Recovering Multimedia Files from a Memory Image

The widespread use of digital technologies increases the amount of data stored on digital media, and with it the data-security risks. One of the most important risks to personal data is unauthorized or accidental deletion. File recovery and carving tools exist for recovering deleted files from storage devices. A file must be loaded into RAM before the operating system can use it, and the memory manager keeps those pages in RAM for some time afterwards; a file that the user has opened or deleted can therefore still be found in RAM, and file carving techniques must be applied to the RAM image to retrieve it. This study compares the carving results and performance values obtained when multimedia files are carved from a RAM image with different signature structures. Carving was performed using the header and footer signatures of multimedia files (JPG, PNG, GIF, BMP) that had been opened and then closed on the Windows 10 operating system. For each file type, carving duration and carving success rate were measured with different signature structures for the same file type, and the performance of each multimedia file type was evaluated according to the signature structure used. The RAM image acquisition and file carving software used in the study was developed by us as part of a Ph.D. project.
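The carving approach the abstract describes, header/footer signature matching over a raw RAM image, as an added example that is not the paper's own tool. It uses the standard magic numbers of the four formats (JPEG FF D8 FF / FF D9, PNG signature / IEND chunk, GIF8 / 00 3B trailer, and for BMP, which has no footer, the file size stored in its header) and runs over a constructed byte buffer standing in for a memory dump. The loose and strict JPEG signature sets illustrate the trade-off the abstract measures: a longer signature structure yields fewer false positives but misses variants of the same type. The names `Signature`, `carve`, `LOOSE` and `STRICT_JPG` are this example's own.

```python
"""Header/footer signature carving over a raw memory image.
Added example, not the paper's own tool. The memory image below is a
constructed byte buffer standing in for a RAM dump, so this runs offline."""
import struct
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Signature:
    name: str
    header: bytes
    footer: Optional[bytes] = None        # None: length comes from the header instead
    length_from_header: Optional[Callable[[bytes, int], Optional[int]]] = None
    max_len: int = 16 * 1024 * 1024       # give up if no footer within this window


@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes


def bmp_length(buf: bytes, off: int) -> Optional[int]:
    """BMP has no footer: BITMAPFILEHEADER stores the file size as uint32 LE at +2.
    The sanity check rejects the many random 'BM' pairs found in a RAM image."""
    if off + 6 > len(buf):
        return None
    size = struct.unpack_from("<I", buf, off + 2)[0]
    return size if 14 + 12 <= size <= len(buf) - off else None


# Loose signatures: short headers catch every variant of a format.
LOOSE = [
    Signature("jpg", b"\xff\xd8\xff", b"\xff\xd9"),
    Signature("png", b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    Signature("gif", b"GIF8", b"\x00\x3b"),   # GIF87a/89a; 0x3B trailer after block terminator
    Signature("bmp", b"BM", None, bmp_length),
]
# Strict JPEG signature: the full JFIF APP0 marker. Fewer false positives,
# but EXIF JPEGs (FF D8 FF E1) are missed entirely.
STRICT_JPG = [Signature("jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF", b"\xff\xd9")]


def carve(buf: bytes, sigs: List[Signature]) -> List[Carved]:
    """Scan buf once per signature; emit every header that has a usable end."""
    out: List[Carved] = []
    for sig in sigs:
        pos = 0
        while (off := buf.find(sig.header, pos)) >= 0:
            end = None
            if sig.footer is not None:
                limit = min(len(buf), off + sig.max_len)
                f = buf.find(sig.footer, off + len(sig.header), limit)
                if f >= 0:
                    end = f + len(sig.footer)
            elif sig.length_from_header is not None:
                n = sig.length_from_header(buf, off)
                if n is not None and n <= sig.max_len:
                    end = off + n
            if end is None:        # header whose tail was paged out or overwritten
                pos = off + 1
                continue
            out.append(Carved(sig.name, off, buf[off:end]))
            pos = end              # resume after the file, not inside it
    out.sort(key=lambda c: c.offset)
    return out


def count_by_kind(carved: List[Carved]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for c in carved:
        counts[c.kind] = counts.get(c.kind, 0) + 1
    return counts


def make_sample_image() -> Tuple[bytes, Dict[str, bytes]]:
    """Constructed stand-in for a RAM dump: minimal but structurally valid files
    separated by zero filler, plus a dangling JPEG header with no footer."""
    jpg_jfif = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                + b"\x00" * 20 + b"\xff\xd9")
    jpg_exif = b"\xff\xd8\xff\xe1\x00\x08Exif\x00\x00" + b"\x00" * 12 + b"\xff\xd9"
    png = (b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
           + b"\x00\x00\x00\x00IEND\xaeB`\x82")
    gif = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
           + b"\x2c" + b"\x00" * 9 + b"\x02\x02\x44\x01\x00\x3b")
    bmp = (b"BM" + struct.pack("<IHHI", 30, 0, 0, 26)
           + struct.pack("<IHHHH", 12, 1, 1, 1, 24) + b"\x00\x00\xff\x00")
    dangling = b"\xff\xd8\xff\xe1" + b"\x00" * 8
    filler = b"\x00" * 32
    originals = {"jpg_jfif": jpg_jfif, "png": png, "gif": gif, "bmp": bmp, "jpg_exif": jpg_exif}
    buf = filler
    for blob in (jpg_jfif, png, gif, bmp, jpg_exif, dangling):
        buf += blob + filler
    return buf, originals


if __name__ == "__main__":
    image, _ = make_sample_image()
    for c in carve(image, LOOSE):
        print(f"{c.kind} @ {c.offset:#08x}, {len(c.data)} bytes")
    print("loose :", count_by_kind(carve(image, LOOSE)))
    print("strict:", count_by_kind(carve(image, STRICT_JPG)))
```

On the sample image the loose set recovers both JPEGs, the strict JFIF-only set recovers one, and the dangling header (a file whose tail is no longer resident) is skipped by both. Two caveats a practitioner would add before trusting the counts: first-footer carving truncates a JPEG that carries an EXIF thumbnail, because the embedded thumbnail ends with its own FF D9; and a carved candidate is only a hit once it decodes, so a real pipeline validates each result (for example by parsing the PNG chunk chain or decoding the JPEG) rather than counting signature pairs.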
Politeknik Dergisi
  • ISSN: 1302-0900
  • Publication frequency: 4 issues per year
  • First published: 1998
  • Publisher: GAZİ ÜNİVERSİTESİ