Skoči na glavni sadržaj

Tehnički vjesnik, Vol. 29 No. 5, 2022.

Prethodno priopćenje

https://doi.org/10.17559/TV-20210218122046

Analysing and Carving MS Word and PDF Files from RAM Images on Windows

Kubilay Taşdelen ; Department of Electrical Electronics Engineering, Isparta University of Applied Sciences, 32050, Isparta, Turkey
Ahmet Ali Süzen orcid id orcid.org/0000-0002-5871-1652 ; Department of Information Security Technology, Isparta University of Applied Sciences, 32050, Isparta, Turkey

Puni tekst: engleski pdf 2.125 Kb

str. 1714-1720

preuzimanja: 417

citiraj

Sažetak

In this study, a piece of software has been developed to recover the readable data by carving MS Word and PDF files from the RAM image. String searching, signature scanning, and data carving methods are used in the design of the software. The analysis was performed on a RAM image of 14 GB by using the software that was developed. The success rate for each file was determined by comparing the recovered data to the data in the original file. It was determined that the rate of data recovery decreases as the size of the MS Word or PDF files loaded onto RAM increases. Consequently, it is aimed to be an important example of obtaining electronic evidence from volatile data in forensic informatics with the proposed study.

Ključne riječi

electronic evidence; file carving; forensic science; image acquisition; memory analysis; memory forensics

Hrčak ID:

281688

URI

https://hrcak.srce.hr/281688

Datum izdavanja:

15.10.2022.

Posjeta: 867 *