Abstract
The NTFS journaling file ($LogFile) is used to keep the file system consistent in the event of a system crash or power failure. Operations on files and folders generate log records that leave large amounts of information in the $LogFile. This information can be used to reconstruct those operations and can also serve as forensic evidence. In this research, we present methods for collecting forensic evidence of the timestamps and folder names relating to a folder's creation. Among the log records related to creating a folder, four records that carry timestamp and folder name information were analyzed: those with Redo/Undo op. codes 0x0E/0x0F, 0x02/0x00, 0x08/0x00, and 0x14/0x14. Unfortunately, the structure of $LogFile is not well known or documented. As a result, the researchers used reverse engineering to gain a better understanding of the log record structures. The study found that, using basic information contained in the $LogFile, a forensic reconstruction of timestamp events could be created.
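As an added illustration (not code from the paper), the following Python script shows what the reconstruction sketched in the abstract looks like once the four redo/undo pairs are recognized: each record is classified by its op-code pair, and for the pairs whose redo data carries a $FILE_NAME attribute (0x0E/0x0F as an index entry, 0x14/0x14 as the attribute body) the folder name and FILETIME creation timestamp are decoded. Assumptions: the op-code names come from the public NTFS $LogFile documentation, the $FILE_NAME and index-entry layouts follow the public NTFS documentation (Carrier 2005), and the record container (`build_record`/`parse_record`) is a deliberately simplified, constructed wrapper, not the real $LogFile record header, which the paper states is undocumented. All sample records are constructed inline.

```python
import struct
from datetime import datetime, timedelta, timezone

# Redo/undo op-code names from the public NTFS $LogFile documentation
# (assumption: only the codes used in this example are listed here).
OP_NAMES = {
    0x00: "Noop",
    0x02: "InitializeFileRecordSegment",
    0x08: "UpdateNonresidentValue",
    0x0E: "AddIndexEntryAllocation",
    0x0F: "DeleteIndexEntryAllocation",
    0x14: "UpdateFileNameAllocation",
}

# The four redo/undo pairs the abstract associates with creating a folder.
FOLDER_CREATE_PAIRS = {(0x0E, 0x0F), (0x02, 0x00), (0x08, 0x00), (0x14, 0x14)}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILE_NAME_HDR = "<QQQQQQQIIBB"     # $FILE_NAME body: parent ref, 4 timestamps, sizes, flags, reparse, name len, namespace
FILE_NAME_HDR_LEN = struct.calcsize(FILE_NAME_HDR)   # 66 bytes before the UTF-16LE name
FLAG_DIRECTORY = 0x10000000         # $FILE_NAME flag bit meaning "directory"
INDEX_ENTRY_HDR_LEN = 16            # MFT ref (8), entry len (2), content len (2), flags (4)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, microsecond precision."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer arithmetic avoids float precision loss."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def build_file_name_attr(name, created, parent_ref=5, flags=FLAG_DIRECTORY):
    """Constructed $FILE_NAME attribute body; all four timestamps set to `created`."""
    ft = datetime_to_filetime(created)
    hdr = struct.pack(FILE_NAME_HDR, parent_ref, ft, ft, ft, ft, 0, 0, flags, 0, len(name), 3)
    return hdr + name.encode("utf-16-le")


def parse_file_name_attr(data):
    """Decode timestamps, directory flag and name from a $FILE_NAME attribute body."""
    f = struct.unpack_from(FILE_NAME_HDR, data, 0)
    name_len = f[9]
    name = data[FILE_NAME_HDR_LEN:FILE_NAME_HDR_LEN + 2 * name_len].decode("utf-16-le")
    return {
        "parent_ref": f[0] & 0xFFFFFFFFFFFF,        # low 48 bits: parent MFT entry number
        "created": filetime_to_datetime(f[1]),
        "modified": filetime_to_datetime(f[2]),
        "mft_modified": filetime_to_datetime(f[3]),
        "accessed": filetime_to_datetime(f[4]),
        "is_directory": bool(f[7] & FLAG_DIRECTORY),
        "name": name,
    }


def build_record(redo_op, undo_op, redo_data=b"", undo_data=b""):
    """Constructed, simplified record container: NOT the real $LogFile record header."""
    return struct.pack("<HHHH", redo_op, undo_op, len(redo_data), len(undo_data)) + redo_data + undo_data


def parse_record(buf):
    redo_op, undo_op, redo_len, undo_len = struct.unpack_from("<HHHH", buf, 0)
    redo = buf[8:8 + redo_len]
    undo = buf[8 + redo_len:8 + redo_len + undo_len]
    return redo_op, undo_op, redo, undo


def build_index_entry(file_name_attr, mft_ref=40):
    """Constructed index entry: 16-byte header, $FILE_NAME body, padded to 8 bytes."""
    content_len = len(file_name_attr)
    entry_len = (INDEX_ENTRY_HDR_LEN + content_len + 7) & ~7
    body = struct.pack("<QHHI", mft_ref, entry_len, content_len, 0) + file_name_attr
    return body + b"\x00" * (entry_len - len(body))


def folder_creation_evidence(buf):
    """Classify one record by its redo/undo pair; recover name and creation time where the data carries them."""
    redo_op, undo_op, redo, _undo = parse_record(buf)
    pair = (redo_op, undo_op)
    ev = {"redo": OP_NAMES.get(redo_op, hex(redo_op)), "undo": OP_NAMES.get(undo_op, hex(undo_op)),
          "folder_create_pair": pair in FOLDER_CREATE_PAIRS, "name": None, "created": None, "is_directory": None}
    fn_body = None
    if pair == (0x14, 0x14):
        fn_body = redo                                  # redo data is the $FILE_NAME body itself
    elif pair == (0x0E, 0x0F) and len(redo) > INDEX_ENTRY_HDR_LEN:
        fn_body = redo[INDEX_ENTRY_HDR_LEN:]            # index entry wraps a $FILE_NAME body
    if fn_body is not None and len(fn_body) >= FILE_NAME_HDR_LEN:
        fn = parse_file_name_attr(fn_body)
        ev.update(name=fn["name"], created=fn["created"], is_directory=fn["is_directory"])
    return ev


def demo_folder_creation(name="NewFolder", created=datetime(2011, 3, 15, 10, 30, tzinfo=timezone.utc)):
    """Constructed sequence of the four record types named in the abstract, analysed in order."""
    fn = build_file_name_attr(name, created)
    records = [
        build_record(0x02, 0x00, b"\x00" * 16),            # MFT entry initialised (constructed payload)
        build_record(0x0E, 0x0F, build_index_entry(fn)),   # index entry added under the parent folder
        build_record(0x08, 0x00, b"\x00" * 16),            # non-resident value updated (constructed payload)
        build_record(0x14, 0x14, fn, fn),                  # $FILE_NAME in the index entry updated
    ]
    return [folder_creation_evidence(r) for r in records]


if __name__ == "__main__":
    for ev in demo_folder_creation():
        print(ev)
```

Running the script prints one dictionary per constructed record; only the 0x0E/0x0F and 0x14/0x14 entries yield a name and creation timestamp, which is the point the abstract makes: the timestamps and folder name are recoverable from a subset of the records a folder creation leaves behind, and the other two pairs serve to confirm the operation rather than to date it.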
© 2012 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
Cho, GS., Rogers, M.K. (2012). Finding Forensic Information on Creating a Folder in $LogFile of NTFS. In: Gladyshev, P., Rogers, M.K. (eds) Digital Forensics and Cyber Crime. ICDF2C 2011. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 88. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-35515-8_18
DOI: https://doi.org/10.1007/978-3-642-35515-8_18
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-35514-1
Online ISBN: 978-3-642-35515-8