Analysis of Forensic Tools for Recovery of Formatted Data: a case study with Microsoft Word files

Deleting or formatting files to hide a crime can be considered a frustrating action, given the ease of using forensic software that implements data carving techniques. This research aims to evaluate the accuracy of forensic data carving software when subjected to recovering formatted Microsoft Word files. The software chosen is widely used in the field and has been featured in scientific papers: Foremost, Scalpel, Recurva, PhotoRec, Autopsy and Magic Rescue. The metrics analyzed were: software execution time, number and size of files recovered, number of false positives and true positives generated in three test scenarios. Validation took place by comparing the resulting files with the originals using a hash algorithm. To structure the test scenarios, a dataset was built with 16,000 copies of files of various lengths. In each scenario, the number of files and the requirements that the software was subjected to varied, with only doc or docx files being recovered. Of the software analyzed, Recuva, Autopsy and PhotoRec had the highest percentages of true positives (>90%) in all the scenarios evaluated. As for false positives, Recuva performed better than the others, with approximately 1%.