dc.contributor.author | Porter, Kyle | |
dc.date.accessioned | 2020-10-28T10:30:15Z | |
dc.date.available | 2020-10-28T10:30:15Z | |
dc.date.created | 2020-10-01T11:14:51Z | |
dc.date.issued | 2020 | |
dc.identifier.citation | Digital Investigation. The International Journal of Digital Forensics and Incident Response. 2020, 33. | en_US |
dc.identifier.issn | 1742-2876 | |
dc.identifier.uri | https://hdl.handle.net/11250/2685461 | |
dc.description.abstract | Recovery of files can be a challenging task in file system investigations, and most carving techniques are based on file signatures or semantics within the file. However, these carving techniques often only recover the files, but not the metadata associated with the file. In this paper, we propose a novel, generic approach for carving metadata by searching for equal and co-located timestamps. The rationale is that there are some common metadata for files and directories within each file system. Our generic time carver provides potential timestamp locations for repeated timestamps in each metadata structure, identifying potential metadata for files. A semantic parser then filters the results with respect to the specific file system type. In our experiments, extraction of MFT entries in NTFS and inodes in Ext4 had near perfect precision for metadata entries with multiple equivalent timestamps, and for such metadata structures we obtained perfect recall for NTFS. For known file systems, we use the information found within identified metadata to recover files, and by recovering files and their associated metadata we increase the evidential value of recovered files. | en_US |
dc.language.iso | eng | en_US |
dc.publisher | Elsevier | en_US |
dc.relation.uri | https://github.com/reviewscientific2020/cPTS | |
dc.rights | Attribution-NonCommercial-NoDerivatives 4.0 International | * |
dc.rights.uri | http://creativecommons.org/licenses/by-nc-nd/4.0/deed.no | * |
dc.title | Generic Metadata Time Carving | en_US |
dc.type | Peer reviewed | en_US |
dc.type | Journal article | en_US |
dc.description.version | publishedVersion | en_US |
dc.source.pagenumber | 10 | en_US |
dc.source.volume | 33 | en_US |
dc.source.journal | Digital Investigation. The International Journal of Digital Forensics and Incident Response | en_US |
dc.identifier.doi | https://doi.org/10.1016/j.fsidi.2020.301005 | |
dc.identifier.cristin | 1836068 | |
dc.relation.project | Norges forskningsråd: ArsForensica project number 248094/O70 | en_US |
dc.description.localcode | https://doi.org/10.1016/j.fsidi.2020.301005 2666-2817/© 2020 The Author(s). Published by Elsevier Ltd on behalf of DFRWS. All rights reserved. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/). | en_US |
cristin.ispublished | true | |
cristin.fulltext | original | |
cristin.qualitycode | 1 | |