With the development of information technology, data recovery has become a powerful tool against high-tech information crime. File carving is a deep data recovery technology that is independent of file system meta-information; it effectively makes up for the deficiencies of traditional data recovery and has become a research hotspot in the field of computer forensics. The widely used Microsoft Word file is an important form of digital evidence, so the study of carving technology for Word files is very important.

This paper summarizes existing file carving technology, mines the structure and content characteristics of Word files in depth, studies Word file carving, and completes the following four pieces of work.

First, this paper analyzes the existing file carving techniques in detail, clarifies the advantages and limitations of these techniques, and summarizes the challenges that existing file carving technologies face and the future direction of their development.

Second, this paper presents an automatic carving method for Word 2003 files based on interior virtual streams. The method uses the features of the interior virtual streams in the file to carve Word 2003 files, and it can automatically carve both continuous and fragmented files. Comparative experiments on artificial and real-world data sets show that the carving algorithm has obvious advantages over other methods in overall performance in three respects: the number of files carved, and the accuracy and recall of the results.

Third, this paper proposes, for the first time, an authenticity verification method for Word 2003 files based on interior virtual streams. The method can calculate the authenticity of a restored Word 2003 file; it builds on a study of the existing laws and standards for computer evidence and an analysis of the internal format, content and storage characteristics of the file, and it is proved to be feasible.

Finally, this paper proposes a Word 2007 file carving algorithm.
This method makes use of the structure and content characteristics of Word 2007 files, combines them with existing carving technology, and presents a solution to carving problems including local bifragments in Word 2007 files and damage to or loss of data in non-critical parts of a Word 2007 file. Comparative experiments on a real-world data set show that the carving algorithm is superior to other similar algorithms.

In summary, this paper presents Word file carving algorithms and an authenticity verification method whose feasibility and effectiveness have been demonstrated by experiments. These research achievements not only provide a new approach for the further development of file carving technology but also lay the foundation for implementing a practical file carving system.