Abstract

This paper identifies forensically important artifacts of the B-tree file system (Btrfs), analyses the changes they undergo due to node balancing during file and directory operations, and, based on the observed file system state changes, proposes an evidence-extraction procedure. The findings suggest that retrieving forensic evidence from a fresh B-tree file system is difficult; the probability of evidence extraction increases as the file system ages; internal nodes are the richest sources of forensic data; the degree of evidence extraction depends on whether nodes are merged or redistributed; files smaller than 1 KB and larger than 4 KB have the highest chances of recovery; and files of 3–4 KB have the lowest chances of recovery.
