Towards a practical usage for the Sleuth Kit supporting file system add-ons

IF 2, Region 4 (Medicine), Q3 COMPUTER SCIENCE, INFORMATION SYSTEMS
Yeonghun Shin , Taeshik Shon
DOI: 10.1016/j.fsidi.2024.301799
Journal: Forensic Science International-Digital Investigation
Publication date: 2024-07-13 (Journal Article; not open access)
Indexed on: Semantic Scholar
Full text: https://www.sciencedirect.com/science/article/pii/S2666281724001239
Citations: 0

Abstract

Most modern digital devices with storage utilize a file system to manage files and directories. Consequently, when digital forensic investigators derive evidence from such devices, they collect and analyze data stored on them through file system analysis. However, there are numerous types of file systems, with new ones continually being developed. Each file system possesses a distinct metadata structure and file management system. Therefore, investigators must possess prior knowledge of the specific file system being examined. Nevertheless, it is challenging for practitioners to be knowledgeable about all existing file systems. To address this issue, forensic software such as The Sleuth Kit (TSK), an open-source forensic tool, is employed for investigations. However, even these tools may not offer complete support for relatively recent file systems.

Hence, we propose a structure for integrating a new file system into the open-source forensic tool TSK. Additionally, to validate this proposed structure, we demonstrate that support for five file systems (Ext4, XFS, Btrfs, F2FS, and Hikvision) can be added following this framework. To achieve this, we conducted an analysis of the metadata and file management scheme for these five file systems. Furthermore, we examined the operational procedures of the TSK framework. Based on these analyses, investigation capabilities for the five file systems have been incorporated into TSK. Moreover, reliability verification experiments were conducted on the developed tools, and a performance evaluation was carried out in comparison with other commercial digital forensic tools. The findings of this study can serve as a foundation for future forensic studies based on file systems. Additionally, the TSK developed based on the proposed structure can assist investigators in conducting digital forensics effectively.

Source journal metrics: CiteScore 5.90; self-citation rate 15.00%; articles published 87; review time 76 days