NTFS Directory Index Analysis for Computer Forensics

Abstract

This work provides a forensic analysis method for a directory index in NTFS file system. NTFS employed B-tree indexing for providing efficient storage of many files and fast lookups, which changes in a structure of the directory index when files are operated. As a forensic view point, we observe behaviors of the B-tree to analyze files that once existed in the directory. However, it is difficult to analyze the allocated index entry when the file commands are executed. So, this work treats a forensic method for a directory index, especially when there are a large number of files in the directory. The index entry records are naturally expanded, then we examine how the index entry records are configured in the index tree. And we provide information that how the directory index nodes are changed and how the index entries remain traces in the index entry record with a computer forensic point of view when the files are deleted.