{"title":"An Automatic Carving Method for RAR File Based on Content and Structure","authors":"Yingjie Wei, Ning Zheng, Ming Xu","doi":"10.1109/ITCS.2010.23","DOIUrl":null,"url":null,"abstract":"File carving is a digital forensic technique. It aims to reconstitute a file from unstructured data sources with no knowledge of the file system. This paper presents an automatically carving method for RAR files. Since RAR is one of the most popular archive formats,and it is widely used on the digital devices to package data for transport or storage. It is important for forensic investigation to obtain the information of RAR files. We apply mapping function to locate the header and footer of an archived file, utilize the distance between the header and footer of an archived file to determine whether the archived file is fragmented, and apply enumeration to reassemble bi-fragmentation of an archived file. Finally we validate the integrity of archived file and RAR file, repairing RAR files which miss header or footer. Based on artificial data and real world data, experiments show our method can automatically carve continuous and fragmented RAR files. Moreover, the comparative experiments demonstrate that this method is better than other’s in accurateness and effectiveness.","PeriodicalId":340471,"journal":{"name":"2010 Second International Conference on Information Technology and Computer Science","volume":"27 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2010-07-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"5","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2010 Second International Conference on Information Technology and Computer Science","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/ITCS.2010.23","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 5
Abstract
File carving is a digital forensic technique. It aims to reconstitute a file from unstructured data sources with no knowledge of the file system. This paper presents an automatically carving method for RAR files. Since RAR is one of the most popular archive formats,and it is widely used on the digital devices to package data for transport or storage. It is important for forensic investigation to obtain the information of RAR files. We apply mapping function to locate the header and footer of an archived file, utilize the distance between the header and footer of an archived file to determine whether the archived file is fragmented, and apply enumeration to reassemble bi-fragmentation of an archived file. Finally we validate the integrity of archived file and RAR file, repairing RAR files which miss header or footer. Based on artificial data and real world data, experiments show our method can automatically carve continuous and fragmented RAR files. Moreover, the comparative experiments demonstrate that this method is better than other’s in accurateness and effectiveness.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
