Forensik Digital

Pertemuan 09

Teknik Recovery Data dan File Carving

Mata Kuliah: Digital Forensic for Military Purposes | 3 SKS

🎯 Capaian Pembelajaran

Setelah pertemuan ini, mahasiswa mampu:

Memahami prinsip penghapusan file dan mekanisme data remnants
Menjelaskan konsep file carving dan teknik identifikasi file
Melakukan recovery data terhapus menggunakan berbagai tools
Menerapkan teknik file carving pada unallocated space
Mengidentifikasi file berdasarkan header/footer signatures
Menangani tantangan recovery pada SSD dan damaged media
Menggunakan hex editor untuk analisis manual file signature

📋 Agenda Hari Ini

Bagian 1

Prinsip Penghapusan File
Data Remnants
Slack Space
Unallocated Space

Bagian 2

File Carving Concepts
File Signatures
Recovery Tools
SSD Challenges

🗑️ Mekanisme Penghapusan File

Ketika file "dihapus", data sebenarnya TIDAK dihapus secara fisik hingga area tersebut ditimpa oleh data baru!

Yang terjadi saat delete:

Pointer Removal: Entry di MFT/FAT dihapus
Space Marking: Cluster ditandai "available"
Data Remains: Data masih ada di disk!

Tipe-Tipe Penghapusan

Tipe	Mekanisme	Recoverable?	Tingkat
Normal Delete	Pointer dihapus	✓ Ya	Mudah
Shift+Delete	Bypass Recycle Bin	✓ Ya	Mudah
Format Quick	Rebuild file system	△ Sebagian	Sedang
Format Full	Overwrite zeros	△ Sebagian	Sulit
Secure Delete	Multiple overwrites	✗ Tidak	Sangat Sulit
TRIM (SSD)	Garbage collection	✗ Tidak	Hampir Mustahil

📍 Lokasi Data Remnants

Unallocated Space
Area tidak dialokasikan, sumber utama deleted files

Slack Space
Ruang tidak terpakai di akhir cluster (RAM slack + File slack)

Free Space
Area previously allocated, masih ada metadata

Bad Sectors
Sektor "bad" tapi masih bisa dibaca dengan tools khusus

Slack Space: Contoh

Skenario: File 2,100 bytes pada cluster 4 KB (8 sektor × 512 bytes)


Cluster (4 KB = 8 sektor @ 512 bytes):
├─ Sektor 1-4: Data file (2,048 bytes)
├─ Sektor 5: 52 bytes data
│  └─ RAM Slack: 460 bytes ← Data sensitif!
├─ Sektor 6-8: File Slack (1,536 bytes)
│  └─ Data dari file sebelumnya!

Total Slack: 1,996 bytes (~49% cluster)

⚠️ Slack space dapat berisi remnants data sensitif!

Recovery Potential: Sistem File

File System	Recovery Rate	Faktor Kunci
FAT32	90%	Simple structure, minimal metadata deletion
exFAT	85%	Similar to FAT, no journaling
NTFS	80%	MFT records, journaling, compression
ext4	65%	Deleted entries zeroed
APFS	45%	Encryption by default, snapshot management

💡 FAT32 paling "forensics-friendly"

🔪 File Carving: Definisi

File Carving adalah teknik untuk mengekstrak file dari unallocated space atau image forensik tanpa menggunakan metadata sistem file, melainkan berdasarkan struktur internal file (signatures, headers, footers).

Diperlukan ketika:

File system metadata rusak atau tidak tersedia
File telah dihapus sepenuhnya
Disk di-format atau di-corrupt
Investigasi pada raw binary data

🔑 File Signatures (Magic Bytes)

Setiap tipe file memiliki signature unik di header/footer:

File Type	Extension	Header (Hex)	Footer (Hex)
JPEG	.jpg	`FF D8 FF`	`FF D9`
PNG	.png	`89 50 4E 47 0D 0A 1A 0A`	`49 45 4E 44 AE 42 60 82`
PDF	.pdf	`25 50 44 46` (%PDF)	`25 25 45 4F 46` (%%EOF)
ZIP	.zip	`50 4B 03 04` (PK..)	`50 4B 05 06`
EXE	.exe	`4D 5A` (MZ)	-

Contoh: Analisis Header JPEG


Offset   Hex                            ASCII
00000000 FF D8 FF E0 00 10 4A 46 49 46  ÿØÿà..JFIF
00000010 00 01 01 01 00 48 00 48 00 00  .....H.H..
         │  │  │  │           │  │  │
         │  │  │  │           └──────── JFIF identifier
         │  │  └─└─────────────────── APP0 marker
         └─└────────────────────────── JPEG SOI

FF D8 FF E0 = JPEG Start of Image (SOI)

4A 46 49 46 = "JFIF" dalam ASCII

✓ Confirmed: Valid JPEG file

Mengapa Signature, Bukan Extension?

