Date of Award

8-2022

Document Type

Thesis

Degree Name

M.S.

Department

Computer and Information Science

Committee Chair

Michael E. Black, Ph.D.

Abstract

Obfuscating text on a hard drive can be done by utilizing the slack space of files. Text can be inserted into the area between the end of the file data and the New Technology File System (NTFS) cluster (the smallest drive space allocated to a file) that in which the file is stored, the data is hidden from traditional methods of viewing. If the hard drive is large, how does a digital forensics expert know where to look to find text that has been obfuscated? Searching through a large hard drive could take up a substantial amount of time that the expert possibly could not justify. If the digital forensics expert lacks the knowledge on how to properly search a hard drive for obfuscated clear text using data carving concepts, how will the obfuscated clear text be located on the drive and identified? To address this, an algorithm was proposed and tested, which resulted in the successful identification of clear text data in slack space with a percentage average of 99.31% identified. This algorithm is a reliable form of slack space analysis which can be used in conjunction with other data extraction methods to see the full scope of evidence on a drive.

Share

COinS
 
 

To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.