Unifying Metadata-Based Storage Reconstruction and Carving with LAYR

conference contribution
posted on 2024-09-24, 11:58 authored by Janine Schneider, Hans-Peter Deifel, Stefan Milius, Felix Freiling
Storage resources in computing systems are usually organized in abstraction layers, where higher-level storage (e.g. files or file systems) is constructed from lower-level storage (e.g. disk volumes). Many forensic storage reconstruction techniques exist that gather data at lower layers and interpret this data to reconstruct higher layers. On the one hand, there are metadata-based reconstruction techniques that interpret metadata structures to precisely reconstruct upper-layer content. On the other hand, there are pattern-based techniques (carving) that focus mainly on deleted files that cannot be reconstructed by other methods. Examples of the former approach are Carrier's The Sleuth Kit (TSK) as well as many commercial tools, while the latter approach is used by file carvers like Foremost and Scalpel. Based on a formalization of storage abstraction layers, we show that all these techniques can be unified within a modular reconstruction framework. We define composition operators that make it possible to express precisely complex reconstruction tasks that involve both metadata-based and pattern-based techniques, and to combine their respective strengths seamlessly in forensic analysis. We present LAYR, an implementation of our approach, and show that it can automatically and reliably combine different reconstruction approaches.

Name of Conference

Digital Forensics Research Conference (DFRWS)

CISPA Affiliation

  • No

Journal

Forensic Science International: Digital Investigation

Volume

33

Page Range

301006-301006

Publisher

Elsevier

Open Access Type

  • Unknown

BibTeX

@inproceedings{Schneider:Deifel:Milius:Freiling:2020,
  title     = "Unifying Metadata-Based Storage Reconstruction and Carving with LAYR",
  author    = "Schneider, Janine and Deifel, Hans-Peter and Milius, Stefan and Freiling, Felix",
  year      = 2020,
  month     = 7,
  journal   = "Forensic Science International: Digital Investigation",
  number    = "DFRWS 2020 USA — Proceedings of the Twentieth Annual DFRWS USA",
  pages     = "301006--301006",
  publisher = "Elsevier",
  issn      = "2666-2825",
  doi       = "10.1016/j.fsidi.2020.301006"
}
