Forensic exploration on windows File History
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Choi, J. | - |
dc.contributor.author | Park, J. | - |
dc.contributor.author | Lee, S. | - |
dc.date.accessioned | 2021-12-05T05:42:00Z | - |
dc.date.available | 2021-12-05T05:42:00Z | - |
dc.date.created | 2021-08-31 | - |
dc.date.issued | 2021 | - |
dc.identifier.issn | 2666-2825 | - |
dc.identifier.uri | https://scholar.korea.ac.kr/handle/2021.sw.korea/129538 | - |
dc.description.abstract | Nowadays, a proliferation of flash-memory-based storage devices makes it more difficult to recover deleted files in unallocated areas. Thus, it becomes more important for forensic examiners to find and utilize backed up data generated by specially prepared backup features. As an interesting example of them, File History (FH) included since Windows 8 is a backup feature that can be set and operated by a user. To enable FH, it is required to select a storage device for file backup operations which can be almost any type of storage devices, including a local drive, USB flash drive, network drive, etc. This special backup feature of course allows users to restore backed up files and delete old backup versions whenever they want. Therefore, it is necessary to be able to analyze forensic artifacts that show user behaviors relating to FH, during examination of Windows systems. In this paper, we deeply explore Windows FH feature from a digital forensics perspective. As a result, this paper proposes a three-step examination procedure along with detailed considerations for each step. We also analyze impacts of several anti-forensic actions that users can perform intentionally or unintentionally. Finally, this work develops an open-source tool for identifying FH related artifacts and analyzing user behaviors on backup operations. © 2021 Elsevier Ltd | - |
dc.language | English | - |
dc.language.iso | en | - |
dc.publisher | Elsevier Ltd | - |
dc.title | Forensic exploration on windows File History | - |
dc.type | Article | - |
dc.contributor.affiliatedAuthor | Lee, S. | - |
dc.identifier.doi | 10.1016/j.fsidi.2021.301134 | - |
dc.identifier.scopusid | 2-s2.0-85101346882 | - |
dc.identifier.bibliographicCitation | Forensic Science International: Digital Investigation, v.36 | - |
dc.relation.isPartOf | Forensic Science International: Digital Investigation | - |
dc.citation.title | Forensic Science International: Digital Investigation | - |
dc.citation.volume | 36 | - |
dc.type.rims | ART | - |
dc.type.docType | Article | - |
dc.description.journalClass | 1 | - |
dc.description.journalRegisteredClass | scopus | - |
dc.subject.keywordAuthor | Anti-forensic implication | - |
dc.subject.keywordAuthor | File backup | - |
dc.subject.keywordAuthor | File history | - |
dc.subject.keywordAuthor | Forensic artifact | - |
dc.subject.keywordAuthor | Forensic procedure | - |
dc.subject.keywordAuthor | Log analysis | - |
dc.subject.keywordAuthor | Multi-source data analysis | - |
dc.subject.keywordAuthor | Open-source tool | - |
dc.subject.keywordAuthor | User behavior analysis | - |
dc.subject.keywordAuthor | Windows forensics | - |
Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.
(02841) 서울특별시 성북구 안암로 14502-3290-1114
COPYRIGHT © 2021 Korea University. All Rights Reserved.
Certain data included herein are derived from the © Web of Science of Clarivate Analytics. All rights reserved.
You may not copy or re-distribute this material in whole or in part without the prior written consent of Clarivate Analytics.