http://dx.doi.org/10.22156/CS4SMB.2020.10.05.023

Analyzing Past User History through Recovering Deleted $UsnJrnl file

Kim, Dong-Geon (Department of Electrical and Semiconductor Engineering, Chungbuk National University)
Park, Seok-Hyeon (Department of Computer Science, Chungbuk National University)
Jo, Ohyun (Department of Computer Science, Chungbuk National University)
Publication Information
Journal of Convergence for Information Technology, v.10, no.5, 2020, pp. 23-29
Abstract
These days, digital forensic technologies are used frequently at crime scenes. Various electronic devices are found at a crime scene, and the digital forensic results obtained from these devices are used as important evidence. In particular, the user's actions and the times at which those actions took place are critical. However, real forensic analyses face many limitations because user actions are retained only for a short cycle. This paper proposes an efficient method for recovering deleted user behavior records and applying them to forensic investigations, and compares the proposed method with previous methods. Although the recovery results differ depending on the storage device, the results show that the amount of user history data increases from a minimum of 6% to a maximum of 539% when the recovered user behavior is utilized in the forensic investigation.
Keywords
Digital Forensic; $STANDARD_INFORMATION; NTFS FileSystem; $LogFile; $UsnJrnl; File Recovery;
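The paper's idea of recovering deleted $UsnJrnl records means locating USN_RECORD_V2 structures in bytes that no longer belong to the live $J stream. The following is an added example (not the authors' code or tooling) that carves such records from a constructed buffer using the documented USN_RECORD_V2 layout; the sanity thresholds (record length up to 1024 bytes, name offset 60) and the sample records are assumptions of this example, not values from the paper.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 layout: 60-byte fixed header, then the UTF-16LE name, padded to 8 bytes
_HDR = struct.Struct("<IHHQQQQIIIIHH")
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
REASON = {0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x2: "DATA_EXTEND", 0x80000000: "CLOSE"}

def build_record(usn, name, reason, when, frn=0x1000000000005, parent=0x5000000000005):
    """Constructed USN_RECORD_V2 for the demo (not data from a real volume)."""
    fname = name.encode("utf-16-le")
    length = (60 + len(fname) + 7) & ~7  # record length is 8-byte aligned
    td = when - _EPOCH  # FILETIME: 100 ns ticks since 1601, kept in integer math
    ticks = (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10
    hdr = _HDR.pack(length, 2, 0, frn, parent, usn, ticks, reason, 0, 0, 0x20, len(fname), 60)
    return hdr + fname + b"\0" * (length - 60 - len(fname))

def parse_at(buf, off):
    """Parse the record at buf[off:]; None when the bytes fail the carving sanity checks."""
    if off + 60 > len(buf):
        return None
    (length, major, minor, frn, parent, usn, ts, reason,
     _src, _sid, _attr, name_len, name_off) = _HDR.unpack_from(buf, off)
    if not (60 <= length <= 1024 and length % 8 == 0 and off + length <= len(buf)):
        return None  # implausible size or a truncated tail
    if (major, minor) != (2, 0) or name_off != 60 or name_len % 2 or 60 + name_len > length:
        return None  # wrong version or name outside the record
    try:
        name = buf[off + 60:off + 60 + name_len].decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return {"usn": usn, "name": name, "length": length,
            "time": _EPOCH + timedelta(microseconds=ts // 10),
            "mft": frn & 0xFFFFFFFFFFFF, "parent_mft": parent & 0xFFFFFFFFFFFF,  # low 48 bits
            "reasons": [n for bit, n in REASON.items() if reason & bit]}

def carve(buf):
    """Walk 8-byte boundaries; after a hit, skip the record body so it is not re-parsed."""
    found, off = [], 0
    while off + 60 <= len(buf):
        rec = parse_at(buf, off)
        if rec:
            found.append(rec)
        off += rec["length"] if rec else 8
    return found

# Constructed "unallocated" bytes: junk, a create record, zero fill, then the delete record
SAMPLE = (b"\xff" * 16
          + build_record(0x1000, "report.docx", 0x100 | 0x80000000, datetime(2020, 5, 1, 9, 30, tzinfo=timezone.utc))
          + b"\0" * 24
          + build_record(0x1058, "report.docx", 0x200 | 0x80000000, datetime(2020, 5, 1, 9, 45, tzinfo=timezone.utc)))
```

Each recovered record yields the file name, MFT entry and timestamp, which is the user-history information the paper adds to the investigation; the truncated-tail check matters because the last record in a recovered cluster is often cut off.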