Digital Forensics and Cyber Crime. Third International ICST Conference, ICDF2C 2011, Dublin, Ireland, October 26-28, 2011, Revised Selected Papers

Research Article

Finding Forensic Information on Creating a Folder in $LogFile of NTFS

Download68 downloads
  • @INPROCEEDINGS{10.1007/978-3-642-35515-8_18,
        author={Gyu-Sang Cho and Marcus Rogers},
        title={Finding Forensic Information on Creating a Folder in \textdollar{}LogFile of NTFS},
        proceedings={Digital Forensics and Cyber Crime. Third International ICST Conference, ICDF2C 2011, Dublin, Ireland, October 26-28, 2011, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2012},
        month={12},
        keywords={computer forensics timestamp \textdollar{}LogFile NTFS},
        doi={10.1007/978-3-642-35515-8_18}
    }
    
  • Gyu-Sang Cho
    Marcus Rogers
    Year: 2012
    Finding Forensic Information on Creating a Folder in $LogFile of NTFS
    ICDF2C
    Springer
    DOI: 10.1007/978-3-642-35515-8_18
Gyu-Sang Cho,*, Marcus Rogers
    *Contact email: chog@purdue.edu

    Abstract

    The NTFS journaling file($LogFile) is used to keep the file system clean in the event of a system crash or power failure. The log records operate on files or folders and leaves large amounts of information in the $LogFile. This information can be used to reconstruct operations and can also be used as forensic evidence. In this research, we present methods for collecting forensic evidence of timestamps and folder names relating to a folder’s creation. In some of the related log records for creating a folder, four log records that have timestamps and folder name information that are 0x0E/0x0F(Redo/Undo op. code), 0x02/0x00, 0x08/0x00, and 0x14/0x14 were analyzed. Unfortunately, the structure of $LogFile is not well known or documented. As a result the researchers used reverse engineering in order to gain a better understanding of the log record structures. The study found that using basic information contained in the $LogFile, a forensic reconstruction of timestamp events could be created.