Title: NTFS Directory Index Analysis for Computer Forensics
Authors: Gyusang Cho
DOI: 10.1109/IMIS.2015.68 (https://doi.org/10.1109/IMIS.2015.68)
Venue: 2015 9th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing
Publication date: 2015-07-08
Open access: no
Citations: 10
Abstract
This work provides a forensic analysis method for the directory index in the NTFS file system. NTFS uses B-tree indexing to store many files efficiently and to look them up quickly, and the structure of the directory index changes as file operations are performed. From a forensic point of view, we observe the behavior of the B-tree in order to analyze files that once existed in the directory. However, it is difficult to analyze the allocated index entries when file commands are executed. This work therefore presents a forensic method for the directory index, especially when the directory contains a large number of files. In that case the index entry records are naturally expanded, and we examine how the index entry records are arranged in the index tree. From a computer forensic point of view, we also describe how the directory index nodes change when files are deleted and how the index entries leave traces in the index entry record.