Technical gazette, Vol. 29 No. 5, 2022.
Preliminary communication
https://doi.org/10.17559/TV-20210218122046
Analysing and Carving MS Word and PDF Files from RAM Images on Windows
Kubilay Taşdelen; Department of Electrical Electronics Engineering, Isparta University of Applied Sciences, 32050, Isparta, Turkey
Ahmet Ali Süzen (orcid.org/0000-0002-5871-1652); Department of Information Security Technology, Isparta University of Applied Sciences, 32050, Isparta, Turkey
Abstract
In this study, software was developed to recover readable data by carving MS Word and PDF files from a RAM image. The design of the software uses string searching, signature scanning, and data carving methods. The analysis was performed on a 14 GB RAM image using the developed software. The success rate for each file was determined by comparing the recovered data to the data in the original file. The rate of data recovery was found to decrease as the size of the MS Word or PDF files loaded into RAM increases. The proposed study is therefore intended to serve as an important example of obtaining electronic evidence from volatile data in forensic informatics.
Keywords
electronic evidence; file carving; forensic science; image acquisition; memory analysis; memory forensics
Hrčak ID: 281688
Publication date: 15.10.2022.