http://dx.doi.org/10.17662/ksdim.2010.6.2.107

A Digital Forensic Method for File Creation using Journal File of NTFS File System

Kim, Tae Han (Department of Computer Engineering, Graduate School, Dongyang University)
Cho, Gyu Sang (Department of Computer Information, Dongyang University)
Publication Information
Journal of Korea Society of Digital Industry and Information Management / v.6, no.2, 2010, pp. 107-118
Abstract
This paper proposes a digital forensic method for analyzing a file creation transaction using the journal file ($LogFile) of the NTFS file system. The journal file holds a large amount of information used to recover the file system after a system failure, so knowledge of its structure is very helpful for forensic analysis. The structure of the journal file, however, is not officially documented. We determine the structure of the journal file by reverse engineering the structure of its log records. We show the digital forensic procedure for extracting information from the log records of a sample file created on an NTFS volume. The related log records are as follows: bitmap and segment allocation information of the MFT entry, index entry allocation information, and resident value update information ($FILE_NAME, $STANDARD_INFORMATION, $INDEX_ALLOCATION attributes, etc.).
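As an added illustration of the kind of analysis the abstract describes (example code written for this page, not the paper's own tool), the following Python walks a constructed stream of $LogFile client records, decodes the NTFS log record header of each, and groups records by transaction id to isolate a file-creation transaction. The record layouts and opcode values are taken from public reverse-engineered $LogFile documentation rather than from this paper, and the sample stream is constructed with RCRD page headers and update-sequence fixups assumed already removed.

```python
import struct
# NTFS log record operation codes (subset). Values and layouts below follow public
# reverse-engineered $LogFile documentation (e.g. the Linux ntfs3 driver), not the paper.
OPS = {0x00: "Noop", 0x02: "InitializeFileRecordSegment", 0x03: "DeallocateFileRecordSegment",
       0x05: "CreateAttribute", 0x06: "DeleteAttribute", 0x07: "UpdateResidentValue",
       0x0E: "AddIndexEntryAllocation", 0x0F: "DeleteIndexEntryAllocation", 0x1B: "ForgetTransaction",
       0x15: "SetBitsInNonresidentBitMap", 0x16: "ClearBitsInNonresidentBitMap"}
ATTR_TYPES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0xA0: "$INDEX_ALLOCATION"}

def parse_log_records(buf):
    """Walk consecutive LFS records: 0x30-byte LFS header + client data (0x20-byte NTFS log record header first)."""
    out, off = [], 0
    while off + 0x30 <= len(buf):
        lsn, _prev, _undo_next, data_len, _client, rtype, txid = struct.unpack_from("<QQQIIII", buf, off)
        body = buf[off + 0x30: off + 0x30 + data_len]
        if rtype == 1 and len(body) >= 0x20:                  # record type 1 = LfsClientRecord
            redo_op, undo_op, redo_off, redo_len, *_, vcn = struct.unpack_from("<12HQ", body)
            redo = body[redo_off: redo_off + redo_len]
            # CreateAttribute's redo data is the attribute record itself; its first dword is the type code
            attr = ATTR_TYPES.get(struct.unpack_from("<I", redo)[0]) if redo_op == 0x05 and len(redo) >= 4 else None
            out.append({"lsn": lsn, "tx": txid, "redo": OPS.get(redo_op, hex(redo_op)),
                        "undo": OPS.get(undo_op, hex(undo_op)), "vcn": vcn, "attr": attr})
        off += 0x30 + ((data_len + 7) & ~7)                   # assumed: records are 8-byte aligned
    return out

def creation_transactions(records):
    """Group by transaction id; keep transactions with the creation pattern ($MFT bitmap bit set + new file record)."""
    by_tx = {}
    for r in records:
        by_tx.setdefault(r["tx"], []).append(r)
    needed = {"SetBitsInNonresidentBitMap", "InitializeFileRecordSegment"}
    return {tx: recs for tx, recs in by_tx.items() if needed <= {r["redo"] for r in recs}}

def build_record(lsn, txid, redo_op, undo_op, redo_data=b""):
    """Construct one LFS record wrapping one NTFS log record (sample data, not a real dump)."""
    hdr = struct.pack("<12HQ", redo_op, undo_op, 0x20, len(redo_data), 0x20 + len(redo_data),
                      0, 0, 0, 0, 0, 0, 0, 0)
    body = hdr + redo_data
    lfs = struct.pack("<QQQIIIIH6x", lsn, 0, 0, len(body), 0, 1, txid, 0)
    return lfs + body + b"\0" * ((-len(body)) % 8)

# Constructed log stream: transaction 7 creates a file, transaction 8 is unrelated.
SAMPLE = b"".join([
    build_record(0x1000, 7, 0x15, 0x16),                             # set bit in $MFT/$Bitmap
    build_record(0x1010, 7, 0x02, 0x03),                             # initialize new MFT file record
    build_record(0x1020, 7, 0x05, 0x06, struct.pack("<I", 0x10)),    # add $STANDARD_INFORMATION
    build_record(0x1030, 7, 0x05, 0x06, struct.pack("<I", 0x30)),    # add $FILE_NAME
    build_record(0x1040, 7, 0x0E, 0x0F),                             # index entry in parent directory
    build_record(0x1050, 7, 0x1B, 0x00),                             # forget (commit) transaction
    build_record(0x1060, 8, 0x07, 0x07),                             # unrelated resident value update
])
```

Running `creation_transactions(parse_log_records(SAMPLE))` returns only transaction 7 with its six records in LSN order; a real volume additionally needs the RCRD page walk and fixup removal before this stage.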
Keywords
Digital Forensics; NTFS Journaling; $LogFile; NTFS File System;