Data Recovery Comparative Analysis using Open-based Forensic Tools Source on Linux

—Data recovery is one of the forensic techniques used to recover data that has been lost or deleted. Data recovery is carried out if there is a condition where the data that has been owned is deleted or damaged. If the data has been lost or deleted or even tampered with, then a forensic expert has several ways to restore data that has been lost or damaged. One of them is to use a complete data recovery method using forensic tools, namely, TSK Recover, FTK Imager, Foremost Recover, and Testdisk Recover. Unfortunately, tools such as FTK imager and TSK recover have a weakness, namely that some damaged or corrupted data files cannot be restored in their entirety; they can only be recovered but not be opened. This study uses a tool comparison method approach using foremost recover and Testdisk recover. It's just that this method cannot be used using the graphic user interface (GUI) but using the CLI (Command Line) in the LINUX operating system. And the files that have been recovered will be fully recovered.

INTRODUCTION Data loss is a condition where the data that has been owned becomes corrupted or deleted [1]. According to several researchers, there are many companies or individuals who accidentally delete their personal data. It is very important for digital forensic analysts to have the right tools to recover data [2]. All devices store a lot of important data and information that is always used for personal and corporate purposes. Forensic tools are used by thousands of digital forensic professionals. The functionality of forensic tools varies greatly [3].
Currently, there are many simple data recovery tools; several features have been provided consistently for more effective forensic extraction to get the whole data [4]. including image storage, file data hashing, data visualization, and data carving on damaged images. However, most of these tools are paid for [5]. Due to the limited inspection features, the extracted data cannot be ported directly to the circuit to extract additional evidence. In this study, I present several tools that will help forensic analysts perform open sourcebased data recovery on Linux [6].
Data recovery is the process of recovering a problematic or lost system so that it can be recovered as usual [7]. Data recovery is also a forensic technique that is often used to search for digital artifacts that have been lost or deleted from devices such as cellphones, computers, and laptops [8]. Data backup, which is a preventive measure that is intentionally done to protect data by copying or copying data to other storage media [9].
This study aims to determine the forensic tools that are useful today and in the future. To overcome the occurrence of data loss, a digital forensics expert is needed [10]. Data recovery is one of the techniques that must be mastered by digital forensic experts [11]. If there is data damage or data loss, then it is the job of a forensics officer to recover data that has been lost or damaged [12]. Several cases of data corruption or data loss are one of the challenges that digital forensics experts must face. There are several data recovery tools used by digital forensic experts, such as Autopsy, FTK imager, TSK recover, Foremost, and Testdisk [13].
In the case of previous research, many forensic experts use this tool as a tool to find evidence [14]. This tool is very helpful for recovering data that has been lost or damaged, but this tool has a certain weakness, when restoring data or data recovery, namely data that has been damaged can only be recovered but cannot be opened in its entirety, therefore the solution what is needed is a complete recovery, data that has been retrieved / damaged can be recovered and reopened the same as before. To overcome this problem, a forensic expert uses recovery tools in a storage [15].
Recovery of the data to be recovered is in the allocated space and unallocated space [16]. This space stores all files that are still available and can be read logically, and stores all files that are no longer available, even if they have been deleted from storage and cannot be read logically [17].
From some of the references found, it can be concluded that previous research related to the themes discussed included many case studies that used forensic tools and used several methods to recover lost data [18]. The data is stored in various storage devices such as flash drives, HDDs, SSDs, and RAM. The storage is on mobile devices, computers, and even servers. Data recovery methods also vary depending on the storage to be processed. One of them is using autopsy tools or other forensic tools [19]. This tool is very helpful for forensic experts to find lost data files, such as JPG, MP4, PDF, PNG, Doc, Zip, Rar files, and so on. It's just that this tool has certain weaknesses when it comes to data retrieval or data recovery. Data that has been damaged can only be recovered but cannot be opened in its entirety. Therefore, the solution needed is full www.ijacsa.thesai.org recovery. Data that has been lost or damaged can be recovered and reopened the same as before [20].
Efforts to provide data recovery solutions for handling digital evidence on a storage device such as a smartphone have been discussed by Wilson & Chi (2017) using digital forensic tools to make it easier to acquire data. The most important thing about recovering data is the recovery method because there are many ways to acquire and recover data [12].
However, there are several researchers who provide reviews of data recovery with different techniques and different devices, as discussed by Povar & Bhadran (2011). The carving technique is what is meant. This technique helps in finding hidden or deleted files from digital media or with the data acquisition technique that has been discussed by Jo et al. (2016) regarding data acquisition using forensic tools, namely Autopsy. This technique is very helpful for a forensic expert to collect data or evidence [21].
Several films and photographs in the form of corrupted or damaged JPG, MP4 and PNG files will be used as part of the data to help solve this issue. Additionally, it will be processed afterwards using a number of forensic programs, including Testdisk Recover, Foremost, and the Sleuth Kit Autopsy. These tools will receive this data and begin the recovery procedure [22]. The final step allows for a comparison of numerous efficient tools that can be used to carry out a complete recovery. Using digital forensic tools to aid data capture, Wilson & Chi outline efforts to provide data recovery solutions for digital evidence on a storage device like a smartphone. Since there are numerous ways to obtain and recover data, the recovery method is the most crucial factor [23]. Using a live forensics procedure with the Formost recovery program or Testdisk recover is the suggested solution for flawless data recovery. Data can be acquired with this tool from storage devices as HDD, SSD, FD, CD/DVD, zip, and rar [12].
This study compares the forensic tool settings that will be utilized to recover deleted or damaged data in the form of data file formats that will be used as evidence in cybercrime case resolution [24]. In this investigation, data recovery is carried out on Linux utilizing the live forensic method. The findings of this study should aid in our understanding of digital forensics, particularly with regard to data recovery [18].
A forensic technique applied while the system is operating is called live forensics. This is because when the system is switched off, the data that needs to be recovered can be lost. This live forensic technique is typically applied to memory scenarios where data can be written to or erased from-this type of memory is also known as volatile memory or nonvolatile memory [25].

