Forensic Multimedia File Carving

Abstract: Distribution of video contents over the Internet has increased drastically over the past few years. With technological advancements and emergence of social media services, video content sharing has grown exponentially. An increased number of cyber crimes today belong to possession or distribution of illegal video contents over the Internet. Therefore, it is crucial for forensic examiners to have the capability of recovering and analyzing illegal video contents from seized storage devices. File carving is an advanced forensic technique used to recover deleted contents from a storage device even when there is no file system present. After recovering a deleted video file, its contents have to be analyzed manually in order to classify them. This is not only very stressful but also takes a large amount of time. In this thesis we propose a carving approach for streaming multimedia formats that allows forensic examiners to recover individual frames of a video file as images. The contents of these images then can be classified using existing techniques for forensic analysis of image sets. A carving tool based on this approach is developed for MPEG-1 video files. A number of experiments are conducted to evaluate performance of the tool. For each experiment an MPEG-1 file with different encoding parameters is used. Moreover, each experiment contains 18 runs and with each run chunk size of the input MPEG-1 file is varied in order to create different amount of disk fragmentation For video only MPEG-1 files, 87.802 % frames are fully recovered when the chunk size is equal to 124 KB. Where as in the case of MPEG-1 files containing both audio and video data 90.55 % frames are fully recovered when the chunk size is 132 KB.