Digital Forensics and Cyber Crime. 4th International Conference, ICDF2C 2012, Lafayette, IN, USA, October 25-26, 2012, Revised Selected Papers

Research Article

Investigating File Encrypted Material Using NTFS $logfile

Download161 downloads
  • @INPROCEEDINGS{10.1007/978-3-642-39891-9_12,
        author={Niall McGrath and Pavel Gladyshev},
        title={Investigating File Encrypted Material Using NTFS \textdollar{}logfile},
        proceedings={Digital Forensics and Cyber Crime. 4th International Conference, ICDF2C 2012, Lafayette, IN, USA, October 25-26, 2012, Revised Selected Papers},
        proceedings_a={ICDF2C},
        year={2013},
        month={10},
        keywords={NTFS \textdollar{}logfile file MAC Times Encryption},
        doi={10.1007/978-3-642-39891-9_12}
    }
    
  • Niall McGrath
    Pavel Gladyshev
    Year: 2013
    Investigating File Encrypted Material Using NTFS $logfile
    ICDF2C
    Springer
    DOI: 10.1007/978-3-642-39891-9_12
Niall McGrath1, Pavel Gladyshev1
  • 1: University College Dublin

Abstract

When an encrypted file is discovered during a digital investigation and the investigator cannot decrypt the file then s/he is faced with the problem of how to determine evidential value from it. This research is proposing a methodology for locating the original plaintext file that was encrypted on a hard disk drive. The technique also incorporates a method of determining the associated plaintext contents of the encrypted file. This is achieved by characterising the file-encryption process as a series of file I/O operations and correlating those operations with the corresponding events in the NTFS $logfile file. The occurrence of these events has been modelled and generalised to investigate file-encryption. This resulted in the automated analysis of $logfile in software.