In 2014, we launched our open-access repository which offers full text access to conference proceedings from many of our events including the INC and HAISA series. These papers are free to access and distribute (subject to citing the source).
European Information Security Multi-Conference (EISMC 2013)
Title: Visualisation of allocated and unallocated data blocks in digital forensics
Author(s): Christopher Hargreaves
Keywords: Digital Forensics, Visualisation, Windows Registry
Abstract: The ability to visualise blocks within file systems as allocated or unallocated is part of many existing forensic tools, for example the 'Disk' view in EnCase. However, analysis of the file system or partitioning of a disk is only one level of analysis that can occur as part of a digital investigation. Analysis of the structure within individual files can also be useful, however, there are limited examples of visualising file based data structures.
This paper provides a discussion of the development of a prototype visualisation tool that could be used for examining application or operating system files that themselves contain allocated and unallocated blocks. An example is provided that visualises the Windows Registry and demonstrates how a visualisation could assist in identifying areas that are unallocated and therefore may contain deleted data of interest. This approach has potential applications in teaching the binary structure of files and also for data recovery in situations where code exists to process the live data from a file format, but data carving strategies for that format have not yet been developed.
Download count: 5035
How to get this paper:
PDF copy of this paper is free to download. You may distribute this copy providing you cite this page as the source.