RX_myKarve carving framework for reassembling complex fragmentations of JPEG images

Bibliographic Details
Published in: Journal of King Saud University. Computer and information sciences Vol. 33; no. 1; pp. 21 - 32
Main Authors: Ali, Rabei Raad; Mohamad, Kamaruddin Malik
Format: Journal Article
Language: English
Published: Elsevier B.V 01-01-2021
Elsevier
Description
Summary: Digital forensics aims to assist decision-making about a crime by examining file content, which usually involves image files such as GIF, BMP, JPEG, etc. JPEG is a very popular image file format. It has less structured contents than other images, which makes its recovery possible in the absence of some file system metadata. However, an essential problem is a fragmented JPEG file that is intertwined with non-JPEG files and/or bifragmented in the scan area. This paper proposes RX_myKarve as a new file carving framework for solving a number of forensic recovery problems, including fragmentation. The basic design of RX_myKarve includes structure-based and content-based carving approaches. It adopts machine learning and evolutionary algorithms in its main components of identification, validation and reassembling. The identification and validation techniques encompass an Extreme Learning Machine (ELM) for identifying and filtering the image data in the scan area. The reassembling technique encompasses a genetic algorithm to reconstruct the data from fragmented pieces into a complete image. The main contribution of the paper lies in the reassembling of fragmented image file clusters in the scan area. RX_myKarve is tested and evaluated using the Digital Forensic Research Workshop (DFRWS) 2006 and 2007 forensic challenge datasets. The results show that RX_myKarve is able to carve and fully recover all the given cases of the DFRWS-2006 dataset, which are 19 images, and all the relevant cases of the DFRWS-2007 dataset, which are 18 images. This improvement in file carving is mostly attributed to the novel identification and reassembling techniques.
ISSN: 1319-1578, 2213-1248
DOI: 10.1016/j.jksuci.2018.12.007