Standardization of file recovery classification and authentication
Digital Investigation (IF 2.860). Pub Date: 2019-07-20, DOI: 10.1016/j.diin.2019.06.004
Eoghan Casey, Alex Nelson, Jessica Hyde

Digital forensics can no longer tolerate software that cannot be relied upon to perform specific functions such as file recovery. Indistinct and non-standardized results increase the risk of misinterpretation by digital forensic practitioners, and hinder automated correlation of file recovery results in forensic analysis and tool testing. Treating file recovery results in a clear, distinct manner helps reduce the risk of misunderstandings, incorrect assertions and, ultimately, miscarriages of justice. The root of this problem is a lack of clearly defined software requirements, which compels users and tool testers to make educated guesses and assumptions about how digital forensic tools work. To address this problem, this work applies the core forensic processes of classification, authentication and evaluation to file recovery. Specifically, this work defines a vocabulary for software developers, testers and practitioners to classify, authenticate, evaluate and present results of file recovery operations. This vocabulary can be used by software developers to normalize how file recovery is treated, improving clarity, testability and interoperability of results, and reducing the risk of mistakes in digital investigations. This work also proposes an inaugural set of requirements for applying this vocabulary to file recovery results, providing a foundation for further development by the digital forensic community. This work demonstrates how this vocabulary can be implemented using DFXML, and presents a normalized representation of file recovery results using the Cyber-investigation Analysis Standard Expression (CASE). To demonstrate the more generalized utility of this vocabulary, it is applied to recovery results from versioning file systems and SQLite databases.
The formalized vocabulary and forensic methods developed in this work support tool validation as called for in the international standard ISO/IEC 27041 and required for accreditation under the international standard ISO 17025. This work also demonstrates how the European Network of Forensic Science Institutes (ENFSI) Guideline for Evaluative Reporting can be applied to express the results of file recovery classification, authentication and evaluation.




Updated: 2019-07-20