Authors: Jan-Niclas Hilgert (Fraunhofer FKIE), Martin Lambertz (Fraunhofer FKIE), Mariia Rybalka (Fraunhofer FKIE), and Roman Schell (Fraunhofer FKIE)
DFRWS USA 2019
File carving is a technique to recover files from a storage medium without relying on a file system or other external metadata. As long as the files have been stored contiguously, most file formats are comparatively easy to carve. The moment files have been stored fragmented, the carving process becomes a highly complicated task even when the fragmentation scenario is relatively simple and most file carvers available today are not capable of restoring such files correctly.
In this paper, we apply syntactical file carving, i.e. the process of utilizing the syntax of a file format to the maximum extent, to the PNG file format. By doing so, we show that the complexity of carving files even in very convoluted fragmentation scenarios can be significantly reduced. Furthermore, we provide a prototypical implementation of a syntactical PNG file carver. In our evaluation, the carver was able to restore 98% of the test files completely and correctly, while the remaining files were at least partially recovered.
Since most of the publicly available file carving datasets do not contain PNG files, we created a custom dataset for our evaluation resembling the DFRWS forensic challenges from 2006 to 2007. To ease the creation of such datasets we implemented a dataset generation framework. Using our framework it is possible to create complex fragmentation scenarios with just a few lines of code and configuration. Through this, we hope to encourage the creation of publicly available datasets and to foster further research in the area of file carving.