ABSTRACT
We propose an automatic image and thumbnail carving tool called myKarve, which is useful in digital forensics investigation and presentation of evidential information. It is able to carve contiguous and linearly fragmented images caused by garbage, which is tested against three hypotheses to prove its authenticity. These images fall into three categories: images with one or two thumbnails or none at all; thumbnails with headers that do not follow the standard header patterns; and fragmentations caused by garbage. myKarve is designed on a new framework by extending Scalpel features to deal with thumbnail and fragmentation issues. The Validated Joint Photographic Experts Group (JPEG) Header (VJH) list and Address DataBase (ADB) are used to automatically generate work instructions in a work queue to initiate a fully automated image carving process. A shift-key-matching (SKM) technique is used to detect garbage that causes fragmentation in carved images or thumbnails before it can be cleaned. The tool is tested with Digital Forensics Research Work Shop (DFRWS) 2006 and 2007 data sets and images obtained from the Internet. myKarve is found to be a more efficient automated image and thumbnail carver compared to the original Scalpel with the following advantages: detects more headers using validated headers; carves more images and thumbnails by using the newly introduced image patterns; and is able to discard garbage from linearly fragmented images. The results from myKarve are invaluable in the fieldwork of digital forensic analysis and can produce technical evidence of cybercrime activities.
ACKNOWLEDGMENT
This work was partly supported by University Tun Hussein Onn, Malaysia.