    • Interpretation of File System Metadata in a Criminal Investigation Context

      Nordvik, Rune (Doctoral theses at NTNU;2024:115, Doctoral thesis, 2024)
      The reliable reconstruction of digital events is imperative for solving criminal cases. Computers, servers, mobile and IoT devices, vehicles, and EV charging infrastructure all use either local or remote storage (cloud). ...
    • Legal and technical questions of file system reverse engineering 

      Stoykova, Radina; Nordvik, Rune; Ahmed, Munnazzar; Franke, Katrin; Axelsson, Stefan; Toolan, Fergus (Peer reviewed; Journal article, 2022)
      Reverse engineering of file systems is indispensable for tool testing, accurate evidence acquisition, and correct interpretation of data structures by law enforcement in criminal investigations. This position paper examines ...
    • Reliability validation for file system interpretation 

      Nordvik, Rune; Stoykova, Radina Raychova; Franke, Katrin; Axelsson, Stefan; Toolan, Fergus (Peer reviewed; Journal article, 2021)
      This paper examines current best practices for Digital Forensic (DF) tool and method validation in the context of file system interpretation for digital evidence. In order to meet the legal and scientific requirements in ...
    • Reverse engineering of ReFS 

      Nordvik, Rune; Georges, Henry; Toolan, Fergus; Axelsson, Stefan (Journal article; Peer reviewed, 2019)
      File system forensics is an important part of Digital Forensics. Investigators of storage media have traditionally focused on the most commonly used file systems such as NTFS, FAT, ExFAT, Ext2-4, HFS+, APFS, etc. NTFS is ...
    • Timeframe-based contiguous file carving in video surveillance systems 

      Magnussen-Vik, Jostein (Master thesis, 2023)
      In criminal cases, surveillance footage is often an important part of the evidence. It is important to obtain the recordings as early as possible because of deletion requirements and storage space on the surveillance systems. Because of privacy regulations ...
    • Timestamp prefix carving for filesystem metadata extraction 

      Porter, Kyle; Nordvik, Rune; Toolan, Fergus; Axelsson, Stefan (Peer reviewed; Journal article, 2021)
      While file carving is a popular and effective method for extracting file content from unallocated space in a forensic image, it can be time consuming to carve for the wide variety of possible file signatures. Furthermore, ...
    • Using the object ID index as an investigative approach for NTFS file systems 

      Nordvik, Rune; Toolan, Fergus; Axelsson, Stefan (Journal article; Peer reviewed, 2019)
      When investigating an incident it is important to document user activity, and to document which storage device was connected to which computer. We present a new approach to documenting user activity in computer systems ...