Authors: Rune Nordvik (Norwegian University of Science and Technology; Norwegian Police University College), Kyle Porter (Norwegian University of Science and Technology), Fergus Toolan (Norwegian Police University College), Stefan Axelsson (Norwegian University of Science and Technology; Halmstad University), and Katrin Franke (Norwegian University of Science and Technology)
DFRWS USA 2020
Winner of the Best Paper Award USA 2020
Recovery of files can be a challenging task in file system investigation, and most carving techniques are based on file signatures or semantics within the file. However, these carving techniques often only recover the files, but not the metadata associated with the file. In this paper, we propose a novel, generic approach for carving metadata by searching for equal and co-located timestamps. The rationale is that there are some common metadata for files and directories within each file system. Our generic time carver provides potential timestamp locations for repeated timestamps in each metadata structure, identifying potential metadata for files. A semantic parser then filters the results with respect to the specific file system type. In our experiments, extraction of MFT entries in NTFS and inodes in Ext4 had near perfect precision for metadata entries with multiple equivalent timestamps, and for such metadata structures we obtained perfect recall for NTFS. For known file systems, we use the information found within identified metadata to recover files, and by recovering files and their associated metadata we increase the evidential value of recovered files.
|Generic Metadata Time Carving (Paper)|
|Generic Metadata Time Carving (Slides)|