RX_myKarve carving framework for reassembling complex fragmentations of JPEG images

• Main Authors: Rabei Raad Ali, Kamaruddin Malik Mohamad
• Format: Article
• Language: English
• Published: Elsevier 2021-01-01
• Series: Journal of King Saud University: Computer and Information Sciences
• Subjects: Digital forensic; JPEG image carving; Thumbnail; Extreme learning machine; Genetic algorithm; DFRWS 2006 and 2007
• Online Access: http://www.sciencedirect.com/science/article/pii/S131915781831070X

Digital forensic aims to provide an assistance for making decisions about a crime by looking at a file content which usually involves image files such as GIF, BMP, JPEG and etc. JPEG is a very popular image file format. It has less structured contents than other images which makes its recovery possible in the absence of some file system metadata. However, an essential problem of which is fragmented JPEG file intertwined with non-JPEG files and/or Bifragmented in the scan area. This paper proposes RX_myKarve as a new file carving framework for solving a number of forensic recovery problems including fragmentation. The RX_myKarve basic design includes a structure-based and content-based carving approaches. It adopts machine learning and evolutionary algorithms in its main components of identification validation and reassembling. The identification and validation techniques encompass an Extreme Learning Machine (ELM) for identifying and filtering the image data in the scan area. The reassembling technique encompasses a genetic algorithm to reconstruct the data from fragmented pieces to a complete image. The main contribution of the paper lies on the reassembling of fragmented image file clusters in the scan area. The RX_myKarve is tested and evaluated by using the Digital Forensic Research Workshop (DFRWS) 2006 and 2007 forensic challenge datasets. The results show that the RX_myKarve is able to carve and fully recover all the giving cases of the DFRWS-2006 dataset, which are 19 images, and all the relevant cases of the DFRWS-2007 dataset, which are 18 images. This improvement in file carving is mostly attributed to the novel identification and reassembling techniques.