File after it has been deleted and the Recycle Bin emptied.


Source publication
Article
Timestamps play a substantial role during digital forensic investigations and address two main objectives. First, they serve as a primary culling criterion to reduce the amount of digital evidence subject to analysis. Second, timestamps are the sole feature that allows reliable reconstruction of time-lines and they assist in locating temporal anoma...

Contexts in source publication

Context 1
... a defragmentation process is the Move operation (FSCTL_MOVE_FILE). When a file in an NTFS file system is deleted, its file record in the $MFT table is marked deleted and the corresponding clusters are marked available in the system $Bitmap. The deletion event is recorded in the transaction journals, but none of the dates in the $MFT change (see Fig. 5). Therefore, at this point, no dating is required and the file can be fully restored. There is no guarantee on how long the deleted file will stay intact. Two types of overwriting can happen: first, the file record in the $MFT is allocated to a different file, whereby the pointer to the deleted file is lost; second, the available ...
Context 2
... $FILE_NAME dates are rarely updated, which makes them less useful than the $STANDARD_INFORMATION dates, but we can use this to our advantage. Fig. 5 shows three snapshots: the first is taken before the file is deleted; the second is after the file is deleted and, therefore, moved to the Recycle Bin; and the third is after the Recycle Bin is emptied. The only date that indicates the deletion is the E date, as shown in the figure, and only if the file is moved to the Recycle Bin and does ...

Citations

... Nordvik et al. (2019) focused on NTFS, specifically the Object ID Index, including multiple experiments with file creation, copying, moving, etc., and show how this artefact can be used to link external devices to the computers to which they have been attached, detect manipulations, and show which boot session a file belongs to. Finally, a more general technique by Bahjat and Jones (2019) discusses a new method for assigning dates and times to file fragments based on the other data that surrounds them, further developing the digital stratigraphy technique. ...
... One of the main reasons is file carving which is the process of recovering files from unallocated space on the hard disk. However, file carving may only recover fragments of files rather than the file itself [1]. Furthermore, suspects might try to hide files or file fragments in slack space. ...
Chapter
Metadata is a blanket term that encompasses the information describing a file’s myriad properties. A file’s metadata might capture its extension, headers, footers, signatures, length, and file type, among other details. This information, along with other markers, can be exploited by a forensic examiner to identify and categorize files, often with relative ease. However, the challenge that arises in digital forensics is that examiners could potentially be tasked with identifying file types using only a few remnant fragments on a storage device. These remnants left behind on a device could be a product of routine operating system activities or a misguided attempt to destroy evidence by a suspect. In addition, files are routinely transmitted over a network as fragments, sometimes with errors, and network forensic examiners might be called upon for file fragment identification in this scenario. It is also commonplace to find perpetrators maliciously and deliberately falsifying metadata, including headers and footers, in an effort to mislead and misdirect forensic examiners. To this end, in this research, we propose statistical techniques for file type identification and classification using file fragments. We demonstrate that byte frequency analysis and related techniques are quite potent in their ability to tackle these aforementioned challenges. In our work, we analyze fragments garnered from fourteen different files. We choose these file types in our analysis as they are commonly used for various purposes and with different structures. We evaluate the performance of our proposed framework using evaluation metrics such as accuracy, precision, recall, and F1-score. Our results show that our proposed framework can accurately identify and classify file types from file fragments. Our work is novel in that we have pushed the boundaries of what was considered feasible using fundamental statistical tools, as suggested by the body of work in the literature. 
Our objective is to develop the foundations of a framework for file-fragment analysis under the fabric of statistical analysis. We show that the auspice of our research is applicable in domains as disparate as file integrity analysis, malware detection, steganography, intrusion detection systems, security policy implementation, and of course, a big thrust in digital and cyber forensic analysis.

Keywords: File fragments; Statistical analysis; File Metadata; Digital Forensics; Byte Frequency Analysis
... Data Building publications retrieved.
(reference not shown in excerpt) iPhone Health application - Investigates the use of data extracted from the iPhone Health application, which stores data about physical exercises performed by the user
EXTR [Servida and Casey 2019] IoT, digital traces - Data from mobile apps (e.g., Nest and Wink hubs) and from IoT devices (e.g., cloud data from QBee Camera and the Swisscom Home App); plugins were developed for data extraction
EVD [Hosler et al. 2019] Database for Video Forensics - Data of digital forensic videos composed of 2,000 videos from 46 physical devices representing 36 unique camera models
EXTR [Pessolano et al. 2019] Forensic analysis Nintendo 3DS - Data from Nintendo 3DS to analyze methods of hacking and extracting data from that device's internal storage system
RECV [Bahjat and Jones 2019] Deleted file fragment - Framework for determining a time-window for file fragments, considering the first moment it was written to a medium until it was deleted
EXTR [Williams et al. 2021] Android/iOS recover - Recover data from wearable smart fitness devices that run Android 9 and iOS 12
EVD [Kumar and Karabiyik 2021] Instagram vanish mode - Investigate the presence of vanished messages in the application database
EVD [Afshar et al. 2021] Behavior detection - Propose an Attribute/Behavior-Based Access Control for understanding and deriving users' behaviors from log files
RECV ...
Article
Digital forensics has attracted attention from assorted researchers, who primarily work on predicting and solving digital hacks and crimes. In turn, the number and types of digital crimes have increased considerably, mainly due to the growing use of digital media to perform daily personal and professional tasks. Like most computer-related activities, data is at the center of such hacks and crimes. Hence, this work presents a systematic literature review of publications at the intersection between Digital Forensics and Databases. We discuss problems and trends of two main categories: Data Building and Database Management Systems. Overall, this research opens the doors for the communication between databases and an area with several exciting and concrete challenges, with great potential for social, economic, and technical-scientific contributions.
... Indeed, many studies in these areas rely on assumptions with respect to fragmentation. In the domain of digital forensics, this includes studies into file fragment classification (e.g., Rahmat et al. [13]), generic file carvers (e.g., Ying and Thing [16], Garfinkel [5]) as well as file type specific file carvers (e.g., Durmus et al. [4], Yang et al. [15]), and fragment dating (e.g., Bahjat and Jones [2]). ...
Article
There is a significant amount of research in digital forensics into analyzing file fragments or reconstructing fragmented data. At the same time, there are no recent measurements of fragmentation on current, in-use computer systems. To close this gap, we have analyzed file fragmentation from a corpus of 220 privately owned Windows laptops. We provide a detailed report of our findings. This includes contemporary fragmentation rates for a wide variety of image-, video-, office-, database-, and archive-related extensions. Our data substantiates the earlier finding that fragments for a significant portion of fragmented files are stored out-of-order. We define metrics to measure the degree of “out-of-orderedness” and find that the average degree of out-of-orderedness is non-negligible. Finally, we find that there is a significant group of fragmented files for which reconstruction is insufficiently addressed by current tooling.
... Some deleted and fragmented files provide useful evidence in the consideration of criminal activity. Although some attributes can be modified, the dates in the $FILE_NAME attribute can only be modified by the system kernel and are, therefore, immune from any known anti-forensics tools [109]. ...
... A single file might leave several remnants, which can be found in several ways. Slack space occurs in various forms, of which there are two main types: 1) volume slack is the unallocated space left after creating a hard drive partition; and 2) file slack occurs in files that do not fully align with a multiple of the cluster size [109]. ...
... The file record can be overwritten in two ways: 1) the record in the $MFT is allocated to a different file, but the file can be recovered by creating a new pointer to the file which will also create new system dates; and 2) the available clusters are later allocated for a different file which results in overwriting of the file content. Many files also have a date contained within the file which can be used for fragment dating [109]. ...
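The point made in Context 1 and Context 2 above (deleting a file flips the record's in-use flag but leaves its $MFT dates untouched) and in the citation above ($FILE_NAME dates are written only by the kernel, so a mismatch against $STANDARD_INFORMATION is a tamper indicator) can be checked mechanically. The following is an added example, not code from Bahjat and Jones or from any cited work: it builds a simplified, constructed $MFT FILE record (only the header fields and the two timestamp attributes this check reads are populated; real records carry more), parses it back, and compares the two timestamp sets. The record layout, the sample times and the anomaly heuristics are assumptions of this example.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 100 ns ticks since 1601-01-01 UTC
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI_TYPE, FN_TYPE, END_MARKER = 0x10, 0x30, 0xFFFFFFFF   # $STANDARD_INFORMATION, $FILE_NAME
ATTR_HDR_LEN = 0x18       # resident attribute header size
FIRST_ATTR_OFF = 0x38     # offset of the first attribute in the constructed record
IN_USE = 0x0001           # record header flag bit 0: record is allocated (clear = deleted)

# Constructed sample times (assumption): an honest file time and a backdated, whole-second one
EXAMPLE_TIME = datetime(2023, 3, 1, 10, 0, 0, 123456, tzinfo=timezone.utc)
BACKDATED_TIME = datetime(2019, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME integer -> aware datetime (microsecond precision)."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def _resident_attr(atype, content):
    """Resident attribute: 0x18-byte header, then content, padded to 8 bytes."""
    length = ATTR_HDR_LEN + len(content)
    length += (-length) % 8
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, ATTR_HDR_LEN, 0, 0,
                      len(content), ATTR_HDR_LEN, 0, 0)
    return hdr + content + b"\0" * (length - ATTR_HDR_LEN - len(content))


def build_record(si_times, fn_times, in_use=True, size=1024):
    """Constructed FILE record: header, $STANDARD_INFORMATION, $FILE_NAME, end marker."""
    # $SI content: four FILETIMEs (C, M, E, A) at offset 0
    si = struct.pack("<4Q", *(dt_to_filetime(t) for t in si_times)) + b"\0" * 16
    # $FN content: 8-byte parent reference, then four FILETIMEs (C, M, E, A)
    fn = b"\0" * 8 + struct.pack("<4Q", *(dt_to_filetime(t) for t in fn_times)) + b"\0" * 16
    # header: magic, USA offset/count, LSN, sequence, links, first attr offset (0x14), flags (0x16)
    hdr = struct.pack("<4sHHQHHHHII", b"FILE", 0x30, 3, 0, 1, 1, FIRST_ATTR_OFF,
                      IN_USE if in_use else 0, 0, size)
    body = (hdr.ljust(FIRST_ATTR_OFF, b"\0") + _resident_attr(SI_TYPE, si)
            + _resident_attr(FN_TYPE, fn) + struct.pack("<I", END_MARKER))
    return body.ljust(size, b"\0")


def parse_record(buf):
    """Return (in_use, {'SI': {C,M,E,A}, 'FN': {C,M,E,A}}) from a FILE record."""
    if buf[:4] != b"FILE":
        raise ValueError("not a FILE record")
    first_attr, flags = struct.unpack_from("<HH", buf, 0x14)
    times, off = {}, first_attr
    while off + 8 <= len(buf):
        atype, length = struct.unpack_from("<II", buf, off)
        if atype == END_MARKER or length == 0:
            break
        clen, coff = struct.unpack_from("<IH", buf, off + 0x10)
        content = buf[off + coff: off + coff + clen]
        if atype == SI_TYPE:
            times["SI"] = dict(zip("CMEA", map(filetime_to_dt, struct.unpack_from("<4Q", content, 0))))
        elif atype == FN_TYPE:
            times["FN"] = dict(zip("CMEA", map(filetime_to_dt, struct.unpack_from("<4Q", content, 8))))
        off += length
    return bool(flags & IN_USE), times


def timestamp_anomalies(times):
    """Heuristics: $SI dates older than the kernel-written $FN dates, or all $SI dates whole-second."""
    si, fn = times["SI"], times["FN"]
    findings = []
    if si["C"] < fn["C"]:
        findings.append("SI created precedes FN created (possible backdating)")
    if all(t.microsecond == 0 for t in si.values()):
        findings.append("all SI timestamps have zero sub-second part (heuristic)")
    return findings


def demo():
    honest = parse_record(build_record([EXAMPLE_TIME] * 4, [EXAMPLE_TIME] * 4))
    stomped = parse_record(build_record([BACKDATED_TIME] * 4, [EXAMPLE_TIME] * 4))
    deleted = parse_record(build_record([EXAMPLE_TIME] * 4, [EXAMPLE_TIME] * 4, in_use=False))
    return {
        "honest": timestamp_anomalies(honest[1]),
        "stomped": timestamp_anomalies(stomped[1]),
        "deleted_in_use": deleted[0],
        # deletion cleared the in-use flag but left every date as it was
        "deleted_dates_unchanged": deleted[1] == honest[1],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Both heuristics are indicators, not proof: legitimate copies and certain backup tools also produce $STANDARD_INFORMATION dates that predate the $FILE_NAME dates, so a finding is a lead for the examiner to corroborate against the $UsnJrnl and $LogFile entries mentioned in Context 1.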
Article
This review paper covers the forensic-relevant literature in digital evidence from 2016 to 2019 as a part of the 19th Interpol International Forensic Science Managers Symposium. The review papers are also available at the Interpol website at: https://www.interpol.int/content/download/14458/file/Interpol Review Papers 2019.pdf
Chapter
This extended abstract aims at snapshotting the progress on reviewing NTFS time information from a tampering and detection perspective. We describe how we selected a small set of research papers for a review study and how we identified research patterns and gaps that remain to be filled.
Chapter
The information technology industry continues to develop and innovate new technologies that are made available to the business and consumer markets. These innovations lead to an increasing range of devices, systems and locations from which probative data can be obtained. Each new technology, each new offering from a vendor and each new device represents a unique challenge to the examiner.