A Digital Forensic Analysis for Directory in Windows File System

Digital Forensic Analysis of Directories in the Windows File System

  • Gyu-Sang Cho (Department of Computer Information, Dongyang University)
  • Received : 2015.06.02
  • Accepted : 2015.06.15
  • Published : 2015.06.30

Abstract

When file commands are applied to files in a directory, the directory as well as the file undergoes changes in the timestamps of its MFT entry. Based on an understanding of these changes, this work provides a digital forensic analysis of the directory timestamp changes caused by the execution of file commands. NTFS uses a B-tree indexing structure to store a huge number of files efficiently and to look them up quickly, and the index tree of a directory changes whenever files are operated on by commands. From a digital forensic point of view, we try to understand the behaviour of the B-tree indexes and look for traces of files in order to collect information. But it is not easy to analyze the directory index entries when file commands are executed, and digital forensic research on NTFS directories and B-tree indexing is comparatively rare. Focusing on this, we analyze in this paper the directory timestamp changes after executing file commands including creation, copy and deletion, and present a method for finding forensic evidence of the deletion of a directory containing files. With several cases, i.e. examples of file copy and file deletion commands, we analyze the problem of the timestamp changes of the directory and show the problem of finding evidence of the deletion of a directory containing files.
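As an added illustration, not code from the paper: a small Python parser for the entries of an NTFS directory index node ($I30), which walks the live entries and then carves $FILE_NAME records, with their four timestamps, out of the node's slack, where the entry of a deleted file can survive. The sample node is constructed inside the code rather than taken from a real disk, and the entry and attribute offsets follow the standard on-disk NTFS layout.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # NTFS FILETIME epoch, 100 ns ticks

def parse_filename(buf, off):
    """$FILE_NAME attribute body at buf[off] -> dict, or None if it does not look plausible."""
    try:  # short buffers raise struct.error; absurd tick counts (slack garbage) raise OverflowError
        _p, cr, mo, mm, ac, _al, real, _fl, _rp, nlen, ns = struct.unpack_from("<7QIIBB", buf, off)
        times = [EPOCH + timedelta(microseconds=t // 10) for t in (cr, mo, mm, ac)]
    except (struct.error, OverflowError):
        return None
    end = off + 0x42 + 2 * nlen  # fixed fields are 0x42 bytes, then the UTF-16LE name
    if not (1 <= nlen <= 255 and ns <= 3 and end <= len(buf)
            and all(1980 <= t.year <= 2100 for t in times)):  # sanity window for carving
        return None
    return {"name": buf[off + 0x42:end].decode("utf-16-le", "replace"), "raw_len": end - off, "size": real,
            "created": times[0], "modified": times[1], "mft_modified": times[2], "accessed": times[3]}
def parse_entry(buf, off):
    """One index entry: 16-byte header (MFT ref, entry length, $FILE_NAME length, flags) + $FILE_NAME."""
    mft_ref, ent_len, fn_len, flags = struct.unpack_from("<QHHI", buf, off) if off + 0x10 <= len(buf) else (0, 0, 0, 0)
    if ent_len < 0x10 or off + ent_len > len(buf):
        return None
    e = {"mft": mft_ref & 0xFFFFFFFFFFFF, "length": ent_len, "last": bool(flags & 2), "name": None}
    if fn_len:
        e.update(parse_filename(buf, off + 0x10) or {})
    return e
def parse_index_node(buf):
    """Walk live entries up to the last-entry flag, then carve $FILE_NAME records out of the slack."""
    live, off, e = [], 0, {"last": False}
    while not e["last"] and (e := parse_entry(buf, off)):
        off += e["length"]
        live += [e] if e["name"] else []
    slack, pos = [], off
    while pos + 0x42 <= len(buf):  # 8-byte steps: entries are 8-byte aligned
        fn = parse_filename(buf, pos)
        pos += fn["raw_len"] if fn else 8
        slack += [fn] if fn else []
    return live, slack
T = 133_000_000_000_000_000  # constructed FILETIME, 2022-06-18 04:26:40 UTC (sample data, not a real disk)
def build_entry(mft, name=None, ft=T, size=0, last=False):
    """Constructed entry: header + $FILE_NAME with all four timestamps = ft, padded to 8 bytes."""
    fn = b"" if last else struct.pack("<7QIIBB", 5, ft, ft, ft, ft, size, size, 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    pad = fn + b"\0" * (-len(fn) % 8)
    return struct.pack("<QHHI", mft, 0x10 + len(pad), len(fn), 2 if last else 0) + pad
def sample_node():
    """a.txt and b.txt, then b.txt deleted: the end marker moves up over b.txt's header, leaving its $FILE_NAME in slack."""
    a, b, end = build_entry(70, "a.txt", size=100), build_entry(71, "b.txt", T + 600_000_000, 2048), build_entry(0, last=True)
    before = a + b + end
    return before, a + end + before[len(a) + len(end):]
```

Running `parse_index_node` on the two buffers from `sample_node()` shows b.txt among the live entries before the deletion and, afterwards, only in the carved slack, with its timestamps and size intact.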


Cited by

  1. A Solution to the Problem of Characters That Cannot Be Used in Windows File Names in a Directory-Index Anti-Forensic Technique, vol.11, pp.4, 2015, https://doi.org/10.17662/ksdim.2015.11.4.069
  2. Ordinary B-tree vs NTFS B-tree: A Digital Forensics Perspectives vol.22, pp.8, 2015, https://doi.org/10.9708/jksci.2017.22.08.073