
Features of forensic investigation of the NTFS file system

Authors: Kovalenko A.S.
Published in issue: #5(58)/2021
DOI: 10.18698/2541-8009-2021-5-696


Category: Jurisprudence | Chapter: Criminal Law and Criminology

Keywords: file system, NTFS, MFT, file attributes, file recording, forensics, forensic research, forensic computer-technical examination
Published: 20.05.2021

The article is devoted to the search for and analysis of forensic information at the file system level. The paper considers some basic concepts, data structures and operating principles of one of the most common file systems, the New Technology File System (NTFS), which is the standard for operating systems of the Windows family. The authors analyzed the structure of the main attributes, such as $STANDARD_INFORMATION, $FILE_NAME, $OBJECT_ID and $DATA. An experiment on decoding a file record in the Master File Table (MFT) is described, during which information was obtained that allows a file to be identified. This method can also be applied when recovering deleted or damaged data.
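As an added illustration of the MFT record decoding the abstract describes (this is example code, not the paper's own experiment), the parser below applies the update-sequence fixup, walks the resident attributes of a 1024-byte FILE record and decodes the $STANDARD_INFORMATION and $FILE_NAME attributes; the record it parses is constructed in `sample_record()` and its contents (entry 40, the name `evidence.txt`, parent entry 5, USN 7) are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch

def filetime(ticks):   # FILETIME: 100 ns intervals since 1601-01-01 UTC
    return EPOCH + timedelta(microseconds=ticks // 10)

def apply_fixup(rec, sector=512):   # restore each sector's last 2 bytes from the update sequence array
    usa_off, usa_len = struct.unpack_from("<HH", rec, 4)
    usn, out = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_len):
        if out[i * sector - 2:i * sector] != usn:
            raise ValueError("fixup mismatch: torn write or corrupt record")
        out[i * sector - 2:i * sector] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def parse_record(rec):   # decode header flags, $STANDARD_INFORMATION and $FILE_NAME of one FILE record
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixup(rec)
    off, flags = struct.unpack_from("<HH", rec, 0x14)          # first attribute offset, record flags
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "in_use": bool(flags & 1)}
    while struct.unpack_from("<I", rec, off)[0] != 0xFFFFFFFF:  # 0xFFFFFFFF ends the attribute list
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
        body = rec[off + coff:off + coff + clen] if not nonres else b""
        if atype == 0x10:    # $STANDARD_INFORMATION: created, modified, MFT-modified, accessed
            info["si_times"] = [filetime(t) for t in struct.unpack_from("<4Q", body)]
        elif atype == 0x30:  # $FILE_NAME: parent reference, its own 4 FILETIMEs, sizes, UTF-16LE name
            info["parent"] = struct.unpack_from("<Q", body)[0] & 0xFFFFFFFFFFFF
            info["fn_times"] = [filetime(t) for t in struct.unpack_from("<4Q", body, 8)]
            info["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return info

def attr(atype, body, aid):   # resident attribute: 24-byte header + content, padded to 8 bytes
    alen = (24 + len(body) + 7) & ~7
    return (struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 0, 0, aid, len(body), 24, 0, 0) + body).ljust(alen, b"\0")

def sample_record():   # constructed record (not from a real volume): in-use file, MFT entry 40, USN 7
    T = 132_905_664_000_000_000                       # 2022-03-01 00:00:00 UTC
    si = struct.pack("<4QI", T, T + 10**8, T + 10**8, T, 0x20).ljust(48, b"\0")   # modified 10 s later
    fn = struct.pack("<Q4QQQII", 5 | (5 << 48), T, T, T, T, 4096, 13, 0x20, 0) + bytes([12, 3]) + "evidence.txt".encode("utf-16-le")
    attrs = attr(0x10, si, 0) + attr(0x30, fn, 1) + b"\xff" * 4
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(attrs), 1024, 0, 2, 0, 40)
    rec = bytearray((hdr + b"\x07\x00" + bytes(6) + attrs).ljust(1024, b"\0"))   # USA at 0x30, attributes at 0x38
    for i in (1, 2):   # save each sector's tail in the USA, then stamp the USN over it, as NTFS does
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[512 * i - 2:512 * i]
        rec[512 * i - 2:512 * i] = b"\x07\x00"
    return bytes(rec)
```

Comparing the four $STANDARD_INFORMATION timestamps with the four in $FILE_NAME is what lets an examiner notice timestamps that have been altered, since tools that change file times usually touch only the former.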

