Time Rules for NTFS File System for Digital Investigation

Similar documents
Digital Forensics method to analyze various data hiding spaces in NTFS file system

CSN08101 Digital Forensics. Module Leader: Dr Gordon Russell Lecturers: Robert Ludwiniak

Guide to Computer Forensics and Investigations Fourth Edition. Chapter 6 Working with Windows and DOS Systems

File System Concepts File Allocation Table (FAT) New Technology File System (NTFS) Extended File System (EXT) Master File Table (MFT)

Machine Language and System Programming

Chapter Two File Systems. CIS 4000 Intro. to Forensic Computing David McDonald, Ph.D.

Vorlesung Computerforensik. Kapitel 7: NTFS-Analyse

NTFS Fundamentals. [Kevin s Attic for Security Research]

ANALYSIS AND VALIDATION

File System Interpretation

Computer Forensics: Investigating Data and Image Files, 2nd Edition. Chapter 3 Forensic Investigations Using EnCase

Windows File System. File allocation table (FAT) NTFS - New Technology File System. used in Windows 95, and MS-DOS

Advanced Operating Systems

On-disk filesystem structures

COMP091 Operating Systems 1. File Systems

COMPARATIVE STUDY OF TWO MODERN FILE SYSTEMS: NTFS AND HFS+

Table 12.2 Information Elements of a File Directory

File Systems. Martin Děcký. DEPARTMENT OF DISTRIBUTED AND DEPENDABLE SYSTEMS

Testing the Date Maintenance of the File Allocation Table File System

THOMAS RUSSELL, Information Technology Teacher

Time attributes. User behaviors. Crime Scene

AccessData Advanced Forensics

FORENSIC ANALYSIS OF RESILIENT FILE SYSTEM IN WINDOWS SERVER 2012

File Systems. What do we need to know?

A Formal Logic for Digital Investigations: A Case Study Using BPB Modifications.

NTFS Recoverability. CS 537 Lecture 17 NTFS internals. NTFS On-Disk Structure

ECCouncil Computer Hacking Forensic Investigator (V8)

makes floppy bootable o next comes root directory file information ATTRIB command used to modify name

Vendor: ECCouncil. Exam Code: EC Exam Name: Computer Hacking Forensic Investigator Exam. Version: Demo

Adam Harrison Principal Consultant - Verizon VTRAC

Understanding FAT12. Introduction to Computer Forensics. Kessler/Schirling

Multi-version Data recovery for Cluster Identifier Forensics Filesystem with Identifier Integrity

Hard facts. Hard disk drives

Forensic Timeline Splunking. Nick Klein

An Analysis of Local Security Authority Subsystem

ABSTRACT. Forensic analysis is the process of searching for evidence and preserving it for further

Practice Test. Guidance Software GD Guidance Software GD0-110 Certification Exam for EnCE Outside North America. Version 1.6

What does a file system do?

Installing and Configuring Windows 7 Client

A+ Guide to Managing and Maintaining your PC, 6e. Chapter 2 Introducing Operating Systems

A+ Guide to Managing and Maintaining Your PC. How Hardware and Software Work Together

Computer Systems. Assembly Language for x86 Processors 6th Edition, Kip Irvine

Computer Hacking Forensic Investigator. Module X Data Acquisition and Duplication

CSE 4482 Computer Security Management: Assessment and Forensics. Computer Forensics: Working with Windows and DOS Systems

Windows 7 on the 2009 A+ Exams

15: Filesystem Examples: Ext3, NTFS, The Future. Mark Handley. Linux Ext3 Filesystem

Binary Markup Toolkit Quick Start Guide Release v November 2016

Character Recognition of High Security Number Plates Using Morphological Operator

File System Case Studies. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

TZWorks NTFS Copy Utility (ntfscopy) Users Guide

Acronis Disk Director 11 Home. Quick Start Guide

Filesystem. Disclaimer: some slides are adopted from book authors slides with permission

A Physical and Communication Parameter Based Vertical Handover in Hybrid Vehicular Network

