Abstract
Scalpel, a popular open source file recovery tool, performs file carving using the Boyer-Moore string search algorithm to locate headers and footers in a disk image. We show that the time required for file carving may be reduced significantly by employing multi-pattern search algorithms, such as the multi-pattern Boyer-Moore and Aho-Corasick algorithms, together with asynchronous disk reads and multithreading as typically supported on multicore commodity PCs. Using these methods, we are able to do in-place file carving in essentially the time it takes to read the disk whose files are being carved. Because the limiting factor for performance with our methods is the disk read time, there is no advantage to using accelerators such as GPUs, as has been proposed by others. To further speed up in-place file carving, we would need a mechanism to read the disk faster.
This research was supported, in part, by the National Science Foundation under grants 0829916 and CNS-0963812.
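The following is an added illustration, not code from the paper or from Scalpel: a minimal Aho-Corasick scanner that locates several header and footer signatures in one pass while the image is consumed in fixed-size reads. The function names, the choice of signatures and the sample image are assumptions made for the example; asynchronous reads and multithreading are not shown.

```python
from collections import deque

SIGNATURES = {  # (type, role) -> magic bytes; this selection is an assumption
    ("jpg", "header"): b"\xff\xd8\xff", ("jpg", "footer"): b"\xff\xd9",
    ("pdf", "header"): b"%PDF-", ("pdf", "footer"): b"%%EOF",
}

def build_automaton(patterns):
    """Build Aho-Corasick goto/fail/output tables over byte values."""
    goto, out = [{}], {}
    for label, pat in patterns.items():
        s = 0
        for b in pat:
            s = goto[s].setdefault(b, len(goto))
            if s == len(goto):        # byte was absent: create the trie node
                goto.append({})
        out.setdefault(s, []).append((label, len(pat)))
    fail = [0] * len(goto)            # depth-1 states fail to the root
    queue = deque(goto[0].values())
    while queue:                      # breadth-first: set failure links
        s = queue.popleft()
        for b, t in goto[s].items():
            f = fail[s]
            while f and b not in goto[f]:
                f = fail[f]
            fail[t] = goto[f].get(b, 0)
            out[t] = out.get(t, []) + out.get(fail[t], [])
            queue.append(t)
    return goto, fail, out

def scan_chunks(chunks, goto, fail, out):
    """One pass over the image; the state survives chunk boundaries."""
    state, base, hits = 0, 0, []
    for chunk in chunks:
        for i, b in enumerate(chunk):
            while state and b not in goto[state]:
                state = fail[state]
            state = goto[state].get(b, 0)
            for label, n in out.get(state, ()):
                hits.append((base + i - n + 1, *label))  # absolute start offset
        base += len(chunk)
    return hits

def demo():
    # Constructed sample image: filler, a PDF-like blob, a JPEG-like blob.
    image = (b"\x00" * 10 + b"%PDF-1.4 body %%EOF" + b"\x00" * 5
             + b"\xff\xd8\xff\xe0 data \xff\xd9" + b"\x00" * 4)
    chunks = [image[i:i + 7] for i in range(0, len(image), 7)]  # reads split signatures
    return scan_chunks(chunks, *build_automaton(SIGNATURES))
```

Every byte is examined once regardless of how many signatures are loaded, and a signature that straddles two reads is still reported because the automaton state carries over between chunks.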
Copyright information
© 2011 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
Zha, X., Sahni, S. (2011). Fast in-Place File Carving for Digital Forensics. In: Lai, X., Gu, D., Jin, B., Wang, Y., Li, H. (eds) Forensics in Telecommunications, Information, and Multimedia. e-Forensics 2010. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 56. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-23602-0_13
DOI: https://doi.org/10.1007/978-3-642-23602-0_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-23601-3
Online ISBN: 978-3-642-23602-0
eBook Packages: Computer Science, Computer Science (R0)