A novel file system that facilitates improved Digital Forensics and generalized solution to fragmented file recovery

Author(s):  
K. Srinivas ◽  
T. Bhaskar

2017 ◽  
Vol 1 (1) ◽  
pp. 84 ◽  
Author(s):  
Handrizal Handrizal

This paper presents a comparative analysis of three digital forensics toolkits in a deleted-data recovery scenario. The toolkits used are Puran File Recovery, Glary Undelete and Recuva Data Recovery. Their ability to restore deleted data has been tested and analyzed on a USB flash drive. The results of the comparison show that these three toolkits can work well in terms of finding data that has been deleted or recovering the deleted data.


2016 ◽  
Vol 8 (3) ◽  
pp. 11-33
Author(s):  
Gyu-Sang Cho

This paper proposes a new digital forensic method using a modified superincreasing sequence. Timestamp changes caused by file commands in the Windows NTFS file system are used for identifying which commands were executed, and are a useful and logical way of performing digital forensics. A superincreasing sequence is modified for the timestamp change patterns so that each timestamp pattern has a distinct value. The method has two functions: one is a timestamp change check function and the other is a forensic evaluation function. The former checks the differences between timestamps before and after command execution, and the latter produces a characteristic output by applying ten kinds of timestamp change patterns. According to the characteristic output, the kind of command that was executed is identified. By virtue of adopting the modified superincreasing sequence, the evaluation function produces distinct characteristic output values and thereby provides a way to reconstruct executed file commands.


2004 ◽  
Vol 1 (4) ◽  
pp. 298-309 ◽  
Author(s):  
Florian Buchholz ◽  
Eugene Spafford

1970 ◽  
Vol 12 (2) ◽  
pp. 309-326
Author(s):  
Alexander Nelson ◽  
Alexandra Chassanoff ◽  
Alexandra Holloway

Some computer storage is non-navigable by current general-purpose computers. This could be because of obsolete interface software, or a more specialized storage system lacking widespread support. These storage systems may contain artifacts of great cultural, historical, or technical significance, but implementing compatible interfaces that are fully navigable may be beyond available resources. We developed the DFXML File System (DFXMLFS) to enable navigation of arbitrary storage systems that fulfill a minimum feature set of the POSIX file system standard. Our approach advocates for a two-step workflow that separates parsing the storage’s file system structures from navigating the storage like a contemporary file system, including file contents. The parse extracts essential file system metadata, serializing to Digital Forensics XML for later consumption as a read-only file system.


Author(s):  
Kumarshankar Raychaudhuri ◽  
M. George Christopher

In digital forensics, maintaining the integrity of digital exhibits is an essential aspect of the entire investigation and examination process, and it is established using the technique of hashing. Lack of knowledge while handling digital exhibits might lead to unintentional alteration of the computed hash, rendering the exhibit unacceptable in a court of law. The hash value of a physical drive does not depend solely on the data files present on it but also on its file system. Therefore, any change to the file system might result in a change of the disk hash, even when the data files within it remain untouched. In this paper, our objective is to study the role of the file system in modification of the hash value. We examine and analyse the changes in the file system of an NTFS-formatted USB storage device which lead to modification of its hash value when the device is plugged in to a computer system without using a write blocker. The outcome of this research justifies the importance of write blockers while handling digital exhibits and also substantiates that an alteration in the hash value of a storage device is not necessarily an indication that the data within the device has been tampered with.


2019 ◽  
Vol 79 (23-24) ◽  
pp. 16093-16111 ◽  
Author(s):  
Seokjun Lee ◽  
Wooyeon Jo ◽  
Soowoong Eo ◽  
Taeshik Shon
Author(s):  
Mariam J. AlKandari ◽  
Huda F. Al Rasheedi ◽  
Ayed A. Salman

Abstract—Cloud computing has been the trending model for storing, accessing and modifying data over the Internet in recent years. The rising use of the cloud has generated a new concept related to it: cloud forensics. Cloud forensics can be defined as investigating for evidence in the cloud, so it can be viewed as a combination of both cloud computing and digital forensics. Many issues of applying forensics in the cloud have been addressed. Isolating the location of the incident has become an essential part of the forensic process. This is done to ensure that evidence will not be modified or changed. Isolating an instance in cloud computing has become even more challenging, due to the nature of the cloud environment. In the cloud, the same storage or virtual machine has been used by many users. Hence, the evidence will most likely be overwritten and lost. The solution proposed in this paper is to isolate a cloud instance. This can be achieved by marking the instance that resides on the servers as "Under Investigation". To do so, the cloud file system must be studied. One of the well-known file systems used in the cloud is the Apache Hadoop Distributed File System (HDFS). Thus, in this paper the methodology used for isolating a cloud instance is based on the HDFS architecture.

Keywords: cloud computing; digital forensics; cloud forensics
