Digital Forensics and Cyber Crime. 4th International Conference, ICDF2C 2012, Lafayette, IN, USA, October 25-26, 2012, Revised Selected Papers

Research Article

Investigating File Encrypted Material Using NTFS $logfile

  • @INPROCEEDINGS{10.1007/978-3-642-39891-9_12,
        author={Niall McGrath and Pavel Gladyshev},
        title={Investigating File Encrypted Material Using NTFS \textdollar{}logfile},
        proceedings={Digital Forensics and Cyber Crime. 4th International Conference, ICDF2C 2012, Lafayette, IN, USA, October 25-26, 2012, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2013},
        month={10},
        keywords={NTFS \textdollar{}logfile file MAC Times Encryption},
        doi={10.1007/978-3-642-39891-9_12}
    }
    
  • Niall McGrath, Pavel Gladyshev. Investigating File Encrypted Material Using NTFS $logfile. ICDF2C 2012, Springer, 2013. DOI: 10.1007/978-3-642-39891-9_12
Niall McGrath (1), Pavel Gladyshev (1)
  • 1: University College Dublin

Abstract

When an encrypted file is discovered during a digital investigation and the investigator cannot decrypt it, s/he faces the problem of how to derive evidential value from it. This research proposes a methodology for locating, on the hard disk drive, the original plaintext file that was encrypted. The technique also incorporates a method of determining the plaintext contents associated with the encrypted file. This is achieved by characterising the file-encryption process as a series of file I/O operations and correlating those operations with the corresponding events in the NTFS $logfile. The occurrence of these events has been modelled and generalised to investigate file encryption, and the resulting model has been implemented as software that analyses $logfile automatically.
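The correlation idea in the abstract, as an added Python illustration (this is not the authors' software; the paper's own $logfile parser and event model are not reproduced on this page). $logfile is a binary journal, so the example works on an assumed, already-parsed abstraction of it: a list of constructed LogEvent records carrying the log sequence number, the NTFS redo opcode name, the MFT record the operation targets and, where a record carries one, the file name or attribute. The signature it matches (a $STANDARD_INFORMATION update on some file close to the creation, data write and resize of the encrypted file, with a later deallocation of that file's MFT record as a stronger indicator) and the LSN window are simplifying assumptions chosen for the illustration, not the paper's model.

```python
"""Correlate a file-encryption I/O sequence with NTFS $LogFile-style events.

Added example, not the paper's tool. LogEvent is an assumed abstraction of
what a $LogFile parser would emit; the opcode strings are the standard NTFS
redo operation names, and the matching rules below are an assumed
simplification of the encryption signature.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class LogEvent:
    lsn: int                      # log sequence number, increasing over time
    op: str                       # redo opcode name
    mft_ref: int                  # MFT record number the operation targets
    name: Optional[str] = None    # file name, when the record carries one
    attr: Optional[str] = None    # attribute touched, when known


CREATE = "InitializeFileRecordSegment"
UPDATE_RESIDENT = "UpdateResidentValue"
UPDATE_NONRESIDENT = "UpdateNonresidentValue"
SET_SIZES = "SetNewAttributeSizes"
DELETE = "DeallocateFileRecordSegment"
STD_INFO = "$STANDARD_INFORMATION"
DATA = "$DATA"


@dataclass
class Candidate:
    name: str
    mft_ref: int
    score: int
    evidence: List[int] = field(default_factory=list)   # LSNs supporting it


def names_by_record(events: List[LogEvent]) -> Dict[int, str]:
    """Map MFT record numbers to the file name seen at record creation."""
    return {e.mft_ref: e.name for e in events if e.op == CREATE and e.name}


def ciphertext_creation(events, encrypted_name, window):
    """Return the CREATE event of encrypted_name if, within `window` LSNs,
    the same record receives a $DATA write and a size update (the assumed
    'new ciphertext file written' signature); otherwise None."""
    for c in events:
        if c.op == CREATE and c.name == encrypted_name:
            follow = [e for e in events
                      if e.mft_ref == c.mft_ref and c.lsn < e.lsn <= c.lsn + window]
            wrote = any(e.op in (UPDATE_RESIDENT, UPDATE_NONRESIDENT) and e.attr == DATA
                        for e in follow)
            resized = any(e.op == SET_SIZES for e in follow)
            if wrote and resized:
                return c
    return None


def find_plaintext_candidates(events, encrypted_name, window=20) -> List[Candidate]:
    """Rank files whose journal activity sits next to the ciphertext's creation."""
    events = sorted(events, key=lambda e: e.lsn)
    create = ciphertext_creation(events, encrypted_name, window)
    if create is None:
        return []
    names = names_by_record(events)
    found: Dict[int, Candidate] = {}
    lo, hi = create.lsn - window, create.lsn + window
    for e in events:
        if e.mft_ref == create.mft_ref or not (lo <= e.lsn <= hi):
            continue
        # A $STANDARD_INFORMATION update beside the ciphertext creation is
        # consistent with the encrypting process touching the plaintext's MAC times.
        if e.op == UPDATE_RESIDENT and e.attr == STD_INFO:
            cand = found.setdefault(
                e.mft_ref, Candidate(names.get(e.mft_ref, f"mft:{e.mft_ref}"), e.mft_ref, 0))
            cand.score += 1
            cand.evidence.append(e.lsn)
    for e in events:   # plaintext deleted after the ciphertext appeared: stronger indicator
        if e.op == DELETE and e.mft_ref in found and e.lsn > create.lsn:
            found[e.mft_ref].score += 1
            found[e.mft_ref].evidence.append(e.lsn)
    return sorted(found.values(), key=lambda c: (-c.score, c.name))


# Constructed sample journal, not taken from a real volume.
SAMPLE_EVENTS = [
    LogEvent(10, CREATE, 40, name="notes.docx"),
    LogEvent(11, UPDATE_NONRESIDENT, 40, attr=DATA),
    LogEvent(12, SET_SIZES, 40, attr=DATA),
    LogEvent(200, CREATE, 41, name="report.xlsx"),
    LogEvent(201, UPDATE_NONRESIDENT, 41, attr=DATA),
    LogEvent(202, SET_SIZES, 41, attr=DATA),
    LogEvent(300, UPDATE_RESIDENT, 40, attr=STD_INFO),   # plaintext read: MAC times touched
    LogEvent(301, CREATE, 42, name="notes.docx.gpg"),
    LogEvent(302, UPDATE_NONRESIDENT, 42, attr=DATA),
    LogEvent(303, SET_SIZES, 42, attr=DATA),
    LogEvent(304, UPDATE_RESIDENT, 42, attr=STD_INFO),
    LogEvent(305, DELETE, 40),                            # plaintext removed afterwards
    LogEvent(310, UPDATE_RESIDENT, 41, attr=STD_INFO),   # unrelated file touched in window
    LogEvent(400, UPDATE_RESIDENT, 41, attr=STD_INFO),   # outside the window
]

if __name__ == "__main__":
    for c in find_plaintext_candidates(SAMPLE_EVENTS, "notes.docx.gpg"):
        print(f"{c.name:<14} mft={c.mft_ref} score={c.score} lsn={c.evidence}")
```

On the sample journal the deleted notes.docx outranks report.xlsx, which was merely accessed inside the window; the investigator would then recover the plaintext record's clusters and compare them with the ciphertext, which is the part of the paper's method this example does not attempt.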