Research Article
Investigating File Encrypted Material Using NTFS $logfile
@INPROCEEDINGS{10.1007/978-3-642-39891-9_12,
  author={Niall McGrath and Pavel Gladyshev},
  title={Investigating File Encrypted Material Using NTFS \textdollar{}logfile},
  proceedings={Digital Forensics and Cyber Crime. 4th International Conference, ICDF2C 2012, Lafayette, IN, USA, October 25-26, 2012, Revised Selected Papers},
  proceedings_a={ICDF2C},
  year={2013},
  month={10},
  keywords={NTFS \textdollar{}logfile file MAC Times Encryption},
  doi={10.1007/978-3-642-39891-9_12}
}
- Niall McGrath
- Pavel Gladyshev
Year: 2013
Investigating File Encrypted Material Using NTFS $logfile
ICDF2C
Springer
DOI: 10.1007/978-3-642-39891-9_12
Abstract
When an encrypted file is discovered during a digital investigation and the investigator cannot decrypt it, s/he is faced with the problem of how to determine its evidential value. This research proposes a methodology for locating, on a hard disk drive, the original plaintext file that was encrypted. The technique also incorporates a method of determining the plaintext contents associated with the encrypted file. This is achieved by characterising the file-encryption process as a series of file I/O operations and correlating those operations with the corresponding events recorded in the NTFS $logfile file. The occurrence of these events has been modelled and generalised so that the model can be applied to investigating file encryption. This resulted in software that automates the analysis of $logfile.