Research Article
Finding Forensic Information on Creating a Folder in $LogFile of NTFS
@INPROCEEDINGS{10.1007/978-3-642-35515-8_18,
  author={Gyu-Sang Cho and Marcus Rogers},
  title={Finding Forensic Information on Creating a Folder in \textdollar{}LogFile of NTFS},
  proceedings={Digital Forensics and Cyber Crime. Third International ICST Conference, ICDF2C 2011, Dublin, Ireland, October 26-28, 2011, Revised Selected Papers},
  proceedings_a={ICDF2C},
  year={2012},
  month={12},
  keywords={computer forensics timestamp \textdollar{}LogFile NTFS},
  doi={10.1007/978-3-642-35515-8_18}
}
- Gyu-Sang Cho
- Marcus Rogers
Year: 2012
Finding Forensic Information on Creating a Folder in $LogFile of NTFS
ICDF2C
Springer
DOI: 10.1007/978-3-642-35515-8_18
Abstract
The NTFS journaling file ($LogFile) is used to keep the file system consistent in the event of a system crash or power failure. Its log records describe operations on files and folders and leave large amounts of information in the $LogFile. This information can be used to reconstruct operations and can also serve as forensic evidence. In this research, we present methods for collecting forensic evidence of timestamps and folder names relating to a folder's creation. Among the log records related to creating a folder, four that carry timestamp and folder name information, with Redo/Undo operation codes 0x0E/0x0F, 0x02/0x00, 0x08/0x00, and 0x14/0x14, were analyzed. Unfortunately, the structure of $LogFile is not well known or documented. As a result, the researchers used reverse engineering to gain a better understanding of the log record structures. The study found that, using basic information contained in the $LogFile, a forensic reconstruction of timestamp events could be created.