Generic Metadata Time Carving
Norwegian University of Science and Technology, Trondheim, Norway; Norwegian Police University College, Oslo, Norway.
Norwegian University of Science and Technology, Trondheim, Norway.
Norwegian Police University College, Oslo, Norway.
Halmstad University, School of Information Technology, Halmstad Embedded and Intelligent Systems Research (EIS). Norwegian University of Science and Technology, Trondheim, Norway.
2020 (English)
In: Forensic Science International: Digital Investigation, ISSN 2666-2817, Vol. 33, no S, article id 301005
Article in journal (Refereed) Published
Abstract [en]

Recovery of files can be a challenging task in file system investigations, and most carving techniques are based on file signatures or semantics within the file. However, these carving techniques often only recover the files, but not the metadata associated with the file. In this paper, we propose a novel, generic approach for carving metadata by searching for equal and co-located timestamps. The rationale is that there are some common metadata for files and directories within each file system. Our generic time carver provides potential timestamp locations for repeated timestamps in each metadata structure, identifying potential metadata for files. A semantic parser then filters the results with respect to the specific file system type. In our experiments, extraction of MFT entries in NTFS and inodes in Ext4 had near perfect precision for metadata entries with multiple equivalent timestamps, and for such metadata structures we obtained perfect recall for NTFS. For known file systems, we use the information found within identified metadata to recover files, and by recovering files and their associated metadata we increase the evidential value of recovered files. © 2020 The Author(s)

Place, publisher, year, edition, pages
Oxford: Elsevier, 2020. Vol. 33, no S, article id 301005
Keywords [en]
Carving, Digital forensics, File system, Metadata
National Category
Computer Systems
Identifiers
URN: urn:nbn:se:hh:diva-46076
DOI: 10.1016/j.fsidi.2020.301005
ISI: 000582272700004
Scopus ID: 2-s2.0-85106585484
OAI: oai:DiVA.org:hh-46076
DiVA, id: diva2:1620165
Conference
20th Annual DFRWS USA Conference, Virtual, 20-24 July, 2020.
Available from: 2021-12-15 Created: 2021-12-15 Last updated: 2022-07-06 Bibliographically approved

Authority records

Axelsson, Stefan
