
A Study On The Windows Log Forensic And Recovery Technology

Posted on: 2010-02-18
Degree: Master
Type: Thesis
Country: China
Candidate: P Wang
Full Text: PDF
GTID: 2178330338975911
Subject: Computer application technology
Abstract/Summary:
Nowadays, computer crimes and intrusions have become common incidents alongside the development of information technology, and computer forensic technology has emerged as the key technology for combating computer-related crime. Forensic examiners are paying increasing attention to the protection and recovery of digital evidence during the forensic process. File carving, a special data recovery technique and a predominant topic of computer forensic research, recovers files from an unstructured raw disk image without depending on the file system. With it, forensic analysts can recover data from unallocated disk space, a corrupted file system, memory or swap space, while ensuring that the carved files are original and intact.

This thesis introduces the computer forensic procedure, in particular event log forensics and its research status, and discusses the difficulties examiners face: they need more effective file carving techniques to cope with scenarios such as deleted or corrupted files and formatted or uninstalled file systems. File carving has developed quickly in recent years and many novel methods have been applied. This thesis studies these carving methods in depth, discusses the merits and limitations of each, and examines the internal structures and content characteristics of many file types. The latest research results in event log file carving are discussed, and the limitations and challenges of existing event log file carving are summarized.

Based on an in-depth study of the content features and internal structure of the log file, combined with information statistics, data structures and semantic knowledge, we apply the theory of content characteristics to event log file carving. The resulting carving method recovers EVT files from an unstructured raw disk image through header/trailer validation and validation of the trailer offset, file wrapping and internal structure validation, entropy difference validation, file fragment reassembly validation and semantic validation.
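The header/trailer, trailer-offset, internal-structure and entropy checks just listed, as an added Python example that is not code from the thesis (the author's implementation is not shown on this page). It assumes the documented Windows NT EVT layout: a 48-byte header whose signature "LfLe" sits at offset 4, event records that repeat their 4-byte-aligned length at head and tail, and a 40-byte EOF record carrying the fixed markers 0x11111111 to 0x44444444. The sample EVT file, the event text and the surrounding random bytes are constructed here; the "entropy gap" field is this example's own reading of entropy difference validation (entropy of the bytes following the candidate minus entropy of the candidate). Wrapped (circular) logs, fragment reassembly and semantic validation are not covered.

```python
import math
import random
import struct

EVT_SIG = b"LfLe"                   # signature in the file header and in every record
HEADER_FMT = "<IIIIIIIIIIII"        # 48-byte file header as 12 uint32 fields
EOF_FMT = "<IIIIIIIIII"             # 40-byte EOF (trailer) record as 10 uint32 fields
EOF_MAGIC = (0x11111111, 0x22222222, 0x33333333, 0x44444444)
REC_HDR_FMT = "<I4sIIIIHHHHIIIIII"  # 56-byte fixed part of an event record

def entropy(data):
    """Shannon entropy in bits per byte."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_header(buf, off):
    """Header validation: fixed sizes, signature, version 1.1 and offset sanity."""
    if off < 0 or len(buf) - off < 48:
        return None
    (size, sig, major, minor, start, end, cur, oldest,
     maxsize, _flags, _retention, end_size) = struct.unpack_from(HEADER_FMT, buf, off)
    if size != 0x30 or end_size != 0x30 or sig != 0x654C664C or (major, minor) != (1, 1):
        return None
    if start < 0x30 or end > maxsize:
        return None
    return {"start": start, "end": end, "cur": cur, "oldest": oldest}

def parse_trailer(buf, off):
    """Trailer validation: both size fields are 0x28 and the four magic words are present."""
    if len(buf) - off < 40:
        return None
    f = struct.unpack_from(EOF_FMT, buf, off)
    if f[0] != 0x28 or f[9] != 0x28 or f[1:5] != EOF_MAGIC:
        return None
    return {"begin": f[5], "end": f[6], "cur": f[7], "oldest": f[8]}

def walk_records(buf, base, start, end):
    """Internal structure validation: walk the record chain from start and require
    it to land exactly on the trailer offset; returns the record numbers seen."""
    off, numbers = start, []
    while off < end:
        if base + off + 8 > len(buf):
            return None
        length, sig = struct.unpack_from("<I4s", buf, base + off)
        if sig != EVT_SIG or length < 60 or length % 4 or off + length > end:
            return None
        if struct.unpack_from("<I", buf, base + off + length - 4)[0] != length:
            return None
        numbers.append(struct.unpack_from("<I", buf, base + off + 8)[0])
        off += length
    return numbers if off == end else None

def carve_evt(image):
    """Scan an unstructured image for contiguous, non-wrapped EVT files."""
    hits, pos = [], image.find(EVT_SIG)
    while pos != -1:
        base = pos - 4                          # the signature sits 4 bytes into the header
        hdr = parse_header(image, base)
        if hdr and hdr["start"] < hdr["end"]:   # a wrapped log has end < start; not handled here
            trl = parse_trailer(image, base + hdr["end"])   # trailer offset comes from the header
            if trl and (trl["begin"], trl["end"], trl["cur"]) == (hdr["start"], hdr["end"], hdr["cur"]):
                recs = walk_records(image, base, hdr["start"], hdr["end"])
                if recs is not None:
                    size = hdr["end"] + 40
                    body = image[base:base + size]
                    after = image[base + size:base + 2 * size]
                    hits.append({"offset": base, "size": size, "records": recs,
                                 "entropy_gap": entropy(after) - entropy(body)})
        pos = image.find(EVT_SIG, pos + 1)
    return hits

# --- constructed sample data; none of it comes from a real system -----------
def build_record(num, source, computer, event_id, strings, when=1262304000):
    names = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in (source, computer))
    strs = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    payload = names + strs
    while (56 + len(payload) + 4) % 4:          # pad so the record length is a multiple of 4
        payload += b"\x00"
    length = 56 + len(payload) + 4
    head = struct.pack(REC_HDR_FMT, length, EVT_SIG, num, when, when, event_id, 4,
                       len(strings), 0, 0, 0, 56 + len(names), 0, 0, 0, 0)
    return head + payload + struct.pack("<I", length)

def sample_evt(max_size=0x80000):
    recs = [build_record(1, "Service Control Manager", "WS-CONSTRUCTED", 7036,
                         ["Windows Event Log", "running"]),
            build_record(2, "Security", "WS-CONSTRUCTED", 528, ["jdoe", "CONSTRUCTED"])]
    data = b"".join(recs)
    start, end, cur, oldest = 0x30, 0x30 + len(data), len(recs) + 1, 1
    header = struct.pack(HEADER_FMT, 0x30, 0x654C664C, 1, 1, start, end, cur, oldest, max_size, 0, 0, 0x30)
    trailer = struct.pack(EOF_FMT, 0x28, *EOF_MAGIC, start, end, cur, oldest, 0x28)
    return header + data + trailer

def sample_image():
    rng = random.Random(7)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    # a stray signature in the noise exercises the false-positive rejection
    return noise(1024) + sample_evt() + noise(2048) + EVT_SIG + noise(300)

if __name__ == "__main__":
    for hit in carve_evt(sample_image()):
        print(hit)
```

Running the block carves exactly one file at offset 1024 with records 1 and 2, while the stray signature is rejected at header validation because the bytes before it do not form a valid header. On a real image the same scan runs over the raw device or image file; the cross-check of the header's EndOffset against the trailer's own offset fields is what distinguishes a complete file from a header fragment whose body has been overwritten.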
Without any manual intervention, the carving method effectively reassembles the fragments of an EVT file, including out-of-order fragments. The method and other carving tools were tested on three real Windows disk images; the experimental results show that this method performs better than the others.

Building on the preceding experience, theory and experiments with Windows NT event log files, this thesis presents an in-depth study of a brand-new log file format, the EVTX format used by Windows Vista. The presented EVTX file carving method, also based on content characteristics, includes the following validation steps: header/chunk number/chunk check validation, chunk-based fragment search and reassembly validation, and single record extraction with format transformation. The method automatically carves both contiguous and fragmented EVTX files from the raw disk image, whether the fragments are in order or out of order.
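The EVTX steps named above (file header validation, chunk check validation, chunk-based search and reassembly, and single record extraction), as an added Python example that is not the thesis's code. It assumes the documented EVTX layout: a 4096-byte file header starting "ElfFile\0" whose CRC32 covers its first 120 bytes, 65536-byte chunks starting "ElfChnk\0" whose header CRC32 covers bytes 0-119 and 128-511 and whose record CRC32 covers the record area, and records starting "**\0\0" that repeat their size at the tail. The two chunks, the file header, the placeholder binary XML payloads and the surrounding random bytes are all constructed here, and chunk B is deliberately placed ahead of chunk A in the image so that reassembly by record identifier is exercised. Format transformation (binary XML to XML) is outside this example; the record payload is returned as raw bytes.

```python
import random
import struct
import zlib

FILE_SIG, CHUNK_SIG, REC_SIG = b"ElfFile\x00", b"ElfChnk\x00", b"\x2a\x2a\x00\x00"
CHUNK_SIZE, FILE_HDR_SIZE = 0x10000, 0x1000

def parse_file_header(buf, off):
    """Header validation: signature, fixed sizes, major version 3 and CRC32 of the first 120 bytes."""
    if len(buf) - off < 128 or buf[off:off + 8] != FILE_SIG:
        return None
    first, last, next_id, hdr_size, _minor, major, blk, nchunks = struct.unpack_from("<QQQIHHHH", buf, off + 8)
    if hdr_size != 128 or blk != FILE_HDR_SIZE or major != 3:
        return None
    if zlib.crc32(buf[off:off + 120]) != struct.unpack_from("<I", buf, off + 124)[0]:
        return None
    return {"offset": off, "first_chunk": first, "last_chunk": last, "chunks": nchunks, "next_id": next_id}

def parse_chunk(buf, off):
    """Chunk check validation: both CRC32s must hold and the record chain must be intact."""
    if len(buf) - off < CHUNK_SIZE or buf[off:off + 8] != CHUNK_SIG:
        return None
    (_fnum, _lnum, first_id, last_id, hdr_size,
     _last_off, free, rec_crc) = struct.unpack_from("<QQQQIIII", buf, off + 8)
    if hdr_size != 128 or not 512 <= free <= CHUNK_SIZE:
        return None
    if zlib.crc32(buf[off:off + 120] + buf[off + 128:off + 512]) != struct.unpack_from("<I", buf, off + 124)[0]:
        return None
    if zlib.crc32(buf[off + 512:off + free]) != rec_crc:
        return None
    records, pos = [], off + 512
    while pos < off + free:                      # single record extraction; binary XML kept raw
        if buf[pos:pos + 4] != REC_SIG:
            return None
        size, rec_id, written = struct.unpack_from("<IQQ", buf, pos + 4)
        if size < 28 or pos + size > off + free or struct.unpack_from("<I", buf, pos + size - 4)[0] != size:
            return None
        records.append({"id": rec_id, "written": written, "binxml": buf[pos + 24:pos + size - 4]})
        pos += size
    if not records or (records[0]["id"], records[-1]["id"]) != (first_id, last_id):
        return None
    return {"offset": off, "first_id": first_id, "last_id": last_id, "records": records}

def scan(image, sig, parser):
    """Signature search: every occurrence of sig is handed to parser; invalid hits are dropped."""
    found, pos = [], image.find(sig)
    while pos != -1:
        item = parser(image, pos)
        if item:
            found.append(item)
        pos = image.find(sig, pos + 1)
    return found

def carve_evtx(image):
    """Chunk-based reassembly: order valid chunks by record identifier, split runs at gaps."""
    files, run = [], []
    for c in sorted(scan(image, CHUNK_SIG, parse_chunk), key=lambda c: c["first_id"]):
        if run and c["first_id"] != run[-1]["last_id"] + 1:
            files.append(run)
            run = []
        run.append(c)
    if run:
        files.append(run)
    return {"headers": scan(image, FILE_SIG, parse_file_header), "files": files}

# --- constructed sample data; none of it comes from a real system -----------
def build_record(rec_id, binxml, written=0x01CA8A8C00000000):   # arbitrary FILETIME-style value
    size = 24 + len(binxml) + 4
    return REC_SIG + struct.pack("<IQQ", size, rec_id, written) + binxml + struct.pack("<I", size)

def build_chunk(records):
    ids = [struct.unpack_from("<Q", r, 8)[0] for r in records]
    data = b"".join(records)
    chunk = bytearray(CHUNK_SIZE)
    chunk[0:8] = CHUNK_SIG
    chunk[512:512 + len(data)] = data
    struct.pack_into("<QQQQIIII", chunk, 8, ids[0], ids[-1], ids[0], ids[-1], 128,
                     512 + len(data) - len(records[-1]), 512 + len(data), zlib.crc32(data))
    struct.pack_into("<I", chunk, 124, zlib.crc32(bytes(chunk[0:120]) + bytes(chunk[128:512])))
    return bytes(chunk)

def build_file_header(nchunks, next_id):
    hdr = bytearray(FILE_HDR_SIZE)
    hdr[0:8] = FILE_SIG
    struct.pack_into("<QQQIHHHH", hdr, 8, 0, nchunks - 1, next_id, 128, 1, 3, FILE_HDR_SIZE, nchunks)
    struct.pack_into("<I", hdr, 124, zlib.crc32(bytes(hdr[0:120])))
    return bytes(hdr)

def sample_chunks():
    """Two constructed chunks holding records 1-2 and 3-4 with placeholder binary XML."""
    a = build_chunk([build_record(1, b"<placeholder-binxml-1>"), build_record(2, b"<placeholder-binxml-2>")])
    b = build_chunk([build_record(3, b"<placeholder-binxml-3>"), build_record(4, b"<placeholder-binxml-4>")])
    return a, b

def sample_image():
    rng = random.Random(11)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    a, b = sample_chunks()
    # chunk b is written before chunk a to simulate out-of-order fragments
    return noise(700) + b + noise(300) + build_file_header(2, 5) + noise(100) + a + noise(200)

if __name__ == "__main__":
    result = carve_evtx(sample_image())
    print(result["headers"])
    print([[c["offset"] for c in f] for f in result["files"]])
```

Because each chunk carries its own checksums and its own first and last record identifiers, chunks can be validated and ordered without the file header; the header, when it survives, adds a chunk count and next record identifier against which the reassembled run can be checked. A flipped byte anywhere in a chunk's record area breaks the record checksum, so damaged chunks never enter a reassembled file.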
Keywords/Search Tags: Computer forensics, Event log, File carving, Content character, EVT files, EVTX files, Binary XML stream