Photo recovery

Photo recovery is the process of salvaging digital photographs from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Photo recovery can be considered a subset of the overall data recovery field.

Photo loss or deletion failures may be due to both hardware or software failures/errors.

Recovering data after logical failure

Logical Damage or the inability to view photos can occur for several reasons. The most common reasons are:

  1. Deletion of photos
  2. Corruption of the boot sector of media
  3. Corruption of file system
  4. Disk formatting
  5. Move or copy errors

Photo recovery using file carving

The majority of photo recovery programs work by using a technique called file carving (data carving). There are many different file carving techniques that are used to recover photos. Most of these techniques fail in the presence of file system fragmentation. Simson Garfinkel showed that on average, 16% of JPEGs are fragmented,[1] which means on average 16% of JPEGs are recovered partially or appear corrupt when recovered using techniques that cannot handle fragmented photos. Header-footer carving, along with header-size carving, are by far the most common techniques for photo recovery.

In Header-footer carving, a recovery program attempts to recover photos based on the standard starting and ending byte signature of the photo format. For example, JPEGs always begin with the hex sequence "FFD8" and they must end with the hex sequence "FFD9". Header-footer carving cannot be used to recover fragmented photos, and fragmented photos will appear to be partially recovered or corrupt if incorrect data is added. Use of footers can often truncate a photo, as many JPEGs contain thumbnails as an embedded object. If a file is terminated with a FFD9 it will be corrupted, unless nested FFD8/FFD9s are counted.

Header-size carving

In Header-size carving, a recovery program attempts to recover photos based on the standard starting byte signature of the photo format, along with the size of the photo that is either derived or explicitly stated in the photo format. Header-size carving cannot be used to recover fragmented photos, and fragmented photos will appear to be partially recovered or corrupt if incorrect data is added.

File-structure carving

A more advanced form of carving, a recovery program attempts to recover photos based on detailed knowledge of the structure rules of the photo format. This will enable a recovery program to identify when a photo is not complete or fragmented, but more needs to be done to see if a fragmented photo can be recovered. This technique is rarely used by most photo recovery programs.

Validated carving

In validated carving, a decoder is used to detect any errors in recovery of a photo. More advanced forms of validated carving occur when each part of the recovered photo is compared against the rest of the photo to see if it "fits" visually. Validated carving is superb at detecting photos that are either fragmented or have parts that are over-written or missing. Validated carving alone cannot be used to recover fragmented photos.

Log carving

Log carving occurs when a recovery program uses information left over in either file system structures or the log to recover a deleted photo. For example, occasionally NTFS will store in the logs the exact location of where the file was located prior to its deletion. A program using log carving will be able to then recover the photo. To be sure about the quality of recovery, validated carving or file-structure carving should also be used to validate the recovered photo.

Bi-fragment gap carving

A fragmented photo recovery technique where a header and footer are identified and then all combinations of blocks between the header and footer are validated to determine which combination results in the correct recovery of the photo.[1] This technique will only work if the file is fragmented into two parts.

Smart carving

A process by which fragmented photos are recovered by looking at blocks on the disk and determining which block is the best visual match for the photo being recovered. This is done in parallel for all blocks that are not part of a recovered file.

References

  1. Simson Garfinkel, Carving Contiguous and Fragmented Files with Fast Object Validation, in Proceedings of the 2007 digital forensics research workshop, DFRWS, Pittsburgh, PA, August 2007

Further reading

This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.