Photo recovery
Photo recovery is the process of salvaging digital photographs from damaged, failed, corrupted, or inaccessible secondary storage media when it cannot be accessed normally. Photo recovery can be considered a subset of the overall data recovery field.
Photo loss or deletion failures may be due to both hardware or software failures.
Recovering data after logical failure
Logical Damage or the inability to view photos can occur due to many reasons. The most common reasons are:
- Deletion of photos.
- Corruption of boot sector of media.
- Corruption of file system.
- Disk formatting.
- Move or Copy errors.
Photo Recovery Using File Carving
The majority of photo recovery programs work by using a technique called file carving (data carving). There are many different file carving techniques that are used to recover photos. Most of these techniques fail in the presence of file system fragmentation. Simson Garfinkel showed that on average 16% of JPEGs are fragmented,[1] which means on average 16% of jpegs are recovered partially or appear corrupt when recovered using techniques that can't handle fragmented photos.
Header-Footer Carving
In Header-Footer Carving, a recovery program attempts to recover photos based on the standard starting and ending byte signature of the photo format. To take an example, all JPEGs always begin with the hex sequence "FFD8" and they must end with the hex sequence "FFD9".
Header-Footer Carving cannot be used to recover fragmented photos, and fragmented photos will appear to be partially recovered or corrupt if incorrect data is added. Header-Footer Carving, along with Header-Size Carving, are by far the most common techniques for photo recovery. One of the first non-gui/console based programs to use this technique is PhotoRec. Use of footers can often truncate a photo, as many JPEGs contain thumbnails as an embedded object. If a file is terminated with a FFD9 it will be corrupted, unless nested FFD8/FFD9s are counted.
Header-Size Carving
In Header-Size Carving, a recovery program attempts to recover photos based on the standard starting byte signature of the photo format, along with the size of the photo that is either derived or explicitly stated in the photo format. To take an example all 24-bit Windows Bitmaps (*.bmp), begin with the letters "BM", and store the size of the file in the header. Header-Size Carving cannot be used to recover fragmented photos, and fragmented photos will appear to be partially recovered or corrupt if incorrect data is added.
File-Structure Based Carving
A more advanced form of carving, a recovery program attempts to recover photos based on detailed knowledge of the structure rules of the photo format. This will enable a recovery program to identify when a photo is not complete or fragmented, but more needs to be done to see if a fragmented photo can be recovered. This technique is rarely used by most photo recovery programs.
Validated Carving
In validated carving, a decoder is used to detect any errors in recovery of a photo. More advanced forms of validated carving occur when each part of the recovered photo is compared against the rest of the photo to see if it "fits" visually. Validated carving is superb at detecting photos that are either fragmented or have parts over-written or missing. Validated carving alone cannot be used to recover fragmented photos.
Log Carving
Log Carving occurs when a recovery program uses information left over in either file system structures or the log to recover a deleted photo. For example, occasionally NTFS will store in the logs the exact location of where the file was located prior to its deletion. A program using Log Carving will be able to then recover the photo. To be sure about the quality of recovery, Validated Carving or File-Structure based carving should also be used to validate the recovered photo.
Bi-Fragment Gap Carving
A fragmented photo recovery technique where a header and footer are identified and then all combinations of blocks between the header and footer are validated to determine which combination results in the correct recovery of the photo.[1] This technique will only work if the file is fragmented into two parts.
SmartCarving
A process by which fragmented photos are recovered by looking at blocks on the disk and determining which block is the best visual match for the photo being recovered. This is done in parallel for all blocks that are not part of a recovered file.
References
- Simson Garfinkel, Carving Contiguous and Fragmented Files with Fast Object Validation, in Proceedings of the 2007 digital forensics research workshop, DFRWS, Pittsburgh, PA, August 2007
Further reading
- Tanenbaum, A. & Woodhull, A. S. (1997). Operating Systems: Design And Implementation, 2nd ed. New York: Prentice Hall.
- Recovery of heavily fragmented JPEG files, from ScienceDirect