LogIn / RegistrationArticles for sale
- Head office address: Moscow, 123317, Moscow City, 8th Floor, Presnenskaya Embankment, 6, bldg. 2
- article@123mi.ru
- Сортировка:
- по горящим
- по цене
- по дате
#5883. Timestamp prefix carving for filesystem metadata extraction
| July 2026 | publication date |
| Proposal available till | 17-05-2025 |
| 4 total number of authors per manuscript | 0 $ |
| The title of the journal is available only for the authors who have already paid for |
| Journal’s subject area: |
| Information Systems or another |
| place 1 | place 2 | place 3 | place 4 |
| Free | Free | Free | Free |
| 2350 $ | 1200 $ | 1050 $ | 900 $ |
Contract №5883.1   | Contract №5883.2 | Contract №5883.3 | Contract №5883.4 |
1 place - free (for sale)
2 place - free (for sale)
3 place - free (for sale)
4 place - free (for sale)
Abstract:
While file carving is a popular and effective method for extracting file content from unallocated space in a forensic image, it can be time consuming to carve for the wide variety of possible file signatures. Furthermore, file carving does not connect the discovered file to its filesystem metadata. These limitations of file carving are the advantages of Generic Metadata Time Carving, in which filesystem metadata is searched for by first finding repeated co-located timestamps using a potential timestamp carving algorithm. The potential metadata is verified by a filesystem specific parser, and the pointer within the metadata to the file data may allow for full file recovery. Currently, a limitation of the Generic Metadata Time Carving method is that it will only find metadata records that have multiple equivalent timestamps, thus missing metadata records and files with differing, but very similar, timestamps. Therefore, in order to improve the recall of the Generic Metadata Time Carving methodology, we have designed and implemented a prefix matching potential timestamp carving algorithm. We apply our experiments to realistic NTFS and Ext4 forensic images, in which we compare the precision and recall results for differing prefix lengths.
Keywords:
Carving; Digital forensics; Filesystems; Metadata
Contacts :
2 place - free (for sale)
3 place - free (for sale)
4 place - free (for sale)
Abstract:
While file carving is a popular and effective method for extracting file content from unallocated space in a forensic image, it can be time consuming to carve for the wide variety of possible file signatures. Furthermore, file carving does not connect the discovered file to its filesystem metadata. These limitations of file carving are the advantages of Generic Metadata Time Carving, in which filesystem metadata is searched for by first finding repeated co-located timestamps using a potential timestamp carving algorithm. The potential metadata is verified by a filesystem specific parser, and the pointer within the metadata to the file data may allow for full file recovery. Currently, a limitation of the Generic Metadata Time Carving method is that it will only find metadata records that have multiple equivalent timestamps, thus missing metadata records and files with differing, but very similar, timestamps. Therefore, in order to improve the recall of the Generic Metadata Time Carving methodology, we have designed and implemented a prefix matching potential timestamp carving algorithm. We apply our experiments to realistic NTFS and Ext4 forensic images, in which we compare the precision and recall results for differing prefix lengths.
Keywords:
Carving; Digital forensics; Filesystems; Metadata
Contacts :
