Using the object ID index as an investigative approach for NTFS file systems
Journal article, Peer reviewed
Original version: Digital Investigation. The International Journal of Digital Forensics and Incident Response. 2019, 28 S30-S39. 10.1016/j.diin.2019.01.013
When investigating an incident, it is important to document user activity and to document which storage device was connected to which computer. We present a new approach to documenting user activity in computer systems that use the NTFS file system: using the $ObjId Index to document user activity, and correlating this index with the corresponding records in the MFT table. This may be the only possible approach when investigating external NTFS storage devices, and is hence a valuable addition to the storage forensics toolbox.