Creating a Map of User Data in NTFS to Improve File Carving
2019 (English) In: Advances in Digital Forensics XV: 15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019, Revised Selected Papers / [ed] Gilbert Peterson & Sujeet Shenoi, Cham: Springer, 2019, p. 133-158. Conference paper, Published paper (Refereed)
Abstract [en]
Digital forensics, and especially file carving, are burdened by the large amounts of data that need to be processed. Attempts to solve this problem include efficient carving algorithms, parallel processing in the cloud and data reduction by filtering uninteresting files. This research addresses the problem by searching for data where it is more likely to be found. This is accomplished by creating a probability map for finding unique data at various logical block addressing positions in storage media. SHA-1 hashes of 512B sectors are used to represent the data. The results, which are based on a collection of 30 NTFS partitions from computers running Microsoft Windows 7 and later versions, reveal that the mean probability of finding unique hash values at different logical block addressing positions varies between 12% and 41% in an NTFS partition. The probability map can be used by forensic analysts to prioritize relevant areas in storage media without the need for a working filesystem. It can also be used to increase the efficiency of hash-based carving by dynamically changing the random sampling frequency. The approach contributes to digital forensic processes by enabling them to focus on interesting regions in storage media, increasing the probability of obtaining relevant results faster. © IFIP International Federation for Information Processing 2019
Place, publisher, year, edition, pages
Cham: Springer, 2019. p. 133-158
Series
IFIP Advances in Information and Communication Technology, ISSN 1868-4238, E-ISSN 1868-422X ; 569
Keywords [en]
File carving, hash-based carving, partition content map, NTFS
National Category
Other Computer and Information Science
Identifiers
URN: urn:nbn:se:hh:diva-41111
DOI: 10.1007/978-3-030-28752-8_8
Scopus ID: 2-s2.0-85071431317
Libris ID: lw50z9l0jx3s0qcl
ISBN: 978-3-030-28752-8 (electronic)
ISBN: 978-3-030-28751-1 (print)
OAI: oai:DiVA.org:hh-41111
DiVA, id: diva2:1375239
Conference
15th IFIP WG 11.9 International Conference, Orlando, FL, USA, January 28–29, 2019
2019-12-04, 2019-12-04, 2020-01-10. Bibliographically approved