Authors: Rune Nordvik, Fergus Toolan (Norwegian Police University College), Stefan Axelsson (Norwegian University of Science and Technology)

DFRWS EU 2019

Abstract

When investigating an incident it is important to document user activity, and to document which storage device was connected to which computer. We present a new approach to documenting user activity in computer systems using the NTFS file system by using the $ObjID Index to document user activity, and to correlate this index with the corresponding records in the MFT table. This may be the only possible approach when investigating external NTFS storage devices, and is hence a valuable addition to the storage forensics toolbox.

Downloads