Reassembly and clustering bifragmented intertwined jpeg images using genetic algorithm and extreme learning machine
Main Author: | |
---|---|
Format: | Thesis |
Language: | English |
Published: | 2019 |
Subjects: | |
Online Access: | http://eprints.uthm.edu.my/116/1/24p%20RABEI%20RAAD%20ALI.pdf http://eprints.uthm.edu.my/116/2/RABEI%20RAAD%20ALI%20COPYRIGHT%20DECLARATION.pdf http://eprints.uthm.edu.my/116/3/RABEI%20RAAD%20ALI%20WATERMARK.pdf http://eprints.uthm.edu.my/116/ |
Summary: | File carving tools are an essential element of digital forensic investigation for recovering evidence data from computer disk drives. Today, JPEG image files are a popular file format with less structured contents, which makes carving them possible in the absence of any file system metadata. However, completely recovering intertwined bifragmented JPEG images into their original form without missing any parts or data of the image is challenging, because the intertwined case might occur with non-JPEG data such as PDF, text, Microsoft Office or random data. In this research, a new carving framework called RX_myKarve is presented to address the fragmentation issues that often occur in JPEG images. RX_myKarve is an extended framework from X_myKarve, which consists of the following key components: (i) an Extreme Learning Machine (ELM) neural network for cluster classification using three existing content-based feature extraction methods (Entropy, Byte Frequency Distribution (BFD) and Rate of Change (RoC)) to improve the identification of JPEG image content and support the reassembling process; (ii) a genetic algorithm with a Coherence Euclidean Distance (CED) metric and cost function to reconstruct a JPEG image from a set of deformed and fragmented clusters in the scan area. RX_myKarve is a framework that contains both structure-based carving and content-based carving approaches. RX_myKarve is implemented as an Automatic JPEG Carver (AJC) tool in order to test and compare its performance with state-of-the-art carvers such as RevIt, myKarve and X_myKarve. It is applied to three datasets, namely the DFRWS (2006 and 2007) forensic challenge datasets and a new dataset, to test and evaluate the AJC tool. These datasets have complex challenges that simulate the particular fragmentation cases addressed in this research. The final results show that the AJC, with the aid of the RX_myKarve framework, outperforms X_myKarve, myKarve and RevIt. RX_myKarve is able to completely carve 23.8% more images than X_myKarve, 45.4% more images than myKarve and 67% more images than RevIt, and the AJC tool using RX_myKarve completely solves the research problem. |
---|