Authors: Yanbin Tang (University of Hong Kong), Junbin Fang (Jinan University), K.P. Chow (University of Hong Kong), Siu Ming (University of Hong Kong), Jun Xu (Harbin Institute of Technology), Bo Feng (Stony Brook University), Qiong Li (Harbin Institute of Technology), Qi Han (Harbin Institute of Technology)

DFRWS USA 2016

Abstract

File carving from a damaged file system plays an important role in file recovery for identifying evidence in digital forensics. In this paper, we focus on JPEG file carving, with an emphasis on heavily fragmented cases. The difficulty lies in how to order fragmented pieces into a complete picture without sufficient decoding information. We provide a framework to tackle this problem, which consists of the following key components: (i) a new similarity metric (CED) to evaluate whether two data blocks are consecutive in the same JPEG file, and a fragmentation point detection algorithm based on CED; and (ii) an overall recovery algorithm to reconstruct the JPEG file from fragmented pieces. The proposed framework was verified on an image dump from an SD card of a digital camera. The results were compared to Adroit Photo Forensics (APF), a commonly used photo carving tool. In our experiments, our tool automatically recovered 97% of fragmented JPEG files (versus 79% by APF).
