
A Digital Forensic Analysis for Directory in Windows File System  

Cho, Gyusang (동양대학교 컴퓨터정보전학과)
Publication Information
Journal of Korea Society of Digital Industry and Information Management, v.11, no.2, 2015, pp. 73-90
When file commands are applied to files in a directory, the timestamps in the MFT entry of the directory change as well as those of the file. Building on an understanding of these changes, this work provides a digital forensic analysis of the directory timestamp changes caused by the execution of file commands. NTFS uses a B-tree index structure to store a huge number of files efficiently and to look them up quickly, and the index tree of the directory index changes whenever files are operated on by commands. From a digital forensic point of view, we try to understand the behaviour of the B-tree indexes and look for traces of files in them to collect information. However, analyzing the directory index entries after file commands have been executed is not easy, and digital forensic research on NTFS directories and B-tree indexing is comparatively rare. Focusing on this, in this paper we analyze the directory timestamp changes that follow file commands such as creation, copy and deletion, and present a method for finding forensic evidence of the deletion of a directory containing files. Using several cases, namely examples of the file copy and file deletion commands, we analyze the problem of directory timestamp changes and show the problem of finding evidence of the deletion of a directory containing files.
Keywords: Timestamp; Directory; Digital Forensics; NTFS; Windows; B-tree