❌ Extension-based

Mudah dimanipulasi
File tanpa extension
Extension mismatch
Malware menyamar

✓ Signature-based

Verifikasi struktur internal
Bekerja tanpa metadata
Deteksi file mismatch
Ground truth

Contoh: File bernama document.pdf dengan header FF D8 FF E0
→ Extension: PDF | Signature: JPEG | Reality: JPEG dengan nama salah!

Teknik File Carving

Header/Footer Carving
Mencari pasangan header-footer yang sesuai

Header/Size Carving
Size information dalam header (PNG, EXE)

Block-based Carving
Per-block extraction untuk fragmented files

Statistical Carving
Entropy analysis, ML classification

🛠️ Tool 1: Recuva

Features

User-friendly GUI
Deep scan capability
Preview before recovery
Multiple file systems

Recovery Status

🟢 Excellent (95-100%)
🟡 Good (60-90%)
🔴 Poor (10-50%)
⚫ Unrecoverable (<5%)

⚠️ CRITICAL: JANGAN save hasil recovery ke drive yang sama dengan sumber! Akan overwrite data yang sedang di-recover.

🛠️ Tool 2: PhotoRec

Open-source, cross-platform, signature-based carving tool

Key Features:

Signature-based: Ignores file system
500+ formats: Images, videos, documents, databases
Cross-platform: Windows, Linux, Mac
Free: Open-source (GPL)

⚠️ Limitation: Tidak mempertahankan filename dan folder structure asli

PhotoRec: Struktur Output


Destination Folder:
├─ recup_dir.1/
│   ├─ f0000001.jpg  ← Generic sequential names
│   ├─ f0000002.pdf
│   ├─ f0000003.png
│   └─ ... (up to 500 files per directory)
├─ recup_dir.2/
│   ├─ f0000501.docx
│   └─ ...
└─ report.xml        ← Recovery report

Why no original names?

PhotoRec carves berdasarkan signatures, tidak menggunakan MFT/FAT metadata (filename, path, timestamps tersimpan terpisah dari file content)

🛠️ Tool 3 & 4: Foremost vs Scalpel

Feature	Foremost	Scalpel
Threading	Single-threaded	Multi-threaded
Speed	~100 MB/s	~250 MB/s (2-3x)
Memory	~100 MB	~300 MB
Preview	No	Yes (-p flag)
Best For	Small images (<10 GB)	Large images (>100 GB)

💡 Scalpel recommended untuk large-scale forensic investigations

🛠️ Tool 5: Autopsy

Integrated file carving dalam case management:

Advantages

GUI-based workflow
Case management
Automatic timeline
Built-in reporting
Hash database
Tagging system

Carving Modules

Photorec Carver
File Type Identification
Extension Mismatch Detector
Tika MIME Type Detection

✓ Best untuk military investigations: Chain of custody, documentation, professional reporting

🔍 Manual Carving: HxD Hex Editor

Workflow manual extraction:

Step 1: Open image/drive (read-only mode)
Step 2: Search signature (Ctrl+F) → Hex values
Step 3: Identify boundaries (header + footer)
Step 4: Select byte range → Copy
Step 5: New file → Paste → Save
Step 6: Validate extracted file

⚠️ Always include footer dalam extraction!

