Generic Metadata Time Carving

Nordvik, Rune; Porter, Kyle; Toolan, Fergus; Axelsson, Stefán; Franke, Katrin

doi:10.1016/j.fsidi.2020.301005

Cited by 2 publications

(3 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Nordvik [20] performed a study to recover metadata using the characteristics of timestamps included in the metadata of each file system. The recovery method looked for corresponding patterns using a feature in which the timestamp of the same value was continuously stored, and then carving of the metadata including the pattern was performed.…”

Section: Recovery Of Timestampmentioning

confidence: 99%

Forensic Recovery of File System Metadata for Digital Forensic Investigation

Lee

Hwang

2022

IEEE Access

View full text Add to dashboard Cite

File system forensics is one of the most important elements in digital forensic investigations. To date, various file system forensic methods, such as analysis of tree structure and the recovery of deleted file data, have been studied. Among these file system forensic methods, the recovery of file system metadata is a key technique that makes digital forensic investigations possible by recovering metadata when it is not possible to obtain metadata in a regular manner because the file system structure is damaged due to an accident/disaster or cyber terrorism. Previous studies mainly focused on recovering record or entry data, which are the basic units of metadata, using carving techniques via a fixed values or values capable of range prediction at the beginning of the data. However, no studies have been conducted on metadata without such fixed values or values capable of range prediction. $LogFile, which is a metadata file of the New Technology File System (NTFS) that is one of the most used file systems at present, contains very important metadata that provide a history of all file system operations during a specific period. However, since there is no fixed value or a value capable of range prediction at the start position of the record, which is the basic unit of $LogFile, there have been no studies on recovery using record units, and only recovery by file and page have been possible. If the file header or page header of $LogFile is damaged, existing recovery methods cannot properly recover the metadata; in such cases, a record-level recovery method is required to recover the metadata. In this context, we investigated the mechanisms of record storage through a detailed analysis of the $LogFile structure and proposed a recovery method for records without fixed values. Our proposed method was implemented as a tool and verified through comparative experiments with existing forensic tools that recover $LogFile data. The experimental results showed that the proposed recovery method was able recover all the data that existing tools are unable to recover in situations where the $LogFile data were damaged. The implemented tools are released free of charge to contribute digital forensic community. Finally, we explained what important role $LogFile played in solving real-world cases and confirm the importance of recovering $LogFile data in situations where file systems may be damaged due to accidents and disasters.

show abstract

Section: Recovery Of Timestampmentioning

confidence: 99%

Forensic Recovery of File System Metadata for Digital Forensic Investigation

Lee

Hwang

2022

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Regarding the situation that little effort was put forth toward the recovery of binary executable files, Hand et al (2012), for the first time, provided a solution that leverages the combination of both road map information defined in executable file headers and explicit control flow paths within the binary code. Nordvik et al (2020) argued that existing CRF methods do not consider how to recover file-related metadata, which, such as timestamps, have greater value for complete forensics. For this reason, they proposed a generic timestamp metadata carving method for the first time.…”

Section: Research On File Recoverymentioning

confidence: 99%

“…Different from MFR, CFR does not rely on metadata. It leverages syntactic signatures (e.g., file header-footer pairs) (Tang et al, 2016), semantic structures (e.g., explicit control flow paths within a binary executable) (Hand et al, 2012), heuristic technologies (Garfinkel & McCarrin, 2015;Gladyshev & James, 2017;Pal et al, 2008), timestamps (Nordvik et al, 2020;Portera et al, 2021) or deep learning technologies (Heo et al, 2019;Mohammad & Alqahtani, 2019) to restore files. Unlike MFR, which can precisely recover a file under the "direct guidance" of metadata, CFR "indirectly infers" which data blocks belong to the file to be recovered.…”

Section: Introductionmentioning

confidence: 99%

Golden Eye

Zhang

Chen

Zhu

2022

International Journal of Digital Crime and Forensics

View full text Add to dashboard Cite

File systems are important sources of intelligence information and digital evidence. They have long attracted the interest of researchers in recovering files that are deleted from a hard disk. Existing file recovery studies rely heavily on an operating system (OS). However, it is often encountered that OS services are not available, making existing file recovery approaches unusable. To address this issue, the authors design and implement an OS-independent file recovery algorithm named Golden Eye (GE) by targeting the EXT4 file system. Fed the raw image obtained from a (sanitized) hard disk, GE can automatically recover any designated file or even the whole EXT4 file system. GE is based on the understanding of the file disk layout of EXT4 and does not need any support from additional hardware or software. Experimental results prove the feasibility and correctness of GE. This work not only solves the OS dependency problem that most existing file recovery work suffers from but also reveals the fact that even sanitized hard disks are still at risk of leaking sensitive data.

show abstract

Generic Metadata Time Carving

Cited by 2 publications

References 8 publications

Forensic Recovery of File System Metadata for Digital Forensic Investigation

Forensic Recovery of File System Metadata for Digital Forensic Investigation

Golden Eye

Contact Info

Product

Resources

About