Using the object ID index as an investigative approach for NTFS file systems
Journal article, Peer reviewed
Published version
Date
2019
Original version
Digital Investigation. The International Journal of Digital Forensics and Incident Response. 2019, 28 S30-S39. 10.1016/j.diin.2019.01.013
Abstract
When investigating an incident, it is important to document user activity and to document which storage device was connected to which computer. We present a new approach to documenting user activity in computer systems that use the NTFS file system: using the $ObjId Index and correlating this index with the corresponding records in the MFT table. This may be the only possible approach when investigating external NTFS storage devices, and is hence a valuable addition to the storage forensics toolbox.