💾 Database Carving: SQLite

SQLite Signature: 53 51 4C 69 74 65 20 66 6F 72 6D 61 74 20 33 00
ASCII: "SQLite format 3\0"

Common locations:

Android:

SMS: mmssms.db
Contacts: contacts2.db
Call log: calllog.db

Browsers:

Firefox: places.sqlite
Chrome: History
Edge: History


# Validate recovered database
sqlite3 recovered.db "PRAGMA integrity_check;"

# Extract schema
sqlite3 recovered.db ".schema"

# Query data
sqlite3 -csv recovered.db "SELECT * FROM table;" > output.csv

📧 Email Database: PST/OST

PST Signature: 21 42 44 4E ("!BDN")

PST/OST Contains:

Email messages (sent/received)

Attachments

Contacts & Calendar

Deleted items (recoverable!)

🚨 High-value evidence dalam konteks kebocoran dokumen militer:
Communication records, timestamps, attachment metadata, deleted items

💽 SSD Recovery Challenges

TRIM Command: Memberi tahu SSD bahwa data blocks tidak lagi digunakan dan dapat di-erase secara internal

Impact pada recovery:

Storage Type	Recovery Rate	Why?
HDD Tradisional	90%	Data persists until overwritten
SSD Tanpa TRIM	70%	Some garbage collection
SSD Dengan TRIM	10%	Immediate data erasure

TRIM Process Flow

Step 1: User deletes file → File system marks space available

Step 2: OS sends TRIM command → SSD controller receives

Step 3: SSD marks blocks invalid → Queued for erasure

Step 4: Garbage Collection → Background process erases blocks

Result: Data PERMANENTLY ERASED - CANNOT be recovered!

⚠️ Recovery window pada SSD modern: Minutes to Hours (not days!)

Strategi Recovery pada SSD

Scenario: Laptop dengan SSD TRIM-enabled, file dihapus 3 jam lalu

Critical Actions

Power OFF immediately
Preserve volatile data
DO NOT reboot
DO NOT write to SSD

Recovery Attempts

Memory dump (RAM)
Forensic imaging
Signature carving
MFT analysis

Realistic expectation: 5-15% recovery chance dari SSD
Alternative sources: Volume Shadow Copies, cloud backup, email, temp files

🔧 Recovery dari Damaged Media

Tool of choice: ddrescue

Multi-pass Strategy

Phase 1: Quick forward (skip errors)
Phase 2: Reverse pass
Phase 3: Targeted retry (limited)
Phase 4: Verification

Expected Results

Best: 98-99% recovery
Typical: 95-97% recovery
Worst: 85-90% recovery


# Phase 1: Quick pass
ddrescue -f -n -v /dev/sdb evidence.img evidence.log

# Phase 2: Reverse
ddrescue -f -R -v /dev/sdb evidence.img evidence.log

# Phase 3: Limited retry
ddrescue -f -r 1 -v /dev/sdb evidence.img evidence.log

✅ Best Practices: Data Recovery

DO:
• Write-block source media
• Work on forensic images
• Document everything
• Verify with hash

DON'T:
• Write to source drive
• Skip documentation
• Retry excessively
• Delay imaging

For HDD:
• High recovery chance
• Use any carving tool
• Time not critical

For SSD:
• Act IMMEDIATELY
• Power off quickly
• Seek alternatives

🎖️ Konteks Investigasi Militer

Scenario: Suspected data exfiltration di Kodam, file dihapus dari laptop SSD

Investigation priorities:

Immediate seizure: Power off, preserve volatile data
Forensic imaging: Write-protected, multiple copies, hash
Recovery attempts: Carving tools, MFT analysis, manual hex
Alternative sources: Backups, email, network logs, recipients
Documentation: Chain of custody, detailed reporting

📊 Tool Selection Guide

Scenario	Recommended Tool	Why?
Quick recovery, GUI needed	Recuva	User-friendly, fast, preview
Cross-platform, no metadata needed	PhotoRec	Signature-based, 500+ formats
Large image (>100 GB)	Scalpel	Multi-threaded, 2-3x faster
Military investigation	Autopsy	Case management, documentation
Manual analysis needed	HxD	Hex editor, full control
Damaged media	ddrescue	Multi-pass, bad sector handling

📝 Quiz Time!

Mari uji pemahaman Anda tentang recovery data dan file carving!

3 soal multiple choice

Quiz 1

File berukuran 5,678 bytes disimpan pada sistem dengan cluster size 8 KB (8,192 bytes). Berapa besar slack space yang terbentuk?