A Study on Linux. Forensics By: Gustavo Amarchand, Keanu. Munn, and Samantha Renicker 11/1/2018

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment, Enhanced. Chapter 7: Advanced File System Management

Course 832 EC-Council Computer Hacking Forensic Investigator (CHFI)

Operating Systems. Lecture File system implementation. Master of Computer Science PUF - Hồ Chí Minh 2016/2017

IT ESSENTIALS V. 4.1 Module 5 Fundamental Operating Systems

Digital Forensics Practicum CAINE 8.0. Review and User s Guide

The FAT File System. 1. FAT Overview. 2. Boot Sector, FAT, Root Directory, and Files The FAT F 䤀耄 le System

ECE 598 Advanced Operating Systems Lecture 14

Defeating Forensic Analysis

File systems Computer Forensics

ECE 598 Advanced Operating Systems Lecture 18

Detecting the use of TrueCrypt

About the Presentations

KillTest 䊾 䞣 催 ࢭ ད ᅌ㖦䊛 ᅌ㖦䊛 NZZV ]]] QORRZKYZ TKZ ϔᑈܡ䊏 ᮄ ࢭ

ACCESSDATA SUPPLEMENTAL APPENDIX

Source:

Financial Forensic Accounting

Computers: Tools for an Information Age. System Software

IBM Spectrum Protect HSM for Windows Version Administration Guide IBM

NTFS File System and Data Security. Yanhui Tu. KingSoft

Exam Number/Code: Exam Name: Computer Hacking. Version: Demo. Forensic Investigator.

Chapter 5 EVALUATION OF REGISTRY DATA REMOVAL BY SHREDDER PROGRAMS. 1. Introduction. Harry Velupillai and Pontjho Mokhonoana

Chapter 1: Windows Platform and Architecture. You will learn:

Digital Forensics Lecture 01- Disk Forensics

NIST SP Notes Guide to Integrating Forensic Techniques into Incident Response

Directory Structure and File Allocation Methods

Windows Core Forensics Forensic Toolkit / Password Recovery Toolkit /

COPYRIGHTED MATERIAL. Contents. Assessment Test

Unit OS8: File System

Windows 2000 Professional

Digital Investigation

File System Case Studies. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Regardless of the size and complexity of the computer and the operating system, all operating systems perform the same four basic functions:

Operating Systems: Lecture 12. File-System Interface and Implementation

COMPUTER FORENSICS THIS IS NOT CSI COLORADO SPRINGS. Frank Gearhart, ISSA Colorado Springs

Guide to Computer Forensics and Investigations Fourth Edition. Chapter 2 Understanding Computer Investigations

File Shredders. and, just what is a file?

Files. File Structure. File Systems. Structure Terms. File Management System. Chapter 12 File Management 12/6/2018

Example Implementations of File Systems

Robust Descriptive Statistics Based PSO Algorithm for Image Segmentation

AccessData Imager Release Notes

Project 3 Help Document

File System NTFS. Section Seven. NTFS, EFS, Partitioning, and Navigating Folders

3 INSTALLING WINDOWS XP PROFESSIONAL

8/31/2015 BITS BYTES AND FILES. What is a bit. Representing a number. Technically, it s a change of voltage

An Efficient Approach for Color Pattern Matching Using Image Mining

Forensics on the Windows Platform, Part Two by Jamie Morris last updated February 11, 2003

Transcription:

