A Method For Carving AVI Files Based On Four-character Codes And Decision Tree Algorithm

Data recovery is an important branch of information security. It can be widespreadly used in computer forensics and civilian data recovery. Research in data recovery has been for a long time, and research on data recovery on a specific platform also achieves much. File carving technlogy recovers files according to the file contents without depending on the file system metadata and is an important area in data recovery. File carving needs to be further studied due to many file formats, coding complexity and lack of relevant theories. Because this technique can restore Fragmentated files, no matter which kinds of operating system environment and file systems, it has been increasingly important in the commercial file recovery and computer forensic fields.So far, a majority of papers on file carving is about how to carve JPEG files, as well as some focus on the classification of Blocks. Reseachers pay little attention on video file carving. This paper is aimed to give a complete file carving scheme for AVI files from the view of forensics. Classification, reasembly and verification involved in the recovery process will be studied and given solutions.Aimed at AVI video files, this paper presents a complete recovery program. It solves the reasembly problem by establishing mapping functions based on the characteristics of index of AVI files. DFRWS data set is used to show how it works. In addition, the idea whether the program can be extended to an environment where multiple fragmented AVI video files coexist is discussed.Finally, a continuously restored AVI file and a fragmented AVI file are recoverd. The recovery process includes determining the mapping function, determining fragmentation point, reassembly and validation. During determining the fragmentation point, it is necessary to determine the type of some block.This paper gives a method based on the four-character codes and C4.5 algorithom to idenfiy the AVI-type blocks.To evaluate and verify the effectiveness of the scheme of the classification of AVI blocks, four experiments are done. Every recovered file should be verified to make sure that the files meet the availability and logic. Two authentication methods are given.They are automated syntax validation and manual verification. At last, the design scheme of a file carving system for AVI video files is given to verify the associated theory.