Creating Highly Specialized Fragmented File System Data Sets For Forensic Research Thesis uri icon

Overview

abstract

  • Thesis (M.S., Computer Science)--University of Idaho, June 2014 | File forensic tools examine the contents of a system's disk storage to analyze files, detect infections, examine account usages and extract information that the system's operating system cannot or does not provide. Some forensic data acquisition methods use the operating system and file system to help retrieve data. In cases where the file system is not available, or information is believed to be outside of the file system, a file carver can be used to extract files. File carving is the process of extracting information from an entire disk without metadata. This thesis looks at the effects of file fragmentation on forensic file carvers. File fragmentation occurs when the sections of disk that a file occupies are not contiguous, or if only a portion of a file is on disk. types of fragmentation and the effects they have on file carvers are discussed. File carvers often use complex algorithms for identifying and classifying file fragments. Forensic researchers are constantly improving identification and classification methods. This thesis describes a tool, Wetstone, which is intended to make data sets for forensic research easier to create and reproduce. Wetstone aims to simplify the process for creating a test data set that includes file fragmentation or has a specific layout. Easy to use file manipulation controls and reproducible data sets are the key components of Wetstone and are available through a user friendly graphical interface.

publication date

  • June 1, 2014

Other