Analysing and Carving MS Word and PDF Files from RAM Images on Windows

Kubilay Taşdelen; Ahmet Ali Süzen

doi:10.17559/TV-20210218122046

Tehnički Vjesnik (Jan 2022)

Analysing and Carving MS Word and PDF Files from RAM Images on Windows

Kubilay Taşdelen,
Ahmet Ali Süzen

Affiliations

Kubilay Taşdelen: Department of Electrical Electronics Engineering, Isparta University of Applied Sciences, 32050, Isparta, Turkey
Ahmet Ali Süzen: Department of Information Security Technology, Isparta University of Applied Sciences, 32050, Isparta, Turkey

DOI: https://doi.org/10.17559/TV-20210218122046
Journal volume & issue: Vol. 29, no. 5
pp. 1714 – 1720

Abstract

Read online

In this study, a piece of software has been developed to recover the readable data by carving MS Word and PDF files from the RAM image. String searching, signature scanning, and data carving methods are used in the design of the software. The analysis was performed on a RAM image of 14 GB by using the software that was developed. The success rate for each file was determined by comparing the recovered data to the data in the original file. It was determined that the rate of data recovery decreases as the size of the MS Word or PDF files loaded onto RAM increases. Consequently, it is aimed to be an important example of obtaining electronic evidence from volatile data in forensic informatics with the proposed study.

Published in Tehnički Vjesnik

ISSN: 1330-3651 (Print); 1848-6339 (Online)
Publisher: Faculty of Mechanical Engineering in Slavonski Brod, Faculty of Electrical Engineering in Osijek, Faculty of Civil Engineering in Osijek
Country of publisher: Croatia
LCC subjects: Technology: Engineering (General). Civil engineering (General)
Website: http://hrcak.srce.hr/tehnicki-vjesnik

About the journal

Abstract

Keywords