Time Rules for NTFS File System for Digital Investigation Tejpal Sharma 1, Manjot Kaur 2 ¹ Assitant Professsor,Deptt. of Computer science and Engg. CGC-College of Engg., Landran Mohali (Punjab), India ² Assitant Professsor,Deptt. of Computer science and Engg. Khalsa College for Women, Amritsar,(Punajb), India Abstract Computer forensics (also known as cyber forensics) is a branch of forensic science that employs various analysis techniques to verify the facts and obtain the evidence related to computer crimes. The aim of computer forensics is to prevent computer related crimes by acquiring, analyzing and presenting the facts related to the crime. Computer forensics has been an extremely useful in solving various crimes related to cyber world. The main focus of research in this paper is analysis of files used in windows system. The creation, last written, last accessed and MFT modification of a file are an important factor that indicates the events that have affected a computer system. The form of the information varies with the file system and the information changes the features, depending on the user s actions such as copy, transfer or rename of files. Keywords : analysis, MAC s, File system, NTFS, Digital Investigation. I. INTRODUCTION Computer forensic process is the process which is used to analyse the digital media like hard disk for the forensic process and then acquire the evidences from that media that may be helpful to solve the cyber crime case in which that hard disk involves. A. NTFS File System: NTFS is New Technology File System that determines naming, storing and organizing of data on a hard disk drive. This file system comes under window operating system which an upgrade from FAT file system and offers better performance and reliability such as file encryption, disk quota and also provide higher level security to the user [2,9]. Figure 1. Basic organization of NTFS file system Tejpal Sharma, Assitant Professsor, Deptt. of Computer science and Engg., CGC-College of Engg., Landran Mohali (Punjab), India Manjot Kaur, Assitant Professsor, Deptt. of Computer science and Engg. Khalsa College for Women, Amritsar,(Punajb), India., The above figure describes that each NTFS partition has its first sector as the boot sector that contains the important information about the data and metadata stored on the disk. It contains information about the file system, version of the file system, boot code, starting cluster of MFT, MirrMFT, number of bytes 1146

in a sector and number of sectors in a cluster and some other information [2]. As said earlier we can get starting cluster of MFT from the boot sector and at that starting cluster we get 12 MFT entries reserved. These entries starts from 0 and end with 11.Each MFT entry is of 1024 bytes (size is given in the boot sector of partition).first entry is MFT entry ($MFT) itself. Each MFT entry contains header and attribute part. Its header is of 42 bytes and remaining part contains the attributes [2]. And the remaining part contains the attributes of MFT that describe about the file name, status of file, timing information of file, data of file etc. These attributes are listed in the table with their hex values [2]. TABLE 1 ATTRIBUTES OF MFT WITH THEIR HEX VALUES ATTRIBUTE NAME STANDARD_INFORMATION FILE_NAME OBJECT_ID SECURITY_DESCRIPTOR VOLUME_NAME VOLUME_INFORMATION DATA INDEX_ROOT INDEX_ALLOCATION BITMAP EA_INFORMATION EA LOG_UTILITY_STREAM B. Description of attributes: HEXADECIMAL VALUE 0x10 0x30 0x40 0x50 0x60 0x70 0x80 0x90 0xA0 0xB0 0xD0 0xE0 0x100 1. STANDARD_INFORMATION: It is the attribute that contains information about the creation, last modification, entry modification and about the last access of file and also provided ownership and security information of the file [2]. 2. ATTRIBUTE_LIST: It gives the information about all the attributes in the MFT. 3. FILE_NAME: This attribute provides information about the four timing fields as given in the first attribute. It also contains information about the name of file, size allocated to file and actual size of file. 4. VOLUME_VERSION: It contains information about the volumes of file system. Version is divided into two parts major version and minor version. It exists in window NT. 5. VOLUME_NAME: It contains the name of volume. 6. VOLUME_INFORMATION: It contains information about file system version. 7. DATA: It the main attribute of the file MFT that contains information about the data or if file size is very small then data of file is stored in data attribute of file. When size is large does not fit in attribute then data is stored on the external clusters [2]. 8. INDEX_ROOT: it contains information about the root directory of the file system. 9. INDEX_ALLOCATION: Large entries does not fit in the root directories then they need non-resident attributes to store their directory structure so this attribute is used to large directory structures. 10. EA_INFORMATION: information about the backward compatibility of operating system applications [2] C. Time Analysis: The file system is organized into a stream data and a metadata. The metadata is controlled by the different structures of the file system. The analysis of files can be performed from the timing information of the files that may lead to solve various cyber crime cases. When user executes any action on the files then its creation, modification and access changes, which are helpful for computer forensic analysis of file system. There, are two attribute used in analysis of NTFS file system and these are: $STANDARD_INFORMATION and $FILE_NAME. These attribute are useful for analysis of NTFS file system [1]. These contain information about: - CREATION TIME - LAST ACCESS TIME 1147

