Digital video content is becoming an increasingly common data type in surveillance systems, education, marketing, interactive TV and social networks. The development of video compression technologies, coupled with increasing Internet bandwidth and computer performance, have boosted usage of digital video. Video content is stored on digital devices, such as mobile phones and personal and surveillance cameras. These devices are involved in many aspects of our lives. Many criminals have begun to take advantages of these devices. The goal of digital forensics is to find digital evidence that can be accepted in court. Perpetrators usually delete their evidence, format their systems or destroy their devices to hide their criminal activities. There are many techniques in the literature that can recover various data types from standard file systems such as File Allocation Table (FAT). However, there are cases in which digital forensics researchers and practitioners need to recover video files from a system with a corrupted, overwritten or unknown file system. File carving is a data recovery technique for recovering files from storage media based on file content and structure without using file system metadata. Traditional carving techniques recover video files based on their file structure. However, these techniques fail when a target file has been split into several fragments over storage media and some parts of it have been overwritten. This thesis focuses on file carving of fragmented video files. In this thesis, we present a file carving framework for the recovery and reassembly of fragmented video files into playable video files. We call this framework VidCarve. VidCarve consists of four main components: identification and recovery, weight assignment, reassembly and file construction. First, we propose a method to identify video fragments from forensic images, even if a part of the file has been overwritten or corrupted. Second, the purpose of the weight assignment component is used to calculate the weights of adjacency between the recovered video fragments. Thus, it will serve as the basis on which to determine the correct sequence of fragments for each fragmented video file in the reassembly stage. Finally, the file construction component is responsible for rebuilding the reassembled video fragments into playable video files. We have implemented a prototype, andWe have conducted several experiments to evaluate each component of VidCarve. The overall accuracy rate shows that our approach can produce forensically sound evidence and play a vital role in the recovery of digital evidence in many criminal cases.
| Date of Award | Jun 2017 |
|---|
| Original language | American English |
|---|
| Supervisor | ERNESTO Damiani (Supervisor) |
|---|
- Digital forensics
- Data recovery
- File carving
- Fragmented video files
- Fragment reassembly.
Automated forensics video file carver framework for fragmented video files
Alghafli, K. (Author). Jun 2017
Student thesis: Doctoral Thesis