II. RESEARCH METHOD
The procedures needed to conduct a study are known as the research technique. These procedures are taken so that a scientific process can be used to tackle the difficulties that develop by providing logical and systematic solutions, as shown in Fig. 1.

A. A Study of the Literature
In order to support the overall objective of this research, the purpose of this literature review is to gather information materials on research topics that can be sourced from articles, papers, journals, papers in the form of theories, research reports, or previous findings. We also visit several websites on the internet that is related to these theories about digital forensics, evidence, and recovery.

B. Tools for System Preparation
This is a step in creating the hardware and software specifications needed for research projects like planning and putting into practice a comparative examination of data recovery utilizing a flash drive. Such as setting up the system and installing software. The physical machine has Microsoft Windows 11 Home installed as its operating system. The employment of physical computer hardware and software as research tools and materials is necessary for the successful operation of the experimental implementation. The following tools and materials are employed in this process: This method is intended to read and copy data straight from the disk into the computer's memory without taking into account the underlying file system type. The method of file carving is used by Formost Recover to look for header file types that coincide with those in the formost configuration file. There are no alternatives for a graphical user interface, hence the command line interface is primarily used. The JPG, GIF, PNG, BMP, AVI, EXE, MPG, WAV, RIFF, WMV, MOV, PDF, PLE, DOC, ZIP, RAR, HTM, and CPP file formats can all be recovered using the first approach. Additional file types can be specified in the configuration file formost.conf, which is typically located in /usr/local/etc. It can be used to recover data from hard disks that use the ex3, NTFS, or FAT file systems as well as directly from picture files. In example, it can be used to retrieve data from a smartphone via a computer as shown in Fig. 2.

2) Testdisk Recover Forensic Method
A free and open-source utility called Testdisk is used to recover data from missing or deleted partitions. There is no user interface version of this utility; it is CLI driven. A digital forensics specialist can utilize this to restore partitions that are unable to boot due to things like virus attacks and, of course, purposeful or unintentional destruction of the partition table. This testdisk can also do a number of additional tasks, including: • Recover FAT32 boot sector from backup A forensic expert who is looking into a case involving data loss or corruption will find this Testdisk to be of great assistance. Fig. 3 depicts a sample of the Testdisk recover technique.

D. Recovery Method Workflow
Workflow recovery methods are phases or steps that digital examiners must go through when performing digital tasks, beginning with preparation, extraction, and analysis. As shown in Fig. 4.

• Preparation
By providing storage space for data that will be recovered and extracted, we set the stage.

• Extraction
This carries out file extraction by locating and restoring deleted files. The properties of the file structure, deleted data, file name, file size, and location will all be made known through file extraction.

• Analysis
It is in the process of analyzing the outcomes of filechecking. In order to assess or evaluate the success of data file extraction and can suggest the technologies that are best for file recovery in this investigation.

