Research Article

Recovering Multimedia Files from a Memory Image

Year 2018, Volume 21, Issue 3, 731 - 737, 01.09.2018
https://doi.org/10.2339/politeknik.417767

Abstract

The widespread use of digital technologies increases the amount of data stored on digital media, and the growing volume of stored data brings data security risks with it. One of the most important risks in personal data security is the unauthorized or accidental deletion of data. File recovery and carving software exists for recovering deleted files from storage devices. Files must be loaded into RAM before the operating system can use them, and the memory manager keeps them in RAM for a certain amount of time. A file that the user has opened or deleted in the operating system can therefore still be found in RAM. File carving techniques must be applied to RAM to access these files.

In this study, multimedia files were carved from a RAM image with file carving software using different signature structures, and the carving performance values were compared. Carving was performed with the header and footer signatures of used and terminated multimedia files (JPG, PNG, GIF, BMP) on the Windows 10 operating system. In the carving process, file carving durations and carving success rates were extracted using different signature structures of the same file type. In light of these results, the performance data of the multimedia file types are evaluated according to the signature structures used. The RAM image retrieval and file carving software used in the study was developed by us as part of the Ph.D. project.
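The following is an added illustration of header/footer signature carving and of how different signature structures for the same file type change the result; it is not the authors' software. The buffer is constructed, the signature bytes are the widely documented JPEG and PNG magic numbers, all function names are hypothetical, and GIF and BMP are left out to keep it short.

```python
# Added example: header/footer signature carving over a constructed buffer.
# Signature bytes are widely documented magic numbers; all names are hypothetical.
SIGNATURES = {
    "jpg-2byte": (b"\xff\xd8", b"\xff\xd9"),          # SOI only
    "jpg-3byte": (b"\xff\xd8\xff", b"\xff\xd9"),      # SOI + start of next marker
    "jpg-jfif":  (b"\xff\xd8\xff\xe0", b"\xff\xd9"),  # SOI + APP0 (JFIF files only)
    "png":       (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_SIZE = 1 << 20  # give up if no footer within 1 MiB of the header


def carve(image, header, footer, max_size=MAX_SIZE):
    """Return [(offset, data)] for every header that has a footer within max_size."""
    hits = []
    pos = image.find(header)
    while pos != -1:
        end = image.find(footer, pos + len(header), pos + max_size)
        if end != -1:
            hits.append((pos, image[pos:end + len(footer)]))
        pos = image.find(header, pos + 1)
    return hits


def build_sample():
    """Constructed stand-in for a RAM image: three files plus stray header bytes."""
    pad = b"\x00" * 16
    jfif = b"\xff\xd8\xff\xe0" + b"JFIF-body" + b"\xff\xd9"
    exif = b"\xff\xd8\xff\xe1" + b"Exif-body" + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"png-body" + b"IEND\xaeB`\x82"
    stray = b"\xff\xd8" + b"not-an-image"  # header bytes occurring by chance
    return pad + jfif + pad + stray + pad + png + pad + exif + pad


def compare(image):
    """Map each signature name to the (offset, length) of every carve it produces."""
    return {name: [(off, len(data)) for off, data in carve(image, h, f)]
            for name, (h, f) in SIGNATURES.items()}


if __name__ == "__main__":
    for name, hits in compare(build_sample()).items():
        print(f"{name:10s} {hits}")
```

On this buffer the 2-byte header produces a false carve at offset 47 that swallows the PNG, while the 4-byte JFIF header avoids it but misses the Exif-style JPEG; the 3-byte header recovers both JPEGs without the false hit.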

Details

Primary Language English
Subjects Engineering
Journal Section Research Article
Authors

Ahmet Ali SÜZEN (Primary Author)
0000-0002-5871-1652


Kubilay TAŞDELEN

Publication Date September 1, 2018
Application Date February 19, 2018
Published in Issue Year 2018, Volume 21, Issue 3

Cite

APA: Süzen, A. A. & Taşdelen, K. (2018). Recovering Multimedia Files from a Memory Image. Politeknik Dergisi, 21(3), 731-737. DOI: 10.2339/politeknik.417767