Interpretation of File System Metadata in a Criminal Investigation Context
Abstract
The reliable reconstruction of digital events is imperative for solving criminal cases. Computers, servers, mobile and IoT devices, vehicles, and EV charging infrastructure all use either local or remote (cloud) storage. The storage needs a file system in order to store and retrieve files. Currently, digital forensic tools implement support for the most popular file systems, either fully or partially. In order to determine what has taken place, investigators today depend on tools that automate much of the investigation. Unfortunately, these tools use techniques that are not necessarily published, tested or peer-reviewed, which increases the uncertainty of their results. Furthermore, investigators normally rely on well-known artifacts from the Operating System (OS) when trying to determine what occurred, while file system interpretation is typically automated by the tools and trusted as reliable and complete by the investigators. In many cases the OS is not available, for instance when an external storage device is seized. This means the investigator only has the file system and the file content available for investigation. We found metadata structures that may connect an external device to the computers used to create files on the device, reveal the order in which these files were created, and show when those computers were booted. These findings will help investigators to identify which computers are relevant for the investigation, create timelines, and detect timestamp manipulation, but also identify which files users have created, opened, or saved. It is not unusual that external devices are damaged or reformatted with new file systems. In this context it is important to be able to recover files from the damaged file system. We were able to invent a novel and generic method to carve and identify metadata for files using equality or approximate equality to identify timestamps that are co-located, a pattern typical for file metadata structures in most file systems.
Our prototype tool outperforms the other tools we tested in recovery from damaged file systems. Investigators often use timestamps to create timelines or to limit their investigation to a particular time frame. We found that both tools and different file system drivers are implemented differently, not necessarily following the file system specifications. Even normal usage of an external USB disk on multiple operating systems may change timestamps to invalid settings, and it is imperative that investigators are able to identify such usage. This thesis will focus on interpreting the file system metadata to identify and understand the accurate meaning of structures that the digital forensic tools currently do not support or only partly support, identifying new knowledge that will increase the quality of digital investigations.
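The following is an added illustration of the carving idea described in the abstract (co-located timestamps that are equal or approximately equal signal a file metadata structure), written for this page; it is not the thesis's prototype tool or code from any of the listed papers. It assumes 64-bit little-endian Windows FILETIME encoding (100 ns ticks since 1601-01-01 UTC, as used by NTFS), a plausibility window of 1990 to 2030, and a small byte buffer constructed inline with filler bytes, one NTFS-like group of four timestamps, one isolated timestamp, and one group of four identical timestamps. The scanner does not assume any alignment, so it is the generic form of the method rather than an NTFS-specific parser.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # one FILETIME tick is 100 ns


def datetime_to_filetime(dt):
    """Convert an aware datetime to a FILETIME tick count (exact integer arithmetic)."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def filetime_to_datetime(ft):
    """Convert a FILETIME tick count back to an aware UTC datetime (sub-microsecond part dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def find_timestamp_clusters(data, earliest, latest, min_count=3, tolerance_seconds=10, step=1):
    """Scan a raw byte buffer for runs of consecutive 64-bit values that all decode to
    plausible FILETIMEs and lie within tolerance_seconds of each other.

    Such a run is the signature of a file metadata record (e.g. created/modified/
    MFT-modified/accessed), and is reported even when the surrounding file system
    structures are destroyed. step=1 scans every byte offset (generic, slower);
    step=8 would be enough for structures known to be 8-byte aligned.
    """
    lo = datetime_to_filetime(earliest)
    hi = datetime_to_filetime(latest)
    tol = tolerance_seconds * TICKS_PER_SECOND
    clusters = []
    offset = 0
    while offset + 8 <= len(data):
        values = []
        pos = offset
        while pos + 8 <= len(data):
            (v,) = struct.unpack_from("<Q", data, pos)
            if not (lo <= v <= hi):
                break  # not a plausible timestamp: the run ends here
            if values and max(values + [v]) - min(values + [v]) > tol:
                break  # plausible, but not approximately equal to the run
            values.append(v)
            pos += 8
        if len(values) >= min_count:
            clusters.append({
                "offset": offset,
                "count": len(values),
                "timestamps": [filetime_to_datetime(v) for v in values],
            })
            offset = pos  # skip past the record so shifted re-reads of it are not reported
        else:
            offset += step
    return clusters


# --- constructed sample buffer (not a real disk image) ---------------------
SAMPLE_BASE_TIME = datetime(2021, 3, 15, 10, 30, 0, tzinfo=timezone.utc)


def _ft_bytes(dt):
    return struct.pack("<Q", datetime_to_filetime(dt))


_FILLER = b"\xff"  # 0xFF.. never decodes to a plausible timestamp
SAMPLE_IMAGE = (
    _FILLER * 37
    # NTFS-like created / modified / MFT-modified / accessed group at offset 37
    + _ft_bytes(SAMPLE_BASE_TIME)
    + _ft_bytes(SAMPLE_BASE_TIME + timedelta(seconds=2))
    + _ft_bytes(SAMPLE_BASE_TIME + timedelta(seconds=2))
    + _ft_bytes(SAMPLE_BASE_TIME + timedelta(seconds=1))
    + _FILLER * 21
    # a single plausible timestamp at offset 90: too short to be a record
    + _ft_bytes(SAMPLE_BASE_TIME + timedelta(seconds=3))
    + _FILLER * 13
    # four identical timestamps at offset 111 (a freshly created file looks like this)
    + _ft_bytes(SAMPLE_BASE_TIME + timedelta(days=1)) * 4
    + _FILLER * 10
)


def carve_sample():
    """Run the carver over the constructed buffer with a 1990-2030 plausibility window."""
    return find_timestamp_clusters(
        SAMPLE_IMAGE,
        earliest=datetime(1990, 1, 1, tzinfo=timezone.utc),
        latest=datetime(2030, 1, 1, tzinfo=timezone.utc),
    )


if __name__ == "__main__":
    for cluster in carve_sample():
        print(f"offset {cluster['offset']}: {cluster['count']} co-located timestamps")
        for ts in cluster["timestamps"]:
            print("   ", ts.isoformat())
```

On the sample the carver reports exactly the two groups (offsets 37 and 111) and ignores the isolated timestamp at offset 90. In practice the plausibility window, the tolerance and the minimum run length are the parameters an examiner tunes: a tight tolerance finds records of files written in one operation, a wider one also catches records whose accessed timestamp was updated later, and the candidate offsets then have to be validated against the expected record layout of the file system being recovered.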
Has parts
Paper A: Nordvik, Rune; Toolan, Fergus; Axelsson, Stefan. Using the object ID index as an investigative approach for NTFS file systems. Digital Investigation. The International Journal of Digital Forensics and Incident Response 2019; Volume 28, Suppl., April 2019, pp. 30-39. https://doi.org/10.1016/j.diin.2019.01.013 This is an open access article under the CC BY-NC-ND license.
Paper B: Nordvik, Rune; Porter, Kyle; Toolan, Fergus; Axelsson, Stefan; Franke, Katrin. Generic Metadata Time Carving. Forensic Science International: Digital Investigation 2020; Volume 33, Suppl., July. https://doi.org/10.1016/j.fsidi.2020.301005 This is an open access article under the CC BY-NC-ND license.
Paper C: Porter, Kyle; Nordvik, Rune; Toolan, Fergus; Axelsson, Stefan. Timestamp prefix carving for filesystem metadata extraction. Forensic Science International: Digital Investigation 2021; Volume 38, pp. 1-13. https://doi.org/10.1016/j.fsidi.2021.301266 This is an open access article under the CC BY license.
Paper D: Nordvik, Rune; Axelsson, Stefan. It is about time–Do exFAT implementations handle timestamps correctly?. Forensic Science International: Digital Investigation 2022; Volume 42-43. https://doi.org/10.1016/j.fsidi.2022.301476 This is an open access article under the CC BY license.