Reassembly and clustering bifragmented intertwined jpeg images using genetic algorithm and extreme learning machine

File carving tools are essential element of digital forensic investigation for recovering evidence data from computer disk drives. Today, JPEG image files are popular file formats that have less structured contents which make its carving possible in the absence of any file system metadata. However, completely recovering intertwined Bifragmented JPEG images into their original form without missing any parts or data of the image is a challenging due to the intertwined case might occur with non-JPEG images such as PDF, Text, Microsoft Office or random data. In this research, a new carving framework is presented in order to address the fragmentation issues that often occur in JPEG images which is called RX_myKarve. The RX_myKarve is an extended framework from X_myKarve, which consists of the following key components: (i) an Extreme Learning Machine (ELM) neural network for clusters classification using three existing content-based features extraction (Entropy, Byte Frequency Distribution (BFD) and Rate of Change (RoC)) to improve the identification of JPEG images content and support the reassembling process; (ii) a genetic algorithm with Coherence Euclidean Distance (CED) matric and cost function to reconstruct a JPEG image from a set of deformed and fragmented clusters in the scan area. The RX_myKarve is a framework that contains both structure-based carving and content-based carving approaches. The RX_myKarve is implemented as an Automatic JPEG Carver (AJC) tool in order to test and compare its performance with the state-of-the art carvers such as RevIt, myKarve and X_myKarve. It is applied to three datasets namely DFRWS (2006 and 2007) forensic challenges datasets and a new dataset to test and evaluate the AJC tool. These datasets have complex challenges that simulate particular fragmentation cases addressed in this research. The final results show that the AJC with the aid of the RX_myKarve framework outperform the X_myKarve, myKarve and RevIt. The RX_myKarve is able to completely carve 23.8% images more than X_myKarve, 45.4% images more than myKarve and 67% images more than RevIt in which AJC tool using RX_myKarve completely solves the research problem

Classification of JPEG files by using extreme learning machine

Recovery of data files when their system information missing is a challenging research issue. The recovery process entails methods that analyze the structure and contents of each individual file clusters. A primary and important process of files’ recovery is determining the files’ types including JPEG, DOC or HTML. This paper proposes an Extreme Learning Machine (ELM) algorithm to assign a class label of JPEG or Non-JPEG image for files in a continuous series of data clusters. The algorithm automatically classifies the files based on evaluation measures of three methods Entropy, Byte Frequency Distribution and Rate of Change. The ELM algorithm is applied to RABEI-2017 and DFRWS-2006 datasets. The experimental results show that the ELM algorithm is able to identify JPEG files of fragmented clusters with high accuracy rate. The classification accuracy of the RABEI-2017 dataset is 90.15 % and the DFRWS-2006 is 93.46%. The DFRWS-2006 has more classes than the RABEI-2017 which improves the ELM classifier fitting