Using NTFS Cluster Allocation Behavior to Find the Location of User Data
2019 (English). In: Digital Investigation. The International Journal of Digital Forensics and Incident Response, ISSN 1742-2876, E-ISSN 1873-202X, Vol. 29, no Supplement, p. S51-S60. Article in journal (Refereed). Published.
Abstract [en]
Digital forensics is heavily affected by the large and increasing amount of data to be processed. To solve the problem there is ongoing research to find more efficient carving algorithms, use parallel processing in the cloud, and reduce the amount of data by filtering uninteresting files. Our approach builds on the principle of searching where it is more probable to find what you are looking for. We have therefore empirically studied the behavior of the cluster allocation algorithm(s) in the New Technology File System (NTFS) to see where new data is actually placed on disk. The experiment consisted of randomly writing, increasing, reducing and deleting files in 32 newly installed Windows 7, 8, 8.1 and 10 virtual computers using VirtualBox. The results show that data are (as expected) more frequently allocated closer to the middle of the disk. Hence that area should receive higher attention during a digital forensic investigation of an NTFS formatted hard disk. Knowledge of the probable position of user data can be used by a forensic investigator to prioritize relevant areas in storage media, without the need for a working file system. It can also be used to increase the efficiency of hash-based carving by dynamically changing the sampling frequency. Our findings also contribute to the digital forensics process in general, which can now be focused on the interesting regions of storage devices, increasing the probability of getting relevant results faster. © 2019 Martin Karresand, Stefan Axelsson, Geir Olav Dyrkolbotn
Place, publisher, year, edition, pages
Oxon: Elsevier, 2019. Vol. 29, no Supplement, p. S51-S60
Keywords [en]
Digital forensics, File carving, Partition content map, Allocation algorithm, NTFS
National Category
Other Computer and Information Science
Identifiers
URN: urn:nbn:se:hh:diva-41110
DOI: 10.1016/j.diin.2019.04.018
ISI: 000475407000007
Scopus ID: 2-s2.0-85069550388
OAI: oai:DiVA.org:hh-41110
DiVA, id: diva2:1375217
Conference
19th DFRWS conference, Portland, OR, USA, July 14-17, 2019
Note
Funding sponsor: Research Council of Norway programme IKTPLUSS, under the research and development project Ars Forensica. Funding number: 248094/O70
2019-12-04, 2019-12-04, 2019-12-04. Bibliographically approved