File recovery and data extraction using automated data recovery tools – A balanced approach using Windows and Linux when working with an unknown disk image and filesystem


  1. Carbone, R.
Corporate Authors
Defence R&D Canada - Valcartier, Valcartier QUE (CAN)
This memorandum is the direct result of the analysis of an unknown disk containing unknown data, files and filesystem. The disk was brought to an analysis team at DRDC Valcartier by an agency that desired to ascertain the research centre’s capabilities for extracting and recovering unknown forensic data from an unknown disk and, if possible, automate the process. However, a thorough analysis using various Windows and Linux-based automated data and file recovery tools has led the author to determine that automated tools, regardless of the underlying system, are not yet up to this specific challenge. In addition, the author is of the opinion that fully automated disk recovery tools will never be entirely successful. Instead, the author has determined that a manual approach to data and file extraction will be necessary in order to recover any meaningful data or files from this disk’s unknown filesystem. However, this memorandum will only examine the automated approach used by the various Windows and Linux tools. An additional follow-up study will specifically examine the required manual approach necessary for data recovery from an unknown disk using data pattern matching techniques and sector-by-sector analysis using known file signatures.

There is a French abstract here.

Report Number
DRDC-VALCARTIER-TM-2009-161 — Technical Memorandum
Date of publication
01 Aug 2009
Number of Pages
Electronic Document (PDF)
