Conference papers

Creating a Map of User Data in NTFS to Improve File Carving

Abstract: Digital forensics and, especially, file carving are burdened by the large amounts of data that need to be processed. Attempts to solve this problem include efficient carving algorithms, parallel processing in the cloud and data reduction by filtering uninteresting files. This research addresses the problem by searching for data where it is more likely to be found. This is accomplished by creating a probability map for finding unique data at various logical block addressing positions in storage media. SHA-1 hashes of 512 B sectors are used to represent the data. The results, which are based on a collection of 30 NTFS partitions from computers running Microsoft Windows 7 and later versions, reveal that the mean probability of finding unique hash values at different logical block addressing positions varies between 12% and 41% in an NTFS partition. The probability map can be used by a forensic analyst to prioritize relevant areas in storage media without the need for a working filesystem. It can also be used to increase the efficiency of hash-based carving by dynamically changing the random sampling frequency. The approach contributes to digital forensic processes by enabling them to focus on interesting regions in storage media, increasing the probability of obtaining relevant results faster.
Document type: Conference papers

Cited literature [66 references]

https://hal.inria.fr/hal-02534611
Contributor : Hal Ifip
Submitted on : Tuesday, April 7, 2020 - 10:37:39 AM
Last modification on : Tuesday, February 23, 2021 - 7:22:03 PM

File

 Restricted access
To satisfy the distribution rights of the publisher, the document is embargoed until : 2022-01-01


Licence


Distributed under a Creative Commons Attribution 4.0 International License

Citation

Martin Karresand, Asalena Warnqvist, David Lindahl, Stefan Axelsson, Geir Dyrkolbotn. Creating a Map of User Data in NTFS to Improve File Carving. 15th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2019, Orlando, FL, United States. pp.133-158, ⟨10.1007/978-3-030-28752-8_8⟩. ⟨hal-02534611⟩