Preparation Extraction Analysis
Preparation of evidence and providing storage

Imaging file extraction
Analysis of files in recovery www.ijacsa.thesai.org

E. Data Recovery Comparative Analysis
Using forensic tools like TSK recover, Formost, and Testdisk recovery, the data recovery stage of comparative analysis was extracted. Damaged data files like JPG, PNG, and MP4 on flash drives, HDDs, SSDs, and other storage will be examined using a data file recovery approach utilizing a number of tools, which will then discover variations that impact data recovery on these tools so that they may be opened again. in full. Tables I and II show many tables that depict the outcomes of the recovery based on the findings of the forensic investigation.

A. Preparation
By providing storage space for the data that will be recovered and extracted, the preparation stage is prepared. In this study, we used flash storage that contained unopenable rar files containing JPG, PNG, and MP4 files. The tests and findings obtained have as their goal getting a full recovery file so you can compare the forensic tools utilized. Some of these files are hashed, as indicated in Tables III and IV, to demonstrate their validity in comparison to the findings of forensic analysis and recovery.

B. Extraction
File extraction will also expose the characteristics of the file structure, deleted data, file name, file stamps, file size, and location during the extraction stage, which is to extract files by locating and recovering deleted files. The tools that aid in the extraction process run on Linux and use Guysmager using the tools TestDisk and Foremost for data recovery.
Another independent acquisition tool that may be used to clone disks and make forensic pictures is Guymager. Guymager, created by Guy Voncken, is entirely open source, only works on Linux-based hosts, and shares many of the same capabilities as DCLDD. Guymager, the forensic imager included in this package, is made to operate quickly, support a variety of image file types, and be extremely user-friendly. It leverages parallel compression in its high-speed multithreaded engine to maximize performance on multi-processor and hyper-threading engines. It is shown in Fig. 5.

1) Recovery Process
The recovery step involves a data recovery procedure using a number of programs for comparison, including TestDisk Recovery, TSK Recovery, FTK Imager, and Foremost. After that, the recovery process will use the extracted files. One of the Linux CLI-based tools for data recovery is the TSK recover utility. There are some JPG files that cannot be accessed, as illustrated in Fig. 6; however the recovery procedure utilizing the TSK recover tool was successfully recovered. This utility is frequently used to restore erased data. However, it is clear that allocated and unallocated files differ throughout the recovery step. As seen in Fig. 7, it is a file that can be recovered but cannot be opened. The Foremost Recovery Tool is a program created to read and copy certain areas of the disk straight into the computer's memory while ignoring the underlying file system type. For the majority of recovers, it employs a technique called file carving to search for header file types that coincide with those contained in the primary configuration file. The best recovery tool for JPG files has been used to successfully recover all of the files. It is shown in Fig. 8. Data can be recovered from lost or deleted partitions using the free and open-source Testdisk recover utility. A digital forensics specialist can restore partitions that are unable to boot due to reasons including malware attacks and purposeful or unintentional loss of the partition table using this CLI-based application, which does not have a user interface version. Fig. 9 illustrates how the recovery procedure using the Testdisk recover program was successful in restoring lost and damaged files.

C. Analysis
The analysis step is where the outcomes of the files that have been checked are examined. A comparison of the data recovery tools, when situations like missing or damaged files arise, you must use the resources at your disposal to find a solution. You must experiment with all of the forensic tools, not just one. It makes sense that certain tools are unable to recover files perfectly while others are successful in doing so, as in this study is shown by Tables V and VI. www.ijacsa.thesai.org A sort of file storage known as allocated space is still accessible, and the files contained therein can still be read logically. All files in the designated space can be fully recovered after conducting research with the aforementioned instruments. Files that are no longer accessible or have been erased and cannot be read logically are stored in unallocated space. Not all files have been totally and flawlessly retrieved after utilizing the following utility to do research on data files in unallocated space

IV. CONCLUSION
Based on the results of research on the comparison of data recovery using open source-based tools on Linux, the results of the comparison of these tools with previous research are very different. Due to the limited features available in open source forensic tools like the TSK recover tool and FTK Imager; it makes investigators hard to get valid evidence. It can be concluded that among these tools there are those that can recover data files that have been damaged and can be reopened in their entirety and some are not. One of the open source based tools that can be used is foremost recover and Testdisk recover. This tool is a solution to the problem of recovery. Of the tools that have been tested, only 50% have been fully recovered. Namely, TSK recover and FTK imager. While the foremost tool, Testdisk, can recover 100% completely. However, tools that can't recover completely don't mean they're not good. These tools are still recommended and can be used to assist investigators in the investigation process. Investigators can have several options for forensic tools to carry out the investigative process. This study aims to determine the forensic tools that are useful today and in the future.