A. 2,514 bytes

B. 3,072 bytes

C. 5,678 bytes

D. 8,192 bytes

✓ Jawaban: A. 2,514 bytes
Slack space = Cluster size - File size = 8,192 - 5,678 = 2,514 bytes

Quiz 2

Anda menemukan hex pattern berikut: FF D8 FF E0 00 10 4A 46 49 46. File type apa ini?

A. PNG Image

B. PDF Document

C. JPEG Image

D. ZIP Archive

✓ Jawaban: C. JPEG Image
FF D8 FF = JPEG SOI (Start of Image), 4A 46 49 46 = "JFIF"

Quiz 3

Laptop dengan SSD Samsung (TRIM enabled), file dihapus 3 jam lalu. Apa yang HARUS dilakukan PERTAMA?

A. Jalankan PhotoRec immediately

B. Power OFF laptop immediately

C. Check Recycle Bin dulu

D. Reboot ke Linux untuk recovery

✓ Jawaban: B. Power OFF laptop immediately
Mencegah garbage collection lebih lanjut. TRIM dengan 3 jam elapsed = recovery chance sangat rendah, tapi power off adalah prioritas #1.

📚 Ringkasan (1/2)

Konsep	Key Points
File Deletion	Data remains until overwritten; pointer dihapus, data tetap ada
Data Remnants	Unallocated space, slack space, free space, bad sectors
File Signatures	Magic bytes identify file types (JPEG: FF D8 FF, PNG: 89 50 4E 47)
File Carving	Extract files tanpa metadata: header/footer, size-based, statistical
Slack Space	RAM slack + File slack; dapat berisi data sensitif

📚 Ringkasan (2/2)

Tool/Concept	Application
Recuva	User-friendly, quick recovery, GUI-based
PhotoRec	Signature-based, 500+ formats, cross-platform
Scalpel	Large images, multi-threaded, 2-3x faster than Foremost
Autopsy	Case management, military investigations, documentation
SSD + TRIM	Recovery chance: 5-15%; Act immediately; Seek alternatives
ddrescue	Damaged media, multi-pass strategy, 95-99% recovery

💡 Key Takeaways

File deletion ≠ Data erasure: Data remains until overwritten
Signatures > Extensions: Always verify dengan magic bytes
Multiple tools strategy: Recuva → PhotoRec → Scalpel → Manual
SSD = Time critical: TRIM makes recovery window very short
Write-protection mandatory: NEVER write to source media
Documentation is evidence: Chain of custody, hash verification

🔧 Practical Tips

✓ Best Practices

Always work on images, not originals
Use write-blockers
Document every step
Calculate hashes
Create multiple copies
Test recovered files

✗ Common Mistakes

Saving to source drive
Running CHKDSK on evidence
Excessive retry on damaged media
Ignoring TRIM on SSD
Delaying acquisition
Poor documentation

📅 Pertemuan Berikutnya

Pertemuan 10: Forensik Jaringan

Topik yang akan dibahas:

Network forensics fundamentals
Packet capture dan analysis (Wireshark)
Traffic analysis dan anomaly detection
Network-based indicators of compromise
Intrusion detection dan log analysis
Malicious traffic identification

Persiapan: Install Wireshark, familiarize dengan network basics

📚 Referensi

Carrier, B. (2005). File System Forensic Analysis. Addison-Wesley. Chapter 12-14.
Casey, E. (2022). Digital Evidence and Computer Crime (4th ed.). Academic Press. Chapter 7.
Phillips, A., et al. (2022). Guide to Computer Forensics and Investigations (7th ed.). Cengage. Chapter 8.
Nikkel, B. (2021). Practical Forensic Imaging. No Starch Press. Chapter 8-10.
Wei, M., et al. (2011). "Reliably Erasing Data from Flash-Based SSDs." FAST.
Garfinkel, S. L. (2007). "Carving Contiguous and Fragmented Files." Digital Investigation.
Richard III, G. G., & Roussev, V. (2005). "Scalpel: A Frugal, High Performance File Carver." DFRWS.
Fairbanks, K., et al. (2012). "Forensic Implications of Solid State Drives." Journal of Digital Forensics.

❓ Tanya Jawab

Silakan ajukan pertanyaan Anda!

Terima Kasih

🔍 Forensik Digital untuk Keperluan Militer

Pertemuan 09: Teknik Recovery Data dan File Carving

Ada pertanyaan?