Creating a Map of User Data in NTFS to Improve File Carving
Norwegian University of Science and Technology, Gjovik, Norway.
National Forensic Centre, Swedish Police Authority, Linköping, Sweden.
Swedish Defence Research Agency, Linköping, Sweden.
Norwegian University of Science and Technology, Gjovik, Norway.
2019 (English). In: Advances in Digital Forensics XV: 15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019, Revised Selected Papers / [ed] Gilbert Peterson & Sujeet Shenoi, Cham: Springer, 2019, p. 133-158. Conference paper, Published paper (Refereed)
Abstract [en]

Digital forensics, and especially file carving, are burdened by the large amounts of data that need to be processed. Attempts to solve this problem include efficient carving algorithms, parallel processing in the cloud and data reduction by filtering uninteresting files. This research addresses the problem by searching for data where it is more likely to be found. This is accomplished by creating a probability map for finding unique data at various logical block addressing positions in storage media. SHA-1 hashes of 512 B sectors are used to represent the data. The results, which are based on a collection of 30 NTFS partitions from computers running Microsoft Windows 7 and later versions, reveal that the mean probability of finding unique hash values at different logical block addressing positions varies between 12% and 41% in an NTFS partition. The probability map can be used by forensic analysts to prioritize relevant areas in storage media without the need for a working filesystem. It can also be used to increase the efficiency of hash-based carving by dynamically changing the random sampling frequency. The approach contributes to digital forensic processes by enabling them to focus on interesting regions in storage media, increasing the probability of obtaining relevant results faster. © IFIP International Federation for Information Processing 2019

Place, publisher, year, edition, pages
Cham: Springer, 2019. p. 133-158
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 569
Keywords [en]
File carving, hash-based carving, partition content map, NTFS
National Category
Other Computer and Information Science
Identifiers
URN: urn:nbn:se:hh:diva-41111
DOI: 10.1007/978-3-030-28752-8_8
Scopus ID: 2-s2.0-85071431317
Libris ID: lw50z9l0jx3s0qcl
ISBN: 978-3-030-28752-8 (electronic)
ISBN: 978-3-030-28751-1 (print)
OAI: oai:DiVA.org:hh-41111
DiVA, id: diva2:1375239
Conference
15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019
Available from: 2019-12-04. Created: 2019-12-04. Last updated: 2020-01-10. Bibliographically approved.

Authority records

Axelsson, Stefan
