Forensics filesystem with cluster-level identifiers for efficient data recovery

摘要

Recovering deleted information from a hard disk has been a long standing problem. The computer forensics community has tackled information recovery through the development of file carving techniques. Two issues, however, still present significant challenges to their on-going efforts - 1) Prior knowledge of file types is required for building file carvers including file headers and footers, and 2) fragmentation prevents file carvers from successful recovery. In the research work that we present in this paper, we propose a forensics file system that embeds a special identifier in every cluster that is either currently allocated or was in the past. The identifier keeps track of every cluster mapping the clusters to a single file irrespective of the file status - existing or deleted. We modified an exFAT implementation on FUSE to implement our forensics file system. Finally, we have been able to verify via controlled experiments that our proposed file system successfully recovers all deleted files in our test environment.