NTFS Data Tracker: Tracking file data history based on $LogFile
DC Field | Value | Language |
---|---|---|
dc.contributor.author | Oh, Junghoon | - |
dc.contributor.author | Lee, Sangjin | - |
dc.contributor.author | Hwang, Hyunuk | - |
dc.date.accessioned | 2022-02-13T05:40:20Z | - |
dc.date.available | 2022-02-13T05:40:20Z | - |
dc.date.created | 2022-02-09 | - |
dc.date.issued | 2021-12 | - |
dc.identifier.issn | 2666-2817 | - |
dc.identifier.uri | https://scholar.korea.ac.kr/handle/2021.sw.korea/135585 | - |
dc.description.abstract | The $LogFile is a file system metafile that stores NTFS (New Technology File System) transaction data. It is used to restore the file system to its normal state in the event of a file system error, such as one caused by sudden power outages. The transaction data recorded in $LogFile contain changes in the metadata of files and directories in the $MFT. By analyzing it, all file operations performed in the file system during a specific period can be identified. Existing research on the $LogFile has focused on finding file-level events including create, delete, move and rename. Research has also been conducted on file data in $LogFile to acquire data location information (data runs) that is initially stored at the time of file creation, or to reconstruct only the final location information of the data. No research, however, has been conducted to date on tracking the entire history of changes in the file data. In this paper, we develop a technique that reproduces changes in the metadata within the $MFT on a file-by-file basis by using transaction data recorded in the $LogFile to overcome the limitations of existing research in the area. We use this technique to track all data on the history of a given file according to changes in it over time from its creation to deletion. An NTFS Data Tracker is also developed based on the results and various example use cases are discussed. (c) 2021 Elsevier Ltd. All rights reserved. | - |
dc.language | English | - |
dc.language.iso | en | - |
dc.publisher | ELSEVIER SCI LTD | - |
dc.title | NTFS Data Tracker: Tracking file data history based on $LogFile | - |
dc.type | Article | - |
dc.contributor.affiliatedAuthor | Lee, Sangjin | - |
dc.identifier.doi | 10.1016/j.fsidi.2021.301309 | - |
dc.identifier.scopusid | 2-s2.0-85122677159 | - |
dc.identifier.wosid | 000714740900002 | - |
dc.identifier.bibliographicCitation | FORENSIC SCIENCE INTERNATIONAL-DIGITAL INVESTIGATION, v.39 | - |
dc.relation.isPartOf | FORENSIC SCIENCE INTERNATIONAL-DIGITAL INVESTIGATION | - |
dc.citation.title | FORENSIC SCIENCE INTERNATIONAL-DIGITAL INVESTIGATION | - |
dc.citation.volume | 39 | - |
dc.type.rims | ART | - |
dc.type.docType | Article | - |
dc.description.journalClass | 1 | - |
dc.description.journalRegisteredClass | scie | - |
dc.description.journalRegisteredClass | scopus | - |
dc.relation.journalResearchArea | Computer Science | - |
dc.relation.journalWebOfScienceCategory | Computer Science, Information Systems | - |
dc.relation.journalWebOfScienceCategory | Computer Science, Interdisciplinary Applications | - |
dc.subject.keywordAuthor | $LogFile | - |
dc.subject.keywordAuthor | Data history | - |
dc.subject.keywordAuthor | NTFS | - |