Detailed Information

Cited 0 time in webofscience Cited 0 time in scopus
Metadata Downloads

Forensic Recovery of File System Metadata for Digital Forensic Investigationopen access

Authors
Oh, JunghoonLee, SangjinHwang, Hyunuk
Issue Date
2022
Publisher
IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
Keywords
File system; forensics; metadata; forensic recovery
Citation
IEEE ACCESS, v.10, pp.111591 - 111606
Indexed
SCIE
SCOPUS
Journal Title
IEEE ACCESS
Volume
10
Start Page
111591
End Page
111606
URI
https://scholar.korea.ac.kr/handle/2021.sw.korea/147073
DOI
10.1109/ACCESS.2022.3213030
ISSN
2169-3536
Abstract
File system forensics is one of the most important elements in digital forensic investigations. To date, various file system forensic methods, such as analysis of tree structure and the recovery of deleted file data, have been studied. Among these file system forensic methods, the recovery of file system metadata is a key technique that makes digital forensic investigations possible by recovering metadata when it is not possible to obtain metadata in a regular manner because the file system structure is damaged due to an accident/disaster or cyber terrorism. Previous studies mainly focused on recovering record or entry data, which are the basic units of metadata, using carving techniques via a fixed values or values capable of range prediction at the beginning of the data. However, no studies have been conducted on metadata without such fixed values or values capable of range prediction. $LogFile, which is a metadata file of the New Technology File System (NITS) that is one of the most used file systems at present, contains very important metadata that provide a history of all file system operations during a specific period. However, since there is no fixed value or a value capable of range prediction at the start position of the record, which is the basic unit of $LogFile, there have been no studies on recovery using record units, and only recovery by file and page have been possible. If the file header or page header of $LogFile is damaged, existing recovery methods cannot properly recover the metadata; in such cases, a record-level recovery method is required to recover the metadata. In this context, we investigated the mechanisms of record storage through a detailed analysis of the $LogFile structure and proposed a recovery method for records without fixed values. Our proposed method was implemented as a tool and verified through comparative experiments with existing forensic tools that recover $LogFile data. The experimental results showed that the proposed recovery method was able recover all the data that existing tools are unable to recover in situations where the $LogFile data were damaged. The implemented tools are released free of charge to contribute digital forensic community. Finally, we explained what important role $LogFile played in solving real-world cases and confirm the importance of recovering $LogFile data in situations where file systems may be damaged due to accidents and disasters.
Files in This Item
There are no files associated with this item.
Appears in
Collections
School of Cyber Security > Department of Information Security > 1. Journal Articles

qrcode

Items in ScholarWorks are protected by copyright, with all rights reserved, unless otherwise indicated.

Related Researcher

Researcher LEE, SANG JIN photo

LEE, SANG JIN
정보보호학과
Read more

Altmetrics

Total Views & Downloads

BROWSE