Event / Presentation Title

Understanding Deleted File Decay on Removable Media using Differential Analysis

Proposal / Submission Type

Peer Reviewed Paper

Abstract

Digital content created by picture recording devices is often stored internally on the source device, on either embedded or removable media. Such storage media is typically limited in capacity and meant primarily for interim storage of the most recent image files, and these devices are frequently configured to delete older files as necessary to make room for new files. When investigations involve such devices and media, it is sometimes these older deleted files that would be of interest. It is an established fact that deleted file content may persist in part or in its entirety after deletion, and identifying the nature of file fragments on digital media has been an active research area for years. However, very little research has been conducted to understand how and why deleted file content persists (or decays) on different media and under different circumstances. The research reported here builds upon prior work establishing a methodology for the study of deleted file decay generally, and the application of that methodology to the decay of deleted files on traditional computing systems with spinning magnetic disks. In this current work, we study the decay of deleted image files on a digital camera with removable SD card storage, and we conduct preliminary experiments for direct SD card and USB storage. Our results indicate that deleted file decay is affected by the size of both the deleted and overwriting files, overwrite frequency, sector size, and cluster size. These results have implications for digital forensic investigators seeking to recover and interpret file fragments.

Comments

View the agenda session- Morning Session 3- File System Forensics

This document is currently not available here.

Share

COinS
 

Understanding Deleted File Decay on Removable Media using Differential Analysis

Digital content created by picture recording devices is often stored internally on the source device, on either embedded or removable media. Such storage media is typically limited in capacity and meant primarily for interim storage of the most recent image files, and these devices are frequently configured to delete older files as necessary to make room for new files. When investigations involve such devices and media, it is sometimes these older deleted files that would be of interest. It is an established fact that deleted file content may persist in part or in its entirety after deletion, and identifying the nature of file fragments on digital media has been an active research area for years. However, very little research has been conducted to understand how and why deleted file content persists (or decays) on different media and under different circumstances. The research reported here builds upon prior work establishing a methodology for the study of deleted file decay generally, and the application of that methodology to the decay of deleted files on traditional computing systems with spinning magnetic disks. In this current work, we study the decay of deleted image files on a digital camera with removable SD card storage, and we conduct preliminary experiments for direct SD card and USB storage. Our results indicate that deleted file decay is affected by the size of both the deleted and overwriting files, overwrite frequency, sector size, and cluster size. These results have implications for digital forensic investigators seeking to recover and interpret file fragments.