| dc.contributor.advisor | Dyrkolbotn, Geir Olav | |
| dc.contributor.advisor | Axelsson, Stefan | |
| dc.contributor.author | Karresand, Nils Martin Mikael | |
| dc.date.accessioned | 2023-05-30T08:17:42Z | |
| dc.date.available | 2023-05-30T08:17:42Z | |
| dc.date.issued | 2023 | |
| dc.identifier.isbn | 978-82-326-7045-1 | |
| dc.identifier.issn | 2703-8084 | |
| dc.identifier.uri | https://hdl.handle.net/11250/3069265 | |
| dc.description.abstract | Digital forensic investigators have for a long time been burdened by an increasing amount of data to handle. Many solutions have been proposed. A yet unexplored feature is to use the inherent structures left by the allocation algorithm. These structures can be used to build a map of the allocation activity at different positions in a file system. The map can be used to plan and optimize the search for valuable data. We therefore have studied the inherent structures in the New Technology File System (NTFS) as a proof-of-concept to explore the possibility to create such a map. The
map can increase the efficiency of many digital forensic processes, which has been verified experimentally for sampled hash-based carving. In file carving the map can help both during fragment extraction, as well as during file reassembly. Our research can also be used to verify time stamps and categorize the writing type of files based on the allocation pattern. It furthermore brings new knowledge to the research fields of external fragmentation and data recovery. | en_US |
| dc.language.iso | eng | en_US |
| dc.publisher | NTNU | en_US |
| dc.relation.ispartofseries | Doctoral theses at NTNU;2023:171 | |
| dc.relation.haspart | Paper 1: Karresand, Nils Martin Mikael; Warnqvist, Asalena; Lindahl, David; Axelsson, Stefan; Dyrkolbotn, Geir Olav. Creating a map of user data in NTFS to improve file carving. IFIP Advances in Information and Communication Technology 2019 ;Volum 569. s. 133-158. Copyright © 2019 Springer. Available at: http://dx.doi.org/10.1007/978-3-030-28752-8_8 | en_US |
| dc.relation.haspart | Paper 2: Karresand, Nils Martin Mikael; Axelsson, Stefan; Dyrkolbotn, Geir Olav. Using NTFS cluster allocation behavior to find the location of user data. Digital Investigation. The International Journal of Digital Forensics and Incident Response 2019 ;Volum 29. Suppl. 1 s. S51-S60. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/ licenses/by-nc-nd/4.0/). Available at: http://dx.doi.org/10.1016/j.diin.2019.04.018 | en_US |
| dc.relation.haspart | Paper 3: Karresand, Nils Martin Mikael; Axelsson, Stefan; Dyrkolbotn, Geir Olav. Disk Cluster Allocation Behavior in Windows and NTFS. Mobile Networks and Applications 2019 s. -Open Access This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/). Available at: https://doi.org/10.1007/s11036-019-01441-1 | en_US |
| dc.relation.haspart | Paper 4: Karresand, Nils Martin Mikael; Dyrkolbotn, Geir Olav; Axelsson, Stefan. An Empirical Study of the NTFS Cluster Allocation Behavior Over Time. Forensic Science International: Digital Investigation 2020 ;Volum 33. Suppl. July 2020. This is an open access article under the CC BY-NC-ND license (http:// creativecommons.org/licenses/by-nc-nd/4.0/). Available at: http://dx.doi.org/10.1016/j.fsidi.2020.301008 | en_US |
| dc.title | Digital Forensic Usage of the Inherent Structures in NTFS | en_US |
| dc.type | Doctoral thesis | en_US |
| dc.subject.nsi | VDP::Teknologi: 500::Informasjons- og kommunikasjonsteknologi: 550 | en_US |
