The Research Of The Key Techniques Of Document Fragment Forensics

Posted on: 2008-12-30
Degree: Doctor
Type: Dissertation
Country: China
Candidate: B L Li
GTID: 1118330332978532
Subject: Computer software and theory
Abstract/Summary:
Document fragment forensics is vital in digital forensics for restoring deleted files from a scattered set of fragments. Document fragmentation is a regular occurrence on hard disks, memory cards, and other storage media. As a result, a forensic analyst examining a disk may encounter many fragments of deleted digital files but be unable to determine the proper sequence of fragments needed to rebuild the files. This calls for a model of document fragments, a classification algorithm to identify the type of document, and a reassembly algorithm to restore files. This thesis studies document fragment forensics in detail. The main work is as follows:

1. The Extended Forensic and Analysis Model of Document Fragment

An extended forensic and analysis model of document fragments is presented in order to investigate document fragments in storage media efficiently. The model extends the existing forensic process for document fragments by introducing information flow and forensic results into the model. Existing forensic models are compared with the document fragment forensic model. As a result, the chain of custody of digital evidence is enhanced. A forensic case shows that the model is able to investigate document fragments in a digital system.

2. Document Fragment Classification Technique

First, a three-phase fragment classifying model is presented in order to find all fragments of a file, and a document fragment classifying algorithm based on the Naive Bayes principle is given. Then the Support Vector Machine is studied to improve document fragment classification. Finally, a classifying algorithm based on the entropy of document fragments is proposed to classify document fragments. Experiments show good classification performance for the document fragment classifying algorithm.

3. Document Fragment Reassembly Technique

First, a new reassembly algorithm is proposed to reassemble image fragments. The algorithm computes the relevance measure between any fragments. Then, according to the best candidate weights of all fragments, the best sequence of image fragments can be obtained. Finally, a reassembly algorithm based on fragment distance is proposed to reassemble fragments by the information entropy principle, and the classification results showed that the algorithm can reassemble document fragments by the entropy of fragments.

4. The Estimation Principle of Forensic Capability about Model

First, in order to evaluate digital forensic models and forensic tools, many traditional forensic models are studied. Second, the forensic challenges that arise during digital forensic investigation are discussed. Third, an estimation principle for the forensic capability of a digital forensic model is put forward.
Keywords/Search Tags:Document fragment, Forensic model, Fragment Classification, Fragment Reassembly