Case study of file carving in unallocated space

Authors

  • Marcelo Cirilo de Souza Instituto de Criminalística, Superintendência de Polícia Técnico-Científica, São Paulo (SP), Brasil

Keywords:

computer forensics, file carving, data recovery

Abstract

In computer forensic analysis it is necessary to look for evidence in every partition of the analyzed disk. However, the evidence has often been deleted beforehand, either in an attempt to hide proof or simply because a long time had passed, the user no longer needed the file and deleted it. This article therefore demonstrates how deleted files are analyzed and how they are discovered in the unallocated area of the non-volatile memory (HDD, SSD, etc.) of the analyzed hard disk drive. To carry out this analysis, a brief review of hash algorithms was made for files with previously known hash values, along with an analysis of file headers by viewing the files in hex, so that it was possible to determine the file extension, the original file and its directory of origin. To make the practice accessible to all users, free forensic software was used: Guymager for forensic acquisition and Autopsy for analyzing the recovered data. Although free and commercial programs for forensic analysis exist, interpretation of the data is still necessary, and the method proved capable of recovering and identifying files that had been erased from memory even when they had been partially overwritten.
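As an added illustration of the two techniques the abstract names (header signature carving in unallocated space and hash comparison against known files), the following Python snippet is not from the article or its tools; the signature table, the sample buffer and the known-hash set are all constructed here.

```python
import hashlib

# Constructed subset of header/footer signatures of the kind listed in
# public file-signature tables (real values, small selection).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def carve(image: bytes):
    """Scan a raw buffer (standing in for unallocated space) for known headers.

    Each hit is carved from its header to the next matching footer; a header
    with no footer is reported as a partial (possibly overwritten) file.
    Returns (offset, ext, data, complete) tuples sorted by offset.
    """
    found = []
    for ext, (head, foot) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(foot, pos + len(head))
            if end == -1:                      # footer overwritten or absent
                found.append((pos, ext, image[pos:], False))
                break
            end += len(foot)
            found.append((pos, ext, image[pos:end], True))
            pos = image.find(head, end)
    return sorted(found, key=lambda f: f[0])

def match_known(carved, known_hashes):
    """Hash each carved object and flag those present in a known-hash set."""
    return [(off, ext, complete, hashlib.sha256(data).hexdigest() in known_hashes)
            for off, ext, data, complete in carved]

# Constructed sample "unallocated space": slack, a minimal complete JPEG,
# a PDF fragment, then a PNG whose tail was overwritten (no IEND footer).
JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 8 + b"\xff\xd9"
PDF = b"%PDF-1.4\n1 0 obj<<>>endobj\n%%EOF"
PNG_PARTIAL = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
IMAGE = b"\x00" * 32 + JPEG + b"\xaa" * 7 + PDF + b"\x00" * 5 + PNG_PARTIAL
KNOWN = {hashlib.sha256(JPEG).hexdigest()}   # stands in for a known-file hash list

if __name__ == "__main__":
    for off, ext, complete, known in match_known(carve(IMAGE), KNOWN):
        print(f"offset {off:5d}  type {ext}  complete={complete}  known={known}")
```

A real carver works on a disk image read in chunks and must handle false positives (a footer byte pattern inside unrelated data), which this minimal version does not.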

Author Biography

Marcelo Cirilo de Souza, Instituto de Criminalística, Superintendência de Polícia Técnico-Científica, São Paulo (SP), Brasil

Chemical Engineering graduate (UNICAMP).
Computer Engineering student (UNIVESP).
Master's student at IME (USP).
Criminal Expert in the State of São Paulo since 2017, performing analyses in the field of Criminalistics related to cyber crimes.

Published

2024-04-30

How to Cite

DE SOUZA, M. C. Case study of file carving in unallocated space. Portugues, [S. l.], v. 5, n. 2, p. 66-78, 2024. Available at: https://fateccampinas.com.br/rbti/index.php/fatec/article/view/95. Accessed: 14 Aug. 2024.

Section

Articles