Skip to Main content Skip to Navigation
Conference papers

Creating a Map of User Data in NTFS to Improve File Carving

Abstract : Digital forensics and, especially, file carving are burdened by the large amounts of data that need to be processed. Attempts to solve this problem include efficient carving algorithms, parallel processing in the cloud and data reduction by filtering uninteresting files. This research addresses the problem by searching for data where it is more likely to be found. This is accomplished by creating a probability map for finding unique data at various logical block addressing positions in storage media. SHA-1 hashes of 512 B sectors are used to represent the data. The results, which are based on a collection of 30 NTFS partitions from computers running Microsoft Windows 7 and later versions, reveal that the mean probability of finding unique hash values at different logical block addressing positions vary between 12% to 41% in an NTFS partition. The probability map can be used by a forensic analyst to prioritize relevant areas in storage media without the need for a working filesystem. It can also be used to increase the efficiency of hash-based carving by dynamically changing the random sampling frequency. The approach contributes to digital forensic processes by enabling them to focus on interesting regions in storage media, increasing the probability of obtaining relevant results faster.
Document type :
Conference papers
Complete list of metadata

Cited literature [66 references]  Display  Hide  Download
Contributor : Hal Ifip Connect in order to contact the contributor
Submitted on : Tuesday, April 7, 2020 - 10:37:39 AM
Last modification on : Tuesday, February 23, 2021 - 7:22:03 PM


Files produced by the author(s)


Distributed under a Creative Commons Attribution 4.0 International License



Martin Karresand, Asalena Warnqvist, David Lindahl, Stefan Axelsson, Geir Olav Dyrkolbotn. Creating a Map of User Data in NTFS to Improve File Carving. 15th IFIP International Conference on Digital Forensics (DigitalForensics), Jan 2019, Orlando, FL, United States. pp.133-158, ⟨10.1007/978-3-030-28752-8_8⟩. ⟨hal-02534611⟩



Record views


Files downloads