README-Folder Structure.txt
Part A - Folder Structure
1) src: contains the C source of the implemented prototypic file carver
2) external
---------------------------------------------------------------------------------------------------------------------------------
2.1) carver_output
2.1.1) results
2.1.1.1) DFRWS-2006(1)
2.1.1.2) DFRWS-2006(2)
2.1.1.3) DFRWS-2007(1)
2.1.1.4) DFRWS-2007(2)
2.1.1.5) GEN6(1)
2.1.1.6) GEN6(2)
2.1.1.7) Carving Timings.txt : Shows the typical timings of the carving process on an Intel Core i5 2.5GHz machine
running Ubuntu 14.04.
NOTE: (1) refers to the output generated from Sequential Carving
(2) refers to the output generated from Sequential + Fragmented Carving
Each sub-folder in folder 2.1.1 contains an additional README file describing each recovery process.
---------------------------------------------------------------------------------------------------------------------------------
2.2) carving_comparison
This folder contains the carved output that is generated by the following
carving tools:
1. Adroit Photo Forensics output (Proprietary carving tool)
2. Scalpel output (Open source)
The carved output from these two carving tools is used for evaluating the
proposed carving method, i.e. the number of valid JPEG files recovered by each tool
is compared. The more valid carved JPEG files, the more robust the file carving tool.
-----------------------------------------------------------------------------------------------------------------------------
2.2.1) Adroit Photo Forensics 2013 output: output generated by APF
This folder contains the output generated from Adroit Photo Forensics (APF).
APF is a proprietary image file carving tool and is currently one of the most robust
image file carving tools used in digital forensics.
One can refer to http://digital-assembly.com/products/adroit-photo-forensics for more information.
NOTE: This tool was purchased by the University of Malta's IT Services for the evaluation of this project.
2.2.1.1) Folder structure
1. DFRWS-2006: carved output from the DFRWS-2006 raw image
2. DFRWS-2007: carved output from the DFRWS-2007 raw image
3. nps-2009-canon2-gen6: carved output from the nps-2009-canon2-gen6 disk image
2.2.1.2) Description
Important: The output generated by APF includes images of different file types.
For this reason, the generated output can be subdivided into the following folders:
1. JPEG
2. GIF
3. PNG
4. Others
The carved files can then be classified into different categories such as:
1. Recovery Type
1.1 Embedded in Carved: carved images that were embedded in other files
1.2 Invalid-Partially Carved: carved images that were not fully recovered
1.3 Sequentially Carved: carved images that were sequentially recovered
1.4 Smart Carved: carved images that were stored fragmented and smartly recovered
1.5 Active: carved images that were still present on the disk (non-deleted)
1.6 Embedded in Active: carved images that were embedded in active files
2. Validity
2.1 Invalid/Partial: contains invalid/partially carved images
2.2 Valid: contains valid carved images
-----------------------------------------------------------------------------------------------------------------------------
2.2.2) Scalpel output: output generated by Scalpel
This folder contains the output generated from Scalpel, which is an open-source
file carver based on the header-to-footer file carving approach.
Source code is available at: https://github.com/sleuthkit/scalpel
2.2.2.1) Folder structure
1. DFRWS-2006: carved output from the DFRWS-2006 raw image
2. DFRWS-2007: carved output from the DFRWS-2007 raw image
3. nps-2009-canon2-gen6: carved output from the nps-2009-canon2-gen6 disk image
4. scalpel.conf: Scalpel configuration file used to recover JPEG files
Important: The generated output for each test case was MANUALLY divided into invalid
and valid folders, which contain invalid and valid JPEG images respectively.
---------------------------------------------------------------------------------------------------------------------------------
2.3) test_sets - URL: https://drive.google.com/open?id=0B51b8cbLqEBHNnRqOXp4QkY5dW8
This folder can be downloaded directly from Google Drive. It contains the test sets that were used both for the evaluation of the implemented
prototypic file carver and for measuring the performance of other file carving tools (Adroit Photo Forensics
and Scalpel). The latter was specifically intended for comparing the output generated by the proposed file carving tool
with that obtained from the other file carving tools.
2.3.1) Folder Structure
1. disks - contains the test sets
1.1 DFRWS-2006.raw: raw binary disk (details available at: http://www.dfrws.org/2006/challenge)
1.2 DFRWS-2007.raw: raw binary disk (details available at: http://www.dfrws.org/2007/challenge)
1.3 nps-2009-canon2-gen6.EO1: EnCase disk image
(details available at: http://digitalcorpora.org/corp/nps/drives/nps-2009-canon2)
2. layouts - contains the corresponding file layout for each test set
-----------------------------------------------------------------------------------------------------------------------------------
3) Debug: contains compiled source files and file carver executable
3.1) src: compiled source files
3.2) Carver: file carver executable
3.3) makefile: makefile automatically generated by Eclipse for compilation
3.4) objects.mk: Specifies the path of the OpenCV library for compilation
3.5) sources.mk: src directory file generated by Eclipse