Using the object ID index as an investigative approach for NTFS file systems

Rune Nordvik,Fergus Toolan,Stefan Axelsson

doi:10.1016/j.diin.2019.01.013

Using the object ID index as an investigative approach for NTFS file systems

Rune Nordvik, Fergus Toolan + Show 1 more

Open Access

https://doi.org/10.1016/j.diin.2019.01.013

Copy DOI

Journal: Digital Investigation	Publication Date: Apr 1, 2019
Citations: 4	License type: cc-by-nc-nd

Affiliation: Norwegian Police University College, Norwegian University of Science and Technology

#NTFS File System #External Storage Devices + Show 8 more

Abstract
Full-Text PDF
Similar Papers

Abstract

When investigating an incident it is important to document user activity, and to document which storage device was connected to which computer. We present a new approach to documenting user activity in computer systems using the NTFS file system by using the $ObjId Index to document user activity, and to correlate this index with the corresponding records in the MFT table. This may be the only possible approach when investigating external NTFS storage devices, and is hence a valuable addition to the storage forensics toolbox.

Full Text