FORENSIC DATA RECOVERY

Forensic data recovery is one of the important research activities at NICC/INCC. It is the process of recovering data from storage media such as hard disk drives, solid-state drives (SSDs), USB flash drives, DVDs, and so on.
This can be data that is still perfectly visible on the storage medium, but also data that appears to be lost due to accidental or deliberate human action (deletion, reinstallation of the OS, formatting, repartitioning, wiping, ...) or due to machine failure (software bugs, an OS crash, a failing storage medium, ...).
From a research point of view, the most interesting data is the data that appears to be lost.


  • More specifically, at NICC we have concentrated on the recovery of photos in the JPEG format, the de facto standard format for photos in cameras, smartphones, distribution on the internet, and so on.
    This research has resulted in a state-of-the-art tool for the recovery of JPEG files, named JPGcarve. JPGcarve is able to locate the individual fragments of a fragmented JPEG file on a storage medium and piece them together to recover the complete JPEG file.

    JPGcarve outperforms existing JPEG file recovery tools both in execution speed and in the number of correctly recovered JPEG files.

    Our paper "JPGcarve: an Advanced Tool for Automated Recovery of Fragmented JPEG Files" has been published in the well-known scientific journal IEEE Transactions on Information Forensics and Security (http://www.signalprocessingsociety.org/publications/periodicals/forensics/).
    In this paper we show that our tool significantly outperforms the best available (commercial) fragmented JPEG recovery tool, both in the number of recovered JPEG files and in the processing speed obtained.
    We also show that JPGcarve has several other advantages, including:
    - blind carving performance is not influenced by the (assumed) cluster size of the file system, making it possible to carve reliably with 512-byte sector settings (e.g., this also makes it possible to reliably carve multi-boot hard drives that may contain partitions with different file system offsets and cluster sizes).
    - text-file-based input and output of both the initial and the remaining data dump search space areas, enabling:
        - chained and/or combined use with other tools
        - preservation of carving meta-data; the output indicates the type of file that was recovered (single-fragment JPEG, multi-fragment, embedded) and where the fragments were found
    - etc.
    Additional results, supplemental to those included in this paper, will be made available via this webpage. These results will focus on carving of large input data dumps (multi-GiB/TiB).

    Our JPGcarve tool is currently under real-life review by several of our colleagues at other ENFSI (http://enfsi.eu/) forensic institutes, after which news about more general availability of JPGcarve will be announced here and through various other well-known forensic data recovery channels.
    We have also continued working on a new version of our tool, which already increases its speed even further and which will implement several other improvements. This new version will be used to report on the additional "bigger data" results mentioned above.
    JPGcarve will most likely also be developed further within an EU H2020 R&D project that has recently been approved by the EC.
    Some other advances related to the recovery of "headerless" and "trace evidence" JPEG data have already been reported during the triennial ENFSI conference EAFS2015.

    So "stay tuned", or feel free to contact us (see the Contact tab).

  • We have also concentrated on the recovery of file data and meta-data (filename, path, timestamps, ...) from NTFS data storage partitions.
    A specific focus has been put on recovery from corrupted NTFS partitions, because existing NTFS recovery tools seem to fail under data corruption conditions. This research has resulted in a state-of-the-art tool for NTFS data recovery, named MFTcarve.
    MFTcarve is able to handle corruption in the crucial data structures that lead to the NTFS file data and meta-data, such as the partition table, the boot sector and the first entry of the Master File Table (MFT). Thanks to this ability, MFTcarve clearly outperforms existing NTFS recovery tools under data corruption conditions.

Last update of this page: March 21, 2016.


With respect to NTFS recovery, we have also completed a comparative study of the performance of NTFS recovery tools under data corruption conditions.
The results of this comparative study are reported in the paper entitled "Performance Study of NTFS Recovery Tools Under Data Corruption Conditions".
For this comparative study we created 8 test data dumps with different types and levels of corruption, so that recovery tools can be evaluated in a consistent and objective way:

  • D1 : not corrupted; contains 1 partition with an NTFS file system containing 2777 allocated files and 2774 deleted files stored in a directory tree of 2 levels deep; also contains 2568 remnant files.
  • D2 : copy of D1 with zeroed partition table (PT).
  • D3 : copy of D1 with zeroed boot sector (BS) and backup BS.
  • D4 : copy of D1 with zeroed first MFT entry (MFT0) in $MFT and $MFTMirr.
  • D5 : copy of D1 with zeroed PT; zeroed BS and backup BS.
  • D6 : copy of D1 with zeroed PT; zeroed MFT0 in $MFT and $MFTMirr.
  • D7 : copy of D1 with zeroed BS and backup BS; zeroed MFT0 in $MFT and $MFTMirr.
  • D8 : copy of D1 with zeroed PT; zeroed BS and backup BS; zeroed MFT0 in $MFT and $MFTMirr.

These data dumps can be downloaded by clicking on the respective shorthand names above.
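As an added illustration of the kind of carving MFTcarve is described as doing (this is example code written for this page, not MFTcarve's own code, which the page does not publish), the Python below scans a raw dump sector by sector for MFT records by their "FILE" signature, undoes the update-sequence fixups and reads each record's resident $FILE_NAME attribute, so filenames and the in-use/deleted state are recovered without relying on the partition table, the boot sector or the first MFT entry, i.e. the structures zeroed in D2 to D8. The records and the dump are constructed inline; a torn record whose sector tails no longer carry the update sequence number is rejected rather than misparsed.

```python
import struct
RECORD, SECTOR, ATTR_FILE_NAME, ATTR_END = 1024, 512, 0x30, 0xFFFFFFFF

def parse_record(rec):
    # (record_no, in_use, is_dir, filename) for one MFT record, else None.
    if len(rec) < RECORD or rec[:4] != b"FILE":
        return None
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, rec = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):                     # undo update-sequence fixups
        if rec[i * SECTOR - 2:i * SECTOR] != usn:     # tail lacks the USN: torn record
            return None
        rec[i * SECTOR - 2:i * SECTOR] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    attr_off, flags, used = struct.unpack_from("<HHI", rec, 20)
    record_no, name = struct.unpack_from("<I", rec, 44)[0], None
    while attr_off + 24 <= min(used, RECORD):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, attr_off)
        if atype == ATTR_END or alen < 24:
            break
        if atype == ATTR_FILE_NAME and nonres == 0:  # resident $FILE_NAME
            clen, coff = struct.unpack_from("<IH", rec, attr_off + 16)
            body = rec[attr_off + coff:attr_off + coff + clen]
            if len(body) > 66 and (name is None or body[65] != 2):  # prefer long name over 8.3
                name = body[66:66 + 2 * body[64]].decode("utf-16-le", "replace")
        attr_off += alen
    return record_no, bool(flags & 1), bool(flags & 2), name

def carve_mft(dump):
    # Sector-step scan: finds records with neither partition table nor boot sector.
    return [(off,) + p for off in range(0, len(dump) - RECORD + 1, SECTOR)
            if (p := parse_record(dump[off:off + RECORD]))]

def make_record(record_no, name, in_use=True):
    # Constructed sample record: one resident $FILE_NAME, USN 0x0001 on both sector
    # tails (the saved tail bytes in the fixup array stay zero: they were padding).
    content = b"\0" * 64 + bytes([len(name), 1]) + name.encode("utf-16-le")
    alen = (24 + len(content) + 7) & ~7
    attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, alen, 0, 0, 24, 0, 0,
                       len(content), 24, 0, 0) + content
    attr = attr.ljust(alen, b"\0") + struct.pack("<I", ATTR_END) + b"\0" * 4
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56,
                      int(in_use), 56 + len(attr), RECORD, 0, 2, 0, record_no)
    rec = bytearray((hdr + b"\0" * 8 + attr).ljust(RECORD, b"\0"))
    rec[48:50] = rec[SECTOR - 2:SECTOR] = rec[RECORD - 2:RECORD] = b"\x01\x00"
    return bytes(rec)

# Constructed dump: zeroed PT/BS area, two intact records, then a torn record.
TORN = make_record(9, "lost.jpg")[:SECTOR] + b"\xaa" * SECTOR
DUMP = b"\0" * 4096 + make_record(5, "report.docx") + make_record(6, "old.txt", False) + TORN
```

Running carve_mft(DUMP) yields the two intact records with their offsets, record numbers, in-use flags and names; the torn record is skipped. On a real dump, non-resident or multi-record ($ATTRIBUTE_LIST) cases and the parent-directory reference in $FILE_NAME would still have to be handled to rebuild full paths.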

“The datasets available from this website are © NICC-INCC; please request authorization to use them by sending an email to nicc-din at just.fgov.be if you would use them in any possible way (privately, professionally, …), and in particular when reporting on their use in any possible form.”