- MODIFICATION TIME - ENTRY MODIFICATION TIME II. LITERATURE SURVEY The temporal analysis is also very useful in digital forensics. Chow et al. [3] suggested a technique that is useful for analysis of files in NTFS. They first make their observation on the change of timing parameters when actions are performed on the data. Then they created their rule according to their observation and rules are checked on different scenarios. They created 10 scenarios for the files and folders for examining them. In this way they concentrated on the modification access and creation of the files. And then these are compared with the created scenario and evidences are collected based on their search. Timestamp forgery in NTFS file system is performed by Gyu-Sang Cho. In which they worked on the three different document files, txt, docx and pdf file for their analysis and produced various rules [8]. III. Timing analysis of files: RESEARCH ANALYSIS We made our observation on the basis of actions performed on the file system. We concentrate on the timing information of the files those are very helpful to track user action on the files. Mainly two attributes are analyzed in this observation one is $STANDARD_INFORMATION and second is $FILE_NAME attribute. The changes in these two attributes are observed and rules are created according to them. We analyze the changes and then perform the actions on the files [3, 8]. The analysis is performed by using two tools: Disk Explorer 4.25 and DMDE 2.4.2. Rules and observation result according to user actions on the files: This analysis process is performed on Microsoft windows 7 ultimate, vista home premium and windows XP service pack 2. 1. Rules for Changes in fields with various user actions on files windows 7 TABLE 2 CHANGES IN TIME FIELDS WITH VARIOUS USER ACTIONS ON FILES (RULES FOR WINDOWS 7) creation Last Modification Entry Last modification Access Rule $FN * creation $FN * last Modification $FN * Entry $FN * last modification Access 1. File creation Creation Creation Creation Creation Creation Creation Creation Creation 2. File transfer in No change No change Transfer No change same volume 3. File transfer in different volume 4. File copy in same volume Original file creation Original file Copy Copy modification Copy Copy Copy Copy Copy Modification of Copy Copy original file Copy Copy Copy Copy 1148

5. File copy in different volume International Journal of Advanced Research in Computer Engineering & Technology (IJARCET) Copy Last Modification of original file Copy Copy Copy Copy Copy Copy 6. Editing in file No change Modification Modification No change 7. Access to file No change No change Last access No change 8. Renaming file No change No change Name change No change 9. Extraction of file compressed zipped file from $SI Creation before name change $SI modification before the name change $SI modification before change entry name $SI access Last before name change Extraction Creation Extraction Extraction Extraction Extraction Extraction Extraction 10. Restoration of No change No change Restoration No change file from $SI Creation $SI modification Deletion $SI Last recycle bin before deletion before deletion access before deletion 11. File replace Old file creation Replacement Replacement Old file creation Old file creation Old file creation Old file creation Old file creation 12. Attachment of file to email 13. Property No change No change Property change No change change of file 14. Download file Download Download Download Download Download Download Download Download Note: # :-$STANDARD_INFORMATION attribute and * :- FILE_NAME attribute 1149

2. Rules for Changes in fields with various user actions on files in windows vista (All other rules are same as window 7 table) TABLE 3 CHANGES IN TIME FIELDS WITH VARIOUS USER ACTIONS ON FILES (RULES FOR WINDOWS XP) creation Last Entry Last Modification modification Access Rule $FN * creation $FN * last $FN * Entry $FN * last Modification modification Access 6.Editing in file No change No change Edit No change 9.Extraction of file from compressed zipped file No change No change Extraction No change Extraction Extraction Extraction Extraction 3. Rules for Changes in fields with various user actions on files in windows Xp (Other rules are same as windows 7 table) TABLE 4. CHANGES IN TIME FIELDS WITH VARIOUS USER ACTIONS ON FILES (RULES FOR WINDOWS XP) creation Last Entry Last Modification modification Access Rule $FN * creation $FN * last $FN * Entry $FN * last Modification modification Access 3.File transfer in No change No change No change Copy different volume Copy Copy Copy Copy 4.File copy in same Copy No change No change Copy volume Copy Copy Copy Copy 5.File copy in Copy No change No change Copy different volume Copy Copy Copy Copy 6.Editing in file No change Edit Edit Edit 9.Extraction of file No change No change Extraction No change from compressed Extraction Extraction Extraction Extraction zipped file 1150

11.File replace Old file creation Last modification Last entry Replacement of modification Replacement file of Replacement file Old file creation Old file Old file entry Old file modification modification access IV. CONCLUSION AND FUTURE SCOPE From the research work it is concluded that, doubtful files are analysed according to their timing fields. User actions on the files are detected according to their creation, modification, entry modification and access of the files. Analysis is performed on window s 7, window s vista and window s xp. 14 rules are created for the analysis purpose of NTFS files that can be used to detect user action on files. Window s 7 and Window s vista has maximum same rules but windows xp have some difference. For future work analysis of files of various Linux based operating systems can be performed to detect actions performed on files. REFERENCES [1] Bang, J., Yoo, B., Kim, J. and Lee S., 2009. Analysis of information for digital investigation, Fifth international joint conference on In, IMS and IDC, IEEE conference 2009, pp 1858-1864. [2] Carrier, B., 2005. File system forensic analysis Publishers: Addison Wesley Professional, March 17, 2005, ISBN: 0-32-126812-2. [3] Chow, K.P., Kawan, M.Y. K., Law, F. Y. W. and Lai, K.Y., 2007. The rules of on NTFS system, In Proceedings of Systematic Approaches to Digital Forensic Engineering, Department of computer Science, The university of Hong Kong. [4] Davis, J., MacLean, J. and Dampier, D., 2010. Methods of information hiding and detection in file systems, Fifth international workshop on systematic approaches to digital forensic engineering, IEEE conference, pp 66-69. [5] DEFINING ISSUES: FORENSIC TECHNOLOGY, Proactive Forensics, KPMG cutting through complexity 2013, pp 1-2. [6] DMDE 2.4.2. Free Edition- Disk Editor, Dmitry Sidorov, last accessed march, 2015, http://softdm.com/ [7] Disk Explorer 4.25 for NTFS file system, Run software, Laser accessed March, 2015, http://www.run.org/ [8] Gyu-Sang Cho, 2013. A computer forensic method for detecting stamp forgery in NTFS, computers and security 2013, pp 36-46. [9] Kai, Z., En, C. and Qinquan, G., 2010. Analysis and Implementation of NTFS file system based on computer forensics, Second international workshop on education technology and computer science, IEEE conference, pp 325-328. [10] Naiqi, Lu. Zhongshan, W., Yujie, H. and Qunke,2008. Computer forensics research and implementation based on NTFS file system,2008 ISECS International colloquium on computing, communication, control and management, IEEE conference, pp 519-523. [11] Patel, Pratik. And Mishra, Shailendra. Detecting stamp forgery in NTFS file system using log file, International Journal of Engineering Development and Research 2014, Vol. 2, Issue 3 ISSN: 2321-9939, pp 3224-3227. [12] Pollitt, M., 1995. Computer Forensics: an Approach to Evidence in Cyberspace, Proceedings of the National Information Systems Security Conference, Baltimore, Vol. 2, pp 487-491. Tejpal Sharma received the B.Tech degree in Computer Science and Engineering and M.Tech degree in E-Security from Baba Banda Singh Bahadur Engineering College, Fatehgarh Sahib (Punjab). Presently working as Assistant Professor in Chandigarh Group of Colleges Landran, Mohali (Punjab). India. Manjot Kaur received the B.Tech.degree in Computer Science from Rayat Institute of Engineering and Technology and M.Tech. degree in E-Security from Baba Banda Singh Bahadur Engineering College, respectively. Presently working as Assistant Professor in Khalsa College for Women Amritsar(Punjab), India. 1151

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback