Eindhoven University of Technology
Department of Mathematics and Computer Science
Master’s Thesis
Measuring and Improving the Quality of
File Carving Methods
by
S.J.J. Kloet
Supervisor: Prof. Dr. W.J. Fokkink
Almere, October 29, 2007
Preface
Ever since I locked myself into my room as a toddler by disassembling the
doorknob, I have been interested in security and how things work. This interest
is what led me to visit a lecture by Robert-Jan Mora and Marcel Westerhoud
of Hoffmann Forensic, which I thought would be about the recovery of deleted
files. Even though the lecture was about completely different topics than I had
expected, they had very much managed to gain my interest. One thing led to
another and about five months later I started my master’s project at Hoffmann
about. . . the recovery of deleted files.
These last eight and a half months have been a complete roller coaster ride, with
the goal of the project being expanded after three months, participation in an
international file carving challenge and a complete thesis overhaul four weeks
before the end, but it was well worth it. This has become more than just a
master’s project, it has become something that I will continue working on long
after I have graduated.
I would like to thank a whole list of people that have helped me to get where I
am today.
First of all my parents and stepparents, who have supported me in all my years
of studying, even when I switched studies after three years.
Wan Fokkink, Robert-Jan Mora and Marcel Westerhoud for their guidance and
support throughout this project. Many, many thanks to Joachim Metz for his
invaluable guidance and advice on both my thesis and the project itself.
I’d also like to thank my friends at Spacelabs, without our combined study
efforts I would never have passed each examination of my master on the first
attempt. Special thanks to Paul van Tilburg, for all his help on studying, Linux,
L
A
T
E
X, but most of all for being a great friend.
Last, but certainly not least, I’d like to thank my girlfriend Henrieke, who was
my “rots in de branding”, especially during the last stressful weeks. And who
forced me to relax when I truly needed it but refused to admit it to myself.
Bas Kloet
Almere, October 29, 2007
Summary
Recovering deleted files plays an important role in a digital forensic investiga-
tion. One of the methods that can be used to recover these deleted files is file
carving. File carving works by extracting files out of raw data, based on file
format specific characteristics present in that data. There are a number of tools
that can perform file carving, based on different techniques, but until now the
quality of these tools and techniques was unclear.
This thesis describes a quality method that was developed to measure the quality
of a tool or technique based on the results it produces. Based on the results of
these measurements on current carving tools, a number of areas were identified
that could be improved. A new carving framework was developed to address
these points of improvements, and its results were tested using the previously
developed quality method. The new carving framework achieved significantly
better results on all identified improvement areas.