Unifying Metadata-Based Storage Reconstruction and Carving with LAYR

Schneider J, Milius S, Deifel HP, Freiling F (2020)


Publication Language: English

Publication Type: Conference contribution

Publication year: 2020

Conference Proceedings Title: Forensic Science International: Digital Investigation

Event location: Virtual US

URI: https://www.sciencedirect.com/science/article/pii/S2666281720302559

DOI: 10.1016/j.fsidi.2020.301006

Open Access Link: https://www.sciencedirect.com/science/article/pii/S2666281720302559

Abstract

Storage resources are usually organized in abstraction layers in computing systems where higher level storage (e.g. files or file systems) is constructed from lower level storage (e.g. disk volumes). Many forensic storage reconstruction techniques exist that gather data at lower layers and interpret this data to reconstruct higher layers. On the one hand, there are metadata-based reconstruction techniques that interpret metadata structures to precisely reconstruct upper layer content. On the other hand, there are pattern-based techniques (carving) that focus mainly on deleted files that cannot be reconstructed by other methods. Instances resembling the former approach are Carrier's The Sleuth Kit (TSK) as well as many commercial tools, while the latter approach is used by file carvers like Foremost and Scalpel. Based on a formalization of storage abstraction layers, we show that all these techniques can be unified within a modular reconstruction framework. We define composition operators that allow complex reconstruction tasks involving both metadata-based and pattern-based techniques to be expressed precisely, and that allow their respective strengths to be combined seamlessly in forensic analysis. We present LAYR, an implementation of our approach, and show that it can automatically and reliably combine different reconstruction approaches.

How to cite

APA:

Schneider, J., Milius, S., Deifel, H.-P., & Freiling, F. (2020). Unifying Metadata-Based Storage Reconstruction and Carving with LAYR. In Elsevier (Eds.), Forensic Science International: Digital Investigation. Virtual, US.

MLA:

Schneider, Janine, et al. "Unifying Metadata-Based Storage Reconstruction and Carving with LAYR." Proceedings of the DFRWS 2020 USA, Virtual Ed. Elsevier, 2020.
