Abstract
As digital devices become more prevalent in our society, evidence relating to crimes will be more frequently found on digital devices. Computer forensics is becoming a vital tool required by law enforcement for providing data recovery of key evidence. File carving is a powerful approach for recovering data especially when file system metadata information is unavailable. Many file carving approaches have been proposed, but cannot directly apply to encrypted file recovery. In this paper, we first identify the problem of encrypted file recovery, and then propose an effective method for encrypted file recovery through recognizing the encryption algorithm and mode in use. We classify encryption modes into two categories. For each category, we introduce a corresponding mechanism for file recovery, and also propose an algorithm to recognize the encryption algorithm and mode. Finally, we theoretically analyze the accuracy rate of recognizing an entire encrypted file in terms of file types.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
The MathWorks – MATLAB and Simulink for Technical Computing, http://www.mathworks.com/
MapleSoft – Mathematics, Mmodeling, and Simulation, http://www.maplesoft.com/
Pal, A., Memon, N.: The evolution of file carving. IEEE Signal Processing Magazine 26, 59–71 (2009)
McDaniel, M., Heydari, M.: Content based file type detection algorithms. In: 36th Annu. Hawaii Int. Conf. System Sciences (HICSS 2003), Washington, D.C (2003)
Wang, K., Stolfo, S.J.: Anomalous payload-based network intrusion detection. In: Jonsson, E., Valdes, A., Almgren, M. (eds.) RAID 2004. LNCS, vol. 3224, pp. 203–222. Springer, Heidelberg (2004)
Veenman, C.J.: Statistical disk cluster classification for file carving. In: IEEE 3rd Int. Symp. Information Assurance and Security, pp. 393–398 (2007)
Karresand, M., Shahmehri, N.: File type identification of data fragments by their binary structure. In: IEEE Information Assurance Workshop, pp. 140–147 (2006)
Karresand, M., Shahmehri, N.: Oscar - file type identification of binary data in disk clusters and RAM pages. IFIP Security and Privacy in Dynamic Environments 201, 413–424 (2006)
Windows Crypto API, http://msdn.microsoft.com/enus/library/aa380255VS.85.aspx
FAT – File Allocation Table, http://en.wikipedia.org/wiki/File_Allocation_Table
TrueCrypt – Free Open-source On-the-fly Encryption, http://www.truecrypt.org/
EFS – Encrypting File System, http://www.ntfs.com/ntfs-encrypted.htm
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Lin, X., Zhang, C., Dule, T. (2011). On Achieving Encrypted File Recovery. In: Lai, X., Gu, D., Jin, B., Wang, Y., Li, H. (eds) Forensics in Telecommunications, Information, and Multimedia. e-Forensics 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 56. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23602-0_1
Download citation
DOI: https://doi.org/10.1007/978-3-642-23602-0_1
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-23601-3
Online ISBN: 978-3-642-23602-0
eBook Packages: Computer ScienceComputer Science (R0)