Tongxin xuebao (Jul 2021)
Memory fragment file carving algorithm based on the reverse of the structure chain
Abstract
To address the extraction of document evidence for doc, pdf, and other common file types from a memory image, a model of fragment file carving based on the memory image was proposed. On the basis of this model, a fragment file carving algorithm based on the reverse of the file object structure chain was designed and implemented; the algorithm is able to obtain file data left behind in the memory image file. The experimental results show that the proposed algorithm can successfully carve out the metadata of memory files with an accuracy of 100%, and that in a typical application case the accuracy of the algorithm for memory files can reach 87.5%, far higher than that of disk-based file carving algorithms.