Abstract
Because files are typically stored as sequences of data blocks, the file carving process in digital forensics involves the identification and collocation of the original blocks of files. Current file carving techniques that use the signatures of file headers and footers could be improved by first classifying each data block in the storage media as belonging to a given file type. Unfortunately, file block classification techniques tend to have low accuracy. One reason is that they do not account for compound files that contain subcomponents encoded as different data types. This paper presents a context-based classification approach that accounts for compound files and improves on block-by-block classification schemes by exploiting the contiguity of file blocks belonging to the same file on the storage media. © 2012 IFIP International Federation for Information Processing.
Cite
Sportiello, L., & Zanero, S. (2012). Context-based file block classification. In IFIP Advances in Information and Communication Technology (Vol. 383 AICT, pp. 67–82). Springer New York LLC. https://doi.org/10.1007/978-3-642-33962-2_5