• Title/Summary/Keyword: NTFS file system

Performance Analysis of Block Write Operation of File Systems on Linux Environment (리눅스 환경에서 파일 시스템들의 블록 쓰기 연산 성능 분석)

  • Choi, Jin-Oh
    • Journal of the Korea Institute of Information and Communication Engineering / v.19 no.1 / pp.136-140 / 2015
  • The Linux environment that is commonly used in embedded systems supports various file systems such as Ext2, FAT, NTFS, etc. The file system equipped on an embedded system is mostly implemented on a mini hard disk or flash memory. The type of file system affects the performance of application programs. The factors of file system performance on the same media are block read, block write and block free time. Of these factors, block read and block free time do not differ much according to the type of file system. This paper evaluates the performance benchmark of file systems supported by Linux with respect to block allocation and write performance. The results obtained from various experiments show the characteristics of each file system.

Design and Implementation of Private Folder Management Systems for the Security of User Data on Multi-user Environments (다중 사용자 환경에서 개인 데이터 보안을 위한 개인 폴더 관리 시스템의 설계 및 구현)

  • Park, Yong-Hun;Park, Hyeong-Soon;Kim, Hak-Chul;Lee, Hyo-Joon;Jang, Yong-Jin;Lim, Jong-Tae;Jang, Su-Min;Seo, Won-Seok;Yoo, Jae-Soo
    • The Journal of the Korea Contents Association / v.10 no.5 / pp.52-61 / 2010
  • Recently, interest in multi-user systems has increased. Multi-user systems allow a number of users to access the system simultaneously. Security is one of the key issues to be addressed in a multi-user environment. We propose a solution based on the NTFS file system that provides personal data security and considers the convenience of users. The system increases the convenience of users by simplifying the complexity of the security settings on NTFS. We also propose a variety of policies that prevent the conflicts that occur when different users set up personal folders simultaneously, and that keep important folders such as the Windows system folders from being set up as personal folders. In addition, our system supports setting up prohibited folder lists so that no one can set those folders as their personal folders.

Timestamp Analysis of Windows File Systems by File Manipulation Operations (파일 조작에 따른 파일 시간 변화 분석)

  • Bang, Je-Wan;Yoo, Byeong-Yeong;Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology / v.20 no.3 / pp.79-91 / 2010
  • In digital forensics, the creation time, last modified time, and last accessed time of a file or folder are important factors that can indicate events that have affected a computer system. The form of the time information varies with the file system, depending on the user's actions such as copy, transfer, or network transport of files. Specific changes of the time information may be of considerable help in analyzing the user's actions in the computer system. This paper analyzes changes in the time information of files and folders for different operations of the NTFS and attempts to reconstruct the user's actions.

Alternate Data Stream Detection Method Using MFT Analysis Module on NTFS (MFT 분석기술을 이용한 Alternate Data Stream 탐지 기법)

  • Kim, Yo-Sik;Ryou, Jae-Cheol;Park, Sang-Seo
    • Convergence Security Journal / v.7 no.3 / pp.95-100 / 2007
  • Alternate Data Streams (ADS) in NTFS were originally developed to provide compatibility with the Macintosh Hierarchical File System. However, they are being used by malware writers to hide malware or data for the purpose of anti-forensics. Therefore, identifying whether hidden ADSs exist and extracting them has become one of the most important components of computer forensics. This paper proposes a method to detect ADSs using MFT information. Experiment reveals that the proposed method is better in performance and detection rate than others. This method supports not only identification of ADSs which are being used by the operating systems but also investigation of both live systems and evidence images. Therefore it is appropriate for forensic purposes.

The Research on the Recovery Techniques of Deleted Files in the XFS Filesystem (XFS 파일 시스템 내의 삭제된 파일 복구 기법 연구)

  • Ahn, Jae-Hyoung;Park, Jung-Heum;Lee, Sang-Jin
    • Journal of the Korea Institute of Information Security & Cryptology / v.24 no.5 / pp.885-896 / 2014
  • The files in computer storage can be deleted due to unexpected failures or accidents. Some malicious users often delete data themselves for anti-forensics. If deleted files are associated with crimes or important business documents, they should be recovered, and a recovery tool is necessary. Recovery methods and tools for some filesystems such as NTFS, FAT, and EXT have been developed actively. However, there has not been any research on recovering deleted files in the XFS filesystem applied to NAS or CCTV. In addition, since the current related tools are based on traditional signature detection methods, they have low recovery rates. Therefore, this paper suggests recovery methods for deleted files based on metadata and signature detection in the XFS filesystem, and verifies the results by conducting experiments in a real environment.

Digital Forensic Analysis for New File System (신규 파일 시스템에 대한 디지털 포렌식 분석 필요성 연구)

  • Lee, Keun-Gi;Lee, Changhoon;Lee, Sangjin
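    • Proceedings of the Korea Information Processing Society Conference / 2012.11a / pp.1108-1110 / 2012
  • A file system is the scheme by which a computer stores and organizes files and data so that they can be easily found and accessed. Until now, the main targets of analysis have been the FAT (File Allocation Table) file system and NTFS (New Technology File System) used by Windows, and the ext family of file systems used mainly on Unix/Linux. As a variety of IT devices such as smartphones, tablet PCs, and NAS (Network Attached Storage) servers have become widespread, the file systems used on these devices need additional analysis. This paper therefore lists the file systems that require additional analysis and describes the characteristics of each, to serve as a guide for future analysis.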

Research Trends in Next-Generation File Systems from a Forensic Perspective (포렌식 관점에서 차세대 파일시스템 연구 동향)

  • Hwang, Hyunuk;Oh, Junghoon;Lee, Seungyong;Kim, Kibom;Sohn, Kiwook
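    • Review of KIISC / v.29 no.6 / pp.13-22 / 2019
  • Traditional file systems such as NTFS, HFS+, and Ext4 had limitations in several respects, including disk usage, space management, and data encryption. In terms of disk usage in particular, they were designed to operate within a single disk, so operating across multiple disks required a separate configuration such as RAID. Accordingly, the major operating systems released Pooled Storage file systems designed to overcome these limitations of existing file systems. Since research on Pooled Storage file systems was presented by Jan-Niclas Hilgert of Germany at the DFRWS conference held in Austin, USA, in the summer of 2017, intensive research and development has been under way in digital forensics academia and industry. In 2017 Hilgert presented work adding analysis capability for the ZFS file system to the open-source SleuthKit, and at DFRWS 2018 released analysis capability for the BtrFS file system. Joe Syle of BlackBag Technologies presented at DFRWS 2018 the results of adding APFS analysis capability to SleuthKit. Rune Nordvik of Norway released at DFRWS 2019 the results of analyzing REFS through reverse engineering. In Korea, research on ReFS is in progress, centered on Korea University. This paper introduces ReFS, APFS, and BtrFS, next-generation file systems of the Pooled Storage type released by the major operating systems, and describes the characteristics and main features of each.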

MFT-based Forensic Evidence File Search Method Using Direct Access to Physical Sector of Hard Disk Drive (하드디스크의 물리적 섹터 접근 방법을 이용한 MFT기반 증거 파일 탐색 기법)

  • Kim, Yo-Sik;Choi, Myeong-Ryeol;Chang, Tae-Joo;Ryou, Jae-Cheol
    • Convergence Security Journal / v.8 no.4 / pp.65-71 / 2008
  • As the capacity of hard disk drives increases day by day, the amount of data that forensic investigators should analyze is also increasing. This trend requires tremendous time and effort in determining which files are important as evidence on computers. Using the file system APIs provided by the Windows system is the easy way to identify those files. This method, however, requires a large amount of time as the number of files increases, and it changes the access time of files. Moreover, some files cannot be accessed due to the use of the operating system. To resolve these problems, forensic analysis should be conducted by using the Master File Table (MFT). In this paper, we implement a file access program which interprets the MFT information in the NTFS file system. We also extensively compare the program with the previous method. Experimental results show that the presented program reduces the file access time compared with others. As a result, the file access method using MFT information is forensically sound and also reduces the investigation time.

A Digital Forensic Analysis for Directory in Windows File System (Windows 파일시스템의 디렉토리에 대한 디지털 포렌식 분석)

  • Cho, Gyusang
    • Journal of Korea Society of Digital Industry and Information Management / v.11 no.2 / pp.73-90 / 2015
  • When we apply file commands to files in a directory, the directory as well as the file undergoes changes in the timestamps of its MFT entry. Based on an understanding of these changes, this work provides a digital forensic analysis of the timestamp changes of the directory caused by the execution of file commands. NTFS uses a B-tree indexing structure for efficient storage of a huge number of files and fast lookups, so the index tree of the directory index changes when files are operated on by commands. From a digital forensic point of view, we try to understand the behavior of the B-tree indexes and look for traces of files to collect information. But it is not easy to analyze the directory index entry when file commands are executed, and research on digital forensics of NTFS directories and B-tree indexing is comparatively rare. Focusing on this fact, in this paper we analyze directory timestamp changes after executing file commands including creation, copy, deletion, etc., and present a method for finding forensic evidence of the deletion of a directory containing files. With some cases, i.e. examples of the file copy and file deletion commands, analyses of the problem of timestamp changes of the directory are given, and the problem of finding evidence of the deletion of a directory containing files is shown.

An Arbitrary Disk Cluster Manipulating Method for Allocating Disk Fragmentation of Filesystem (파일시스템의 클러스터를 임의로 할당하여 디스크를 단편화하기 위한 방법)

  • Cho, Gyu-Sang
    • Journal of Korea Society of Digital Industry and Information Management / v.16 no.2 / pp.11-25 / 2020
  • This study proposes a method to manipulate the fragmentation of disks by arbitrarily allocating and releasing the status of disk clusters in the NTFS file system. This method allows experiments to be performed in several studies related to fragmentation problems on disk clusters. Typical applicable research examples include testing the performance of disk defragmentation tools according to the state of fragmentation, establishing an experimental environment for fragmented file carving methods for digital forensics, setting up cluster fragmentation for testing the robustness of data hiding methods within directory indexes, and testing the file system's disk allocation methods according to the various versions of Windows. The method describes how a single file occupies a cluster and presents an algorithm with a flowchart. It raises three tricky problems that must be solved for the method, and we propose solutions to them. In the experiments, disk clusters are allocated so that they are fragmented to the maximum extent possible, and a disk defragmentation experiment is then performed to show that the proposed method is effective.