Recovery of heavily fragmented JPEG files

File carving from damaged file system plays an important role in file recovery for identifying evidence in digital forensics. In this paper, we focus on JPEG file carving, with an emphasis on heavily fragmented cases. The difficulty lies on how to order fragmented pieces into a complete picture without sufficient decoding information. We provide a framework to tackle this problem, which consists of the following key components: (i) a new similarity metric (CED) to evaluate if two data blocks are consecutive in the same JPEG file and a fragmentation point detection algorithm based on CED; and (ii) an overall recovery algorithm to reconstruct the JPEG file from fragmented pieces. The proposed framework was verified on an image dump from a SD card of a digital camera. The results were compared to Adroit Photo Forensic (APF), a commonly used photo carving tool. In our experiments, our tool can automatically recover 97% fragmented JPEG files (versus 79% by APF). (C) 2016 The Author(s). Published by Elsevier Ltd.