Abstract
There is a significant amount of research in digital forensics into analyzing file fragments or reconstructing fragmented data. At the same time, there are no recent measurements of fragmentation on current, in-use computer systems. To close this gap, we have analyzed file fragmentation from a corpus of 220 privately owned Windows laptops.
We provide a detailed report of our findings. This includes contemporary fragmentation rates for a wide variety of image-, video-, office-, database-, and archive-related extensions. Our data substantiates the earlier finding that fragments for a significant portion of fragmented files are stored out-of-order. We define metrics to measure the degree of “out-of-orderedness” and find that the average degree of out-of-orderedness is non-negligible. Finally, we find that there is a significant group of fragmented files for which reconstruction is insufficiently addressed by current tooling.
We provide a detailed report of our findings. This includes contemporary fragmentation rates for a wide variety of image-, video-, office-, database-, and archive-related extensions. Our data substantiates the earlier finding that fragments for a significant portion of fragmented files are stored out-of-order. We define metrics to measure the degree of “out-of-orderedness” and find that the average degree of out-of-orderedness is non-negligible. Finally, we find that there is a significant group of fragmented files for which reconstruction is insufficiently addressed by current tooling.
Original language | English |
---|---|
Article number | 301125 |
Number of pages | 11 |
Journal | Forensic Science International: Digital Investigation |
Volume | 38 |
DOIs | |
Publication status | Published - Oct 2021 |
Keywords
- Digital forensics
- File carving
- File fragmentation