover NTFS compressed files. This study describes the limitations of existing file carving tools with respect to NTFS compressed files and proposes a method for recovering deleted NTFS compressed files.

Original language: English
Title of host publication: 2010 3rd International Conference on Human-Centric Computing, HumanCom 2010
DOI: https://doi.org/10.1109/HUMANCOM.2010.5563317
Publication status: Published - 2010 Oct 28
Event: 2010 3rd International Conference on Human-Centric Computing, HumanCom 2010 - Cebu, Philippines
Duration: 2010 Aug 11 to 2010 Aug 13

Other

Other: 2010 3rd International Conference on Human-Centric Computing, HumanCom 2010
Country: Philippines
City: Cebu
Period: 10/8/11 to 10/8/13

Keywords

  • Digital forensic
  • File carving
  • NTFS compressed files

ASJC Scopus subject areas

  • Computational Theory and Mathematics
  • Human-Computer Interaction
  • Software

Cite this

Yoo, B., Park, J., Bang, J., & Lee, S. (2010). Study on a carving method for deleted NTFS compressed files. In 2010 3rd International Conference on Human-Centric Computing, HumanCom 2010 [5563317] https://doi.org/10.1109/HUMANCOM.2010.5563317

@inproceedings{7f7805a03bdd4ab9b21ab6d5480169c0,
title = "Study on a carving method for deleted NTFS compressed files",
keywords = "Digital forensic, File carving, NTFS compressed files",
author = "Byeongyeong Yoo and Jungheum Park and Jewan Bang and Sangjin Lee",
year = "2010",
month = "10",
day = "28",
doi = "10.1109/HUMANCOM.2010.5563317",
language = "English",
isbn = "9781424475704",
booktitle = "2010 3rd International Conference on Human-Centric Computing, HumanCom 2010",

}

TY - GEN

T1 - Study on a carving method for deleted NTFS compressed files

AU - Yoo, Byeongyeong

AU - Park, Jungheum

AU - Bang, Jewan

AU - Lee, Sangjin

PY - 2010/10/28

Y1 - 2010/10/28

KW - Digital forensic

KW - File carving

KW - NTFS compressed files

UR - http://www.scopus.com/inward/record.url?scp=77958193048&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=77958193048&partnerID=8YFLogxK

U2 - 10.1109/HUMANCOM.2010.5563317

DO - 10.1109/HUMANCOM.2010.5563317

M3 - Conference contribution

AN - SCOPUS:77958193048

SN - 9781424475704

BT - 2010 3rd International Conference on Human-Centric Computing, HumanCom 2010

ER -