Towards Detecting Digital Criminal Activities Using File System Analysis

  • Conference paper
  • Proceedings of Data Analytics and Management (ICDAM 2023)

Part of the book series: Lecture Notes in Networks and Systems (LNNS, volume 785)

Abstract

Destroying or clearing data is sometimes necessary, whether for legitimate data-protection purposes or to conceal cybercrimes. Various techniques have been proposed for this task, including data wiping, which can permanently remove data from computer disks. It is a common misconception, however, that wiping data destroys all traces of it: evidence, including metadata, may remain in the file system. This paper examines tools that employ several data-wiping methods to investigate whether data or metadata can still be retrieved after full or partial wiping. Our research found evidence in the $MFT, $LogFile and $UsnJrnl locations