File Fragment Type Identification Based on CNN and LSTM

In digital forensics, file carving is the process of recovering files on a storage media without any file system information. Note that when a file is deleted, the file system does not zero-out the corresponding data blocks because their content will be overwritten by other new files later. Due to a deleted file may be divided into different parts or successive but partly occupied by a new file, evidence may be found in deleted file fragments. Therefore, identifying the type of a file fragment is a necessary step for effective file carving. In this paper, we proposed a file fragment type identification network architecture based on CNN (convolutional neural networks) and LSTM (Long Short-Term Memory). Specifically, we first use a trainable embedding layer to convert sparse binary file fragment into compact real-valued representations. Then, successive convolutional modules are utilized to learn higher level representation of file fragments. Finally, the obtained features are fed into LSTM for classification. Our proposed deep network architecture was trained and tested on the largest public file fragment dataset FFT-75. Experimental results show that we can achieve average accuracy of 66.5% and 78.6% for 512-bytes and 4096-bytes file fragments, respectively, which are higher than existing work.