Recovery of heavily fragmented JPEG files

Yanbin Tang; Junbin Fang; K. P. Chow; S. M. Yiu; Jun Xu; Bo Feng; Qiong Li; Qi Han

doi:10.1016/j.diin.2016.04.016

Recovery of heavily fragmented JPEG files

Yanbin Tang
, Junbin Fang
, K. P. Chow
, S. M. Yiu^*
, Jun Xu
, Bo Feng
, Qiong Li
, Qi Han

^*Corresponding author for this work

The University of Hong Kong
University of Jinan
Harbin Institute of Technology
Stony Brook University
School of Computer Science and Technology, Harbin Institute of Technology

Research output: Contribution to journal › Article › peer-review

21 Scopus citations

Abstract

File carving from damaged file system plays an important role in file recovery for identifying evidence in digital forensics. In this paper, we focus on JPEG file carving, with an emphasis on heavily fragmented cases. The difficulty lies on how to order fragmented pieces into a complete picture without sufficient decoding information. We provide a framework to tackle this problem, which consists of the following key components: (i) a new similarity metric (CED) to evaluate if two data blocks are consecutive in the same JPEG file and a fragmentation point detection algorithm based on CED; and (ii) an overall recovery algorithm to reconstruct the JPEG file from fragmented pieces. The proposed framework was verified on an image dump from a SD card of a digital camera. The results were compared to Adroit Photo Forensic (APF), a commonly used photo carving tool. In our experiments, our tool can automatically recover 97% fragmented JPEG files (versus 79% by APF).

Original language	English
Pages (from-to)	S108-S117
Journal	Digital Investigation
Volume	18
DOIs	https://doi.org/10.1016/j.diin.2016.04.016
State	Published - 7 Aug 2016
Externally published	Yes

Keywords

Color similarity
Fragmentation point
Fragmented JPEG file
JPEG file carving
Photo forensics

Access to Document

10.1016/j.diin.2016.04.016

Cite this

@article{e72417fc970d4c838fd2cf071ab66358,

title = "Recovery of heavily fragmented JPEG files",

abstract = "File carving from damaged file system plays an important role in file recovery for identifying evidence in digital forensics. In this paper, we focus on JPEG file carving, with an emphasis on heavily fragmented cases. The difficulty lies on how to order fragmented pieces into a complete picture without sufficient decoding information. We provide a framework to tackle this problem, which consists of the following key components: (i) a new similarity metric (CED) to evaluate if two data blocks are consecutive in the same JPEG file and a fragmentation point detection algorithm based on CED; and (ii) an overall recovery algorithm to reconstruct the JPEG file from fragmented pieces. The proposed framework was verified on an image dump from a SD card of a digital camera. The results were compared to Adroit Photo Forensic (APF), a commonly used photo carving tool. In our experiments, our tool can automatically recover 97\% fragmented JPEG files (versus 79\% by APF).",

keywords = "Color similarity, Fragmentation point, Fragmented JPEG file, JPEG file carving, Photo forensics",

author = "Yanbin Tang and Junbin Fang and Chow, \{K. P.\} and Yiu, \{S. M.\} and Jun Xu and Bo Feng and Qiong Li and Qi Han",

note = "Publisher Copyright: {\textcopyright} 2016 The Author(s)",

year = "2016",

month = aug,

day = "7",

doi = "10.1016/j.diin.2016.04.016",

language = "英语",

volume = "18",

pages = "S108--S117",

journal = "Digital Investigation",

issn = "1742-2876",

publisher = "Elsevier Ltd",

}

TY - JOUR

T1 - Recovery of heavily fragmented JPEG files

AU - Tang, Yanbin

AU - Fang, Junbin

AU - Chow, K. P.

AU - Yiu, S. M.

AU - Xu, Jun

AU - Feng, Bo

AU - Li, Qiong

AU - Han, Qi

PY - 2016/8/7

Y1 - 2016/8/7

N2 - File carving from damaged file system plays an important role in file recovery for identifying evidence in digital forensics. In this paper, we focus on JPEG file carving, with an emphasis on heavily fragmented cases. The difficulty lies on how to order fragmented pieces into a complete picture without sufficient decoding information. We provide a framework to tackle this problem, which consists of the following key components: (i) a new similarity metric (CED) to evaluate if two data blocks are consecutive in the same JPEG file and a fragmentation point detection algorithm based on CED; and (ii) an overall recovery algorithm to reconstruct the JPEG file from fragmented pieces. The proposed framework was verified on an image dump from a SD card of a digital camera. The results were compared to Adroit Photo Forensic (APF), a commonly used photo carving tool. In our experiments, our tool can automatically recover 97% fragmented JPEG files (versus 79% by APF).

AB - File carving from damaged file system plays an important role in file recovery for identifying evidence in digital forensics. In this paper, we focus on JPEG file carving, with an emphasis on heavily fragmented cases. The difficulty lies on how to order fragmented pieces into a complete picture without sufficient decoding information. We provide a framework to tackle this problem, which consists of the following key components: (i) a new similarity metric (CED) to evaluate if two data blocks are consecutive in the same JPEG file and a fragmentation point detection algorithm based on CED; and (ii) an overall recovery algorithm to reconstruct the JPEG file from fragmented pieces. The proposed framework was verified on an image dump from a SD card of a digital camera. The results were compared to Adroit Photo Forensic (APF), a commonly used photo carving tool. In our experiments, our tool can automatically recover 97% fragmented JPEG files (versus 79% by APF).

KW - Color similarity

KW - Fragmentation point

KW - Fragmented JPEG file

KW - JPEG file carving

KW - Photo forensics

UR - https://www.scopus.com/pages/publications/84982844594

U2 - 10.1016/j.diin.2016.04.016

DO - 10.1016/j.diin.2016.04.016

M3 - 文章

AN - SCOPUS:84982844594

SN - 1742-2876

VL - 18

SP - S108-S117

JO - Digital Investigation

JF - Digital Investigation

ER -

Recovery of heavily fragmented JPEG files

Abstract

Keywords

Access to Document

Other files and links

Fingerprint

Cite this