An Empirical Study of the NTFS Cluster Allocation Behavior Over Time
Norges teknisk-naturvitenskapelige universitet, Trondheim, Norway; Totalforsvarets forskningsinstitut, Stockholm, Sweden.
Norges teknisk-naturvitenskapelige universitet, Trondheim, Norway; Norwegian Defence Cyber Academy (NDCA), Norway.
Halmstad University, School of Information Technology, Halmstad Embedded and Intelligent Systems Research (EIS). Högskolan i Halmstad.
2020 (English) In: Forensic Science International: Digital Investigation, ISSN 2666-2817, Vol. 33. Article in journal (Refereed) Published
Abstract [en]

© 2020 The Author(s). The amount of data to be handled in digital forensic investigations is continuously increasing, while the tools and processes used are not developed accordingly. This especially affects the digital forensic sub-field of file carving. The use of the structuring of stored data induced by the allocation algorithm to increase the efficiency of the forensic process has been independently suggested by Casey and us. Building on that idea, we have set up an experiment to study the allocation algorithm of NTFS and its behavior over time from different points of view. This includes whether the allocation algorithm behaves the same regardless of Windows version or size of the hard drive, its adherence to the best-fit allocation strategy, and the distribution of the allocation activity over the available (logical) storage space. Our results show that space is not a factor, but there are differences in the allocation behavior between Windows 7 and Windows 10. The results also show that the allocation strategy favors filling in holes in the already written area instead of claiming the unused space at the end of a partition, and that the area with the highest allocation activity is slowly progressing from approximately 10 GiB into a partition towards the end as the disk is filling up.

Place, publisher, year, edition, pages
Elsevier Ltd, 2020. Vol. 33
Keywords [en]
Allocation algorithm, Cluster allocation pattern, Digital forensics, File carving, NTFS
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:hh:diva-44660
DOI: 10.1016/j.fsidi.2020.301008
ISI: 000582272700007
Scopus ID: 2-s2.0-85106664524
OAI: oai:DiVA.org:hh-44660
DiVA, id: diva2:1564107
Available from: 2021-06-11 Created: 2021-06-11 Last updated: 2021-10-20 Bibliographically approved

Authority records

Axelsson, Stefan
