Authors: Janine Schneider (Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU)), Hans-Peter Deifel (Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU)), Stefan Milius (Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU)), and Felix Freiling (Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU))

DFRWS USA 2020

Abstract

Storage resources are usually organized in abstraction layers in computing systems where higher level storage (e.g. files or file systems) is constructed from lower level storage (e.g. disk volumes).  Many forensic storage reconstruction techniques exist that gather data at lower layers and interpret this data to reconstruct higher layers. On the one hand, there are metadata-based reconstruction techniques that interpret metadata structures to precisely reconstruct upper layer content. On the other hand, there are pattern-based techniques (carving) that focus mainly on deleted files that cannot be reconstructed by other methods. Instances resembling the former approach are Carrier’s The Sleuth Kit (TSK) as well as many commercial tools, while the latter approach is used by file carvers like Foremost and Scalpel.  Based on a formalization of storage abstraction layers, we show that all these techniques can be unified within a modular reconstruction framework. We define composition operators that allow to precisely express complex reconstruction tasks that involve both metadata-based and pattern-based techniques and allow to combine their respective strengths seamlessly in forensic analysis. We present LAYR, an implementation of our approach and show that it can automatically and reliably combine different reconstruction approaches.

Downloads