Abstract
When an encrypted file is discovered during a digital investigation and the investigator cannot decrypt the file then s/he is faced with the problem of how to determine evidential value from it. This research is proposing a methodology for locating the original plaintext file that was encrypted on a hard disk drive. The technique also incorporates a method of determining the associated plaintext contents of the encrypted file. This is achieved by characterising the file-encryption process as a series of file I/O operations and correlating those operations with the corresponding events in the NTFS $logfile file. The occurrence of these events has been modelled and generalised to investigate file-encryption. This resulted in the automated analysis of $logfile in FindTheFile software.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
Carter, H.: Paedophiles jailed for hatching plot on internet (2007)
Joseh, S.: Hamas Terror Chat Rooms (December 11, 2007)
Siegfried, J., et al.: Examining the Encryption Threat, Computer Forensic Research and Development Center. International Journal of Digital Evidence (2004)
Bunting, S.: The Official EnCase Certified Examiner Guide. Wiley (2008)
McGrath, N., Gladyshev, P., Carthy, J.: Cryptopometry as a Methodology for Investigating Encrypted Material. International Journal of Digital Crime and Forensics 2(1) (January-March 2010); special edition of selected papers from e-Forensics (2009)
Russinovich, M.E., Solomon, D.A.: Windows Internals Covering Windows Server 2008 and Windows Vista. Microsoft Press, One Microsoft Way (2009)
Carrier, B.: File System Forensic Analysis. Addison Wesley, Boston (2005)
Parsonage, H.: The Meaning of Linkfiles in Forensic Examinations (2010)
Cho, G.-S., Rogers, M.K.: Finding Forensic Information on Creating a Folder in $LogFile of NTFS. In: Gladyshev, P., Rogers, M.K. (eds.) ICDF2C 2011. LNICST, vol. 88, pp. 211–225. Springer, Heidelberg (2012)
Nowicka, E., Zawada, M.: Modeling Temporal Properties of Multi-event Attack Signatures in Interval Temporal Logic. Wrocław University of Technology (2006)
Rossi, F., Van Beek, P., Walsh, T.: Constraint Satisfaction: An Emerging Paradigm. In: Handbook of Constraint Programming. Foundations of Artificial Intelligence. Elsevier, Amsterdam (2006)
Gurari, E.: Backtracking algorithms “CIS 680: DATA STRUCTURES: Chapter 19: Backtracking Algorithms” (1999), http://www.cse.ohio-state.edu/gurari/course/cis680/cis680Ch19.html#QQ1-51-128
Altman, D.G., Bland, J.M.: Diagnostic Tests – Sensitivity and Specificity. BMJ 308(6943), 1552 (1994) PMID 8019315
Chen, S., Wang, R., Wang, X., Zhang, K.: Side-Channel Leaks in Web Applications: A Reality Today, A Challenge Tomorrow. In: IEEE Symposium on Security & Privacy (May 2010), http://research.microsoft.com/pubs/119060/WebAppSideChannel-final.pdf
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2013 ICST Institute for Computer Science, Social Informatics and Telecommunications Engineering
About this paper
Cite this paper
McGrath, N., Gladyshev, P. (2013). Investigating File Encrypted Material Using NTFS $logfile. In: Rogers, M., Seigfried-Spellar, K.C. (eds) Digital Forensics and Cyber Crime. ICDF2C 2012. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol 114. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-39891-9_12
Download citation
DOI: https://doi.org/10.1007/978-3-642-39891-9_12
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-39890-2
Online ISBN: 978-3-642-39891-9
eBook Packages: Computer ScienceComputer Science (R0)