| Article ID | Journal | Published Year | Pages | File Type |
|---|---|---|---|---|
| 491210 | Procedia Technology | 2014 | 8 Pages |
Data recovery is a significant problem that presents a real challenge to forensics investigators today. File carvers have traditionally helped mitigate these difficulties. However, two issues still present significant challenges – 1) Prior knowledge of file types is required for building file carvers, and 2) fragmentation prevents file carvers from successful recovery. In previous research, we proposed a framework for recovering deleted files without prior knowledge of file types and with the existence of fragmentation. In this paper, we introduce the design and a functioning implementation of our system by modifying an exFat filesystem running on top of FUSE. Evaluation of the overhead of our filesystem shows only a 5% decrease in performance in write operations when compared to an unmodified exFat filesystem, and almost identical read measurements. Our system also shows significantly better recovery rates in the presence of fragmentation when compared to two selected file carvers.
