Forensic Recovery of File System Metadata for Digital Forensic Investigation (open access)

Authors
Oh, Junghoon; Lee, Sangjin; Hwang, Hyunuk
Issue Date
2022
Publisher
IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
Keywords
File system; forensics; metadata; forensic recovery
Citation
IEEE ACCESS, v.10, pp.111591 - 111606
Indexed
SCIE
SCOPUS
Journal Title
IEEE ACCESS
Volume
10
Start Page
111591
End Page
111606
URI
https://scholar.korea.ac.kr/handle/2021.sw.korea/147073
DOI
10.1109/ACCESS.2022.3213030
ISSN
2169-3536
Abstract
File system forensics is one of the most important elements in digital forensic investigations. To date, various file system forensic methods, such as analysis of tree structure and the recovery of deleted file data, have been studied. Among these file system forensic methods, the recovery of file system metadata is a key technique that makes digital forensic investigations possible by recovering metadata when it is not possible to obtain metadata in a regular manner because the file system structure is damaged due to an accident/disaster or cyber terrorism. Previous studies mainly focused on recovering record or entry data, which are the basic units of metadata, using carving techniques via fixed values or values capable of range prediction at the beginning of the data. However, no studies have been conducted on metadata without such fixed values or values capable of range prediction. $LogFile, which is a metadata file of the New Technology File System (NTFS), one of the most used file systems at present, contains very important metadata that provide a history of all file system operations during a specific period. However, since there is no fixed value or a value capable of range prediction at the start position of the record, which is the basic unit of $LogFile, there have been no studies on recovery using record units, and only recovery by file and page has been possible. If the file header or page header of $LogFile is damaged, existing recovery methods cannot properly recover the metadata; in such cases, a record-level recovery method is required to recover the metadata. In this context, we investigated the mechanisms of record storage through a detailed analysis of the $LogFile structure and proposed a recovery method for records without fixed values. Our proposed method was implemented as a tool and verified through comparative experiments with existing forensic tools that recover $LogFile data.
The experimental results showed that the proposed recovery method was able to recover all the data that existing tools are unable to recover in situations where the $LogFile data were damaged. The implemented tools are released free of charge to contribute to the digital forensic community. Finally, we explained what important role $LogFile played in solving real-world cases and confirmed the importance of recovering $LogFile data in situations where file systems may be damaged due to accidents and disasters.
Files in This Item
There are no files associated with this item.
Appears in
Collections
School of Cyber Security > Department of Information Security > 1. Journal Articles