Analysis of false positive occurrences in formatted data recovery

  • Rubens K. P. Silva UPE
  • Islan A. Bezerra UPE
  • Sidney M. L. de Lima UFPE
  • Sérgio M. M. Fernandes UPE

Abstract


Data carving makes attempts to hide digital evidence by deleting or formatting files ineffective. This study evaluates the ability of forensic data carving software to recover various files, especially .doc and .docx, even after formatting. The following data carving tools were selected: Foremost, Scalpel, Recuva, PhotoRec, Autopsy and Magic Rescue, all widely used and recognized in the forensic area. The evaluation considered the false positive and true positive rate metrics, in addition to the runtime and the quantity and size of the recovered files, in two distinct scenarios. A dataset of 16,000 files of various extensions was built for the experiments. The results indicated that Recuva, Autopsy and PhotoRec presented the best performances, with true positive rates exceeding 90% in all scenarios. Regarding false positives, Recuva stood out with a rate of approximately 1%, surpassing the other tools.

Published
2024-09-16
SILVA, Rubens K. P.; BEZERRA, Islan A.; LIMA, Sidney M. L. de; FERNANDES, Sérgio M. M. Analysis of false positive occurrences in formatted data recovery. In: BRAZILIAN SYMPOSIUM ON CYBERSECURITY (SBSEG), 24., 2024, São José dos Campos/SP. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 746-752. DOI: https://doi.org/10.5753/sbseg.2024.241630.