Semester of Graduation

Spring 2025

Degree

Master of Science in Computer Science (MSCS)

Department

Computer Science and Engineering

Document Type

Thesis

Abstract

File carving is the process of recovering deleted files from raw disk images, and it is frequently used in forensics investigations to recover evidence from computer systems. The research community has made several attempts to design file carving tools. Many of these existing tools focus on files that are logically contiguous on the disk. However, modern systems fragment files to make efficient use of storage, and existing solutions lack the mechanisms to successfully recover fragmented files.

This thesis focuses on developing new methods to enable recovery of fragmented ELF files. Chiefly, we discuss the building and tuning of a custom convolutional neural network (CNN) capable of classifying ELF section data residing in hard drive blocks. Since many ELF executables contain a data structure called a Section Header Table (SHT) that clearly outlines what sections appear at various offsets in the file, one can correlate this offset information with the model's output to reassemble ELF files.

The final model demonstrated 95% accuracy when trained and tested across many of the standard ELF sections. Although there were some occasional false positives and false negatives, we suspect a post-processing script could minimize the practical implications when integrating with a file carving tool. Overall, this work paves the way for a new approach to reassembling fragmented ELF binaries. Future work will integrate these methods into the Scalpel file carving framework so that our approach can be evaluated against real world data.

Date

4-6-2025

Committee Chair

Golden G. Richard, III

Download

Available for download on Tuesday, March 28, 2028

Share

COinS