Storage resources in computing systems are usually organized in abstraction layers, where higher-level storage (e.g. files or file systems) is constructed from lower-level storage (e.g. disk volumes). Many forensic storage reconstruction techniques gather data at lower layers and interpret it to reconstruct higher layers. On the one hand, there are metadata-based reconstruction techniques that interpret metadata structures to precisely reconstruct upper-layer content. On the other hand, there are pattern-based techniques (carving) that focus mainly on deleted files that cannot be reconstructed by other methods. The former approach is exemplified by Carrier's The Sleuth Kit (TSK) as well as many commercial tools, while the latter is used by file carvers like Foremost and Scalpel. Based on a formalization of storage abstraction layers, we show that all these techniques can be unified within a modular reconstruction framework. We define composition operators that allow complex reconstruction tasks involving both metadata-based and pattern-based techniques to be expressed precisely, and that allow their respective strengths to be combined seamlessly in forensic analysis. We present LAYR, an implementation of our approach, and show that it can automatically and reliably combine different reconstruction approaches.
Name of Conference: Digital Forensics Research Conference (DFRWS)
CISPA Affiliation: No
Journal: Forensic Science International: Digital Investigation
Volume: 33
Page Range: 301006-301006
Publisher: Elsevier
Open Access Type: Unknown
BibTeX
@inproceedings{Schneider:Deifel:Milius:Freiling:2020,
  title = "Unifying Metadata-Based Storage Reconstruction and Carving with LAYR",
  author = "Schneider, Janine and Deifel, Hans-Peter and Milius, Stefan and Freiling, Felix",
  year = 2020,
  month = 7,
  journal = "Forensic Science International: Digital Investigation",
  volume = 33,
  number = "DFRWS 2020 USA — Proceedings of the Twentieth Annual DFRWS USA",
  pages = "301006--301006",
  publisher = "Elsevier",
  issn = "2666-2825",
  doi = "10.1016/j.fsidi.2020.301006"
}