Year 2018, Volume 21, Issue 3, Pages 731 - 737 2018-09-01

Recovering Multimedia Files from a Memory Image

Ahmet Ali Süzen [1] , Kubilay Taşdelen [2]


The widespread use of digital technologies increases the size of data stored in digital media. The increased amount of stored data also brings data security risks. One of the most important risks in personal data security is unauthorized or accidental data deletion. File recovery and carving software exists for recovering deleted files from storage devices. Files must be loaded into RAM to be used by the operating system, and the memory manager keeps them in RAM for a certain amount of time. Therefore, a file opened or deleted by the user in the operating system can be found in RAM. File carving techniques must be applied to RAM to access these files.

This study compares the file carving results and performance values for multimedia files carved from a RAM image with file carving software using different signature structures. Carving was performed with the header and footer signatures of used and terminated multimedia files (JPG, PNG, GIF, BMP) on the Windows 10 operating system. In the carving process, file carving durations and carving success rates were extracted using different signature structures for the same file type. In light of these results, the performance data of the multimedia file types are evaluated according to the signature structures used. The RAM image retrieval and file carving software used in the study was developed by us as part of the Ph.D. project.
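
Added example (not the authors' software): a minimal header/footer carver in Python that illustrates the technique the abstract describes, including two signature structures for the same file type. The signatures are the formats' well-known magic numbers rather than values taken from the paper; `MAX_SIZE`, the function names and the sample buffer are constructed for illustration.

```python
# Header/footer signature carving over a raw byte buffer (added example).
# Two JPG entries show how the signature structure changes the hit count.
SIGNATURES = {
    "jpg_short": (b"\xff\xd8", b"\xff\xd9"),          # 2-byte SOI marker only
    "jpg_jfif": (b"\xff\xd8\xff\xe0", b"\xff\xd9"),   # SOI + JFIF APP0 marker
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),  # signature / IEND chunk + CRC
    "gif": (b"GIF89a", b"\x00\x3b"),                  # version string / trailer
}
MAX_SIZE = 4096  # assumed cap on how far past a header the footer may lie


def carve(image, header, footer, max_size=MAX_SIZE):
    """Return (offset, data) for every header with a footer within max_size."""
    hits, pos = [], 0
    while (start := image.find(header, pos)) != -1:
        end = image.find(footer, start + len(header), start + max_size)
        if end != -1:
            hits.append((start, image[start:end + len(footer)]))
            pos = end + len(footer)
        else:
            pos = start + 1  # footer overwritten or out of range: skip header
    return hits


def build_sample_image():
    """Constructed stand-in for a RAM image: tiny 'files' between zero pages."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
    stray = b"\xff\xd8" + b"x" * 20 + b"\xff\xd9"  # matches the short header only
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 40 + b"IEND\xaeB`\x82"
    gif = b"GIF89a" + b"G" * 40 + b"\x00\x3b"
    orphan = b"\x89PNG\r\n\x1a\n" + b"Q" * 40       # PNG whose tail is gone
    return (b"\x00" * 64).join([b"", jpg, stray, png, gif, orphan, b""])


def carve_all(image):
    """Map each signature name to the offsets of the files it carved."""
    return {name: [off for off, _ in carve(image, h, f)]
            for name, (h, f) in SIGNATURES.items()}


if __name__ == "__main__":
    for name, offsets in carve_all(build_sample_image()).items():
        print(f"{name:10s} carved {len(offsets)} file(s) at {offsets}")
```

On the constructed buffer the 2-byte JPG header also carves the stray byte run, while the 4-byte header does not, and the PNG with no footer is skipped rather than carved to the end of the image.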


Primary Language en
Subjects Engineering and Basic Sciences
Journal Section Research Article
Authors

Author: Ahmet Ali Süzen (Corresponding Author)

Author: Kubilay Taşdelen

APA Süzen, A., Taşdelen, K. (2018). Recovering Multimedia Files from a Memory Image. Politeknik Dergisi, 21(3), 731-737. DOI: 10.2339/politeknik.417767