Year-end Sale % OFF 
Abstract
In this article, we propose a creation order reconstruction method of deleted files for the FAT32 file system with Windows operating systems. Creation order of files is established using a correlation between storage locations of the files and their directory entry locations. This method can be utilized to derive the creation-time bound of files recovered without the creation-time information. In this article, we first examine the file allocation behavior of Windows FAT32 file system. Next, based on the examined behavior, we propose a novel method that finds the creation order of deleted files after being recovered without the creation-time information. Due to complex behaviors of Windows FAT32 file system, the method may find multiple creation orders although the actual creation order is unique. In experiments with a commercial device, we confirm that the actual creation order of each recovered file belongs to one of the creation orders found by the method.
Highlights
Even though a file is deleted intentionally or systematically, the deleted file remains in the storage space until new files overwrite its storage space
When it is suspected that a recovered file is associated with crimes or frauds, the creation-time of the recovered file plays an important role in digital forensics, i.e., verifying whether the recovered file was created before or after target criminals
The creation-time is very important for recovered multimedia files because still images or video files frequently contain critical scenes providing crucial evidence for criminal investigation and accident site examinations
Summary
Even though a file is deleted intentionally or systematically, the deleted file remains in the storage space until new files overwrite its storage space. We propose a creation order reconstruction method for recovered files upon the FAT32 file system with Windows operation systems. They search for spread fragments and combines them into a single file based on the information of fragment size and fragment location in the video file All of these previous methods did not consider the reconstruction of lost creation-times of recovered files. As a branch of hidden data recovery, some previous studies [19,20,21,22,23] dealt with a problem of reconstructing the creation order, called timeline, of huge events with heterogeneous time-related metadata These studies focused on designing a framework that automatically generates the timeline of massive events obtained from different devices.
Sign-in/Register to view highlights & summary Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
