Using NTFS Cluster Allocation Behavior to Find the Location of User Data
Norwegian University of Science and Technology (NTNU), Gjorvik, Norway & Intelligence, Surveillance and Reconnaissance (C4ISR), Swedish Defence Research Agency (FOI), Sweden.
Halmstad University, School of Information Technology, Halmstad Embedded and Intelligent Systems Research (EIS). Norwegian University of Science and Technology (NTNU), Gjorvik, Norway.
Norwegian University of Science and Technology (NTNU), Gjorvik, Norway.
2019 (English) In: Digital Investigation. The International Journal of Digital Forensics and Incident Response, ISSN 1742-2876, E-ISSN 1873-202X, Vol. 29, no Supplement, p. S51-S60. Article in journal (Refereed) Published
Abstract [en]

Digital forensics is heavily affected by the large and increasing amount of data to be processed. To solve the problem there is ongoing research to find more efficient carving algorithms, use parallel processing in the cloud, and reduce the amount of data by filtering uninteresting files. Our approach builds on the principle of searching where it is more probable to find what you are looking for. We have therefore empirically studied the behavior of the cluster allocation algorithm(s) in the New Technology File System (NTFS) to see where new data is actually placed on disk. The experiment consisted of randomly writing, increasing, reducing and deleting files in 32 newly installed Windows 7, 8, 8.1 and 10 virtual computers using VirtualBox. The results show that data are (as expected) more frequently allocated closer to the middle of the disk. Hence that area should be given higher attention during a digital forensic investigation of an NTFS-formatted hard disk. Knowledge of the probable position of user data can be used by a forensic investigator to prioritize relevant areas in storage media, without the need for a working file system. It can also be used to increase the efficiency of hash-based carving by dynamically changing the sampling frequency. Our findings also contribute to digital forensics processes in general, which can now be focused on the interesting regions on storage devices, increasing the probability of getting relevant results faster. © 2019 Martin Karresand, Stefan Axelsson, Geir Olav Dyrkolbotn

Place, publisher, year, edition, pages
Oxon: Elsevier, 2019. Vol. 29, no Supplement, p. S51-S60
Keywords [en]
Digital forensics, File carving, Partition content map, Allocation algorithm, NTFS
National Category
Other Computer and Information Science
Identifiers
URN: urn:nbn:se:hh:diva-41110; DOI: 10.1016/j.diin.2019.04.018; ISI: 000475407000007; Scopus ID: 2-s2.0-85069550388; OAI: oai:DiVA.org:hh-41110; DiVA, id: diva2:1375217
Conference
19th DFRWS conference, Portland, OR, USA, July 14-17, 2019
Note

Funding sponsor: Research Council of Norway programme IKTPLUSS, under the research and development project Ars Forensica. Funding number: 248094/O70

Available from: 2019-12-04 Created: 2019-12-04 Last updated: 2019-12-04 Bibliographically approved

Open Access in DiVA

No full text in DiVA