NTFS Directory Index Analysis for Computer Forensics

Cho, Gyu-Sang

doi:10.1109/imis.2015.68

Cited by 7 publications

(3 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…When the forensic tools scan the device for images this malicious file may not show as it is declared as a document. Cho (2016) found several tools that can be used to change the creation, last modified and recent timestamps for files on the OS. Once this change has been made the forensic tools would display the modified date and time to the analyst.…”

Section: Trail Obfuscationmentioning

confidence: 99%

Forensic Trails Obfuscation and Preservation via Hard Drive Firmware

Underhill

Oyinloye²,

Speakman³

et al. 2022

eccws

View full text Add to dashboard Cite

The hard disk drive stores data the user is creating, modifying, and deleting while a firmware facilitates communication between the drive and the operating system. The firmware tells the device and machine how to communicate with each other and will share useful information such as, disk size and information on any bad sectors. Current research shows that exploits exist that can manipulate these outputs. As an attacker, you can change the size of the disk displayed to the operating system to hide data in, likewise by marking an area of the disk as bad. Users may not be aware of these changes as the operating system will accept the readings from the firmware. However, although the data is not reachable via the operating system this paper looks at the traceability of manipulated data using data recovery software FTK Imager, Recuva, EaseUS and FEX Imager. This report examines the use of malicious techniques to thwart digital forensic procedures by manipulating the firmware. It is shown how this is possible and current forensic techniques or software does not easily detect a change within the firmware. However, with the use of various forensic tools, obfuscated trails are detectable. This report follows a black box testing methodology to show the validation of forensic tools or software against anti-forensic techniques. The analysis of the results showed that most tools can find the firmware changes, however, it requires an analyst to spot the subtle differences between standard and manipulated devices. The use of multiple software tools can help an analyst spot the inconsistencies.

show abstract

Section: Trail Obfuscationmentioning

confidence: 99%

Forensic Trails Obfuscation and Preservation via Hard Drive Firmware

Underhill

Oyinloye²,

Speakman³

et al. 2022

eccws

View full text Add to dashboard Cite

show abstract

“…Because most of the evidence that can be obtained during a digital forensic investigation is stored in file units, file system forensics is the most basic and important factor for forensic investigators. Various forensic methods, such as analysis of tree structure [1][2][3][4] and the recovery of deleted file data [5][6][7], have been studied to find important evidence in file systems. Among these file system forensic methods, the recovery of file system metadata is a key technique that makes digital forensic investigations possible by recovering metadata when it is not possible to obtain metadata in a regular manner because file system structure is damaged due to an accident/disaster or cyber terrorism [8][9].…”

Section: Introductionmentioning

confidence: 99%

Forensic Recovery of File System Metadata for Digital Forensic Investigation

Lee

Hwang

2022

IEEE Access

View full text Add to dashboard Cite

File system forensics is one of the most important elements in digital forensic investigations. To date, various file system forensic methods, such as analysis of tree structure and the recovery of deleted file data, have been studied. Among these file system forensic methods, the recovery of file system metadata is a key technique that makes digital forensic investigations possible by recovering metadata when it is not possible to obtain metadata in a regular manner because the file system structure is damaged due to an accident/disaster or cyber terrorism. Previous studies mainly focused on recovering record or entry data, which are the basic units of metadata, using carving techniques via a fixed values or values capable of range prediction at the beginning of the data. However, no studies have been conducted on metadata without such fixed values or values capable of range prediction. $LogFile, which is a metadata file of the New Technology File System (NTFS) that is one of the most used file systems at present, contains very important metadata that provide a history of all file system operations during a specific period. However, since there is no fixed value or a value capable of range prediction at the start position of the record, which is the basic unit of $LogFile, there have been no studies on recovery using record units, and only recovery by file and page have been possible. If the file header or page header of $LogFile is damaged, existing recovery methods cannot properly recover the metadata; in such cases, a record-level recovery method is required to recover the metadata. In this context, we investigated the mechanisms of record storage through a detailed analysis of the $LogFile structure and proposed a recovery method for records without fixed values. Our proposed method was implemented as a tool and verified through comparative experiments with existing forensic tools that recover $LogFile data. The experimental results showed that the proposed recovery method was able recover all the data that existing tools are unable to recover in situations where the $LogFile data were damaged. The implemented tools are released free of charge to contribute digital forensic community. Finally, we explained what important role $LogFile played in solving real-world cases and confirm the importance of recovering $LogFile data in situations where file systems may be damaged due to accidents and disasters.

show abstract

“…In other word, file systems do not remove data from storage media because it is time-consuming [14]. In this research, the structure of the NTFS file system has been studied because of the system spreads around the world and the desirability of many users [15,16]. The majority of the previous research is classified according to two categories: the first describes the structure of the NTFS file system, and the second type of research was as few as we mentioned.This work was found to provide a detail description of the structure of the NTFS file system, especially the master file table (MFT) structure [17], which is the heart of the NTFS file system and is the basis for file recovery for the target file system [18][19][20].…”

Section: Introductionmentioning

confidence: 99%

Comparison of data recovery techniques on master file table between Aho-Corasick and logical data recovery based on efficiency

Sahib¹,

Rahman²,

Al-Qaysi³

et al. 2021

TELKOMNIKA

View full text Add to dashboard Cite

Data recovery is one of the tools used to obtain digital forensics from various storage media that rely entirely on the file system used to organize files in these media. In this paper, two of the latest techniques of file recovery from file system (new technology file system (NTFS)) logical data recovery, Aho-Corasick data recovery were studied, examined and a practical comparison was made between these two techniques according to the speed and accuracy factors using three global datasets. It was noted that all previous studies in this field completely ignored the time criterion despite the importance of this standard. On the other hand, algorithms developed with other algorithms were not compared. The proposed comparison of this paper aims to detect the weaknesses and strength of both algorithms to develop a new algorithm that is more accurate and faster than both algorithms. The paper concluded that the logical algorithm was superior to the Aho-Corasick algorithm according to the speed criterion, whereas the algorithms gave the same results according to the accuracy criterion. The paper leads to a set of suggestions for future research aimed at achieving a highly efficient and high-speed data recovery algorithm such as the file-carving algorithm.

show abstract

NTFS Directory Index Analysis for Computer Forensics

Cited by 7 publications

References 0 publications

Forensic Trails Obfuscation and Preservation via Hard Drive Firmware

Forensic Trails Obfuscation and Preservation via Hard Drive Firmware

Forensic Recovery of File System Metadata for Digital Forensic Investigation

Comparison of data recovery techniques on master file table between Aho-Corasick and logical data recovery based on efficiency

Contact Info

Product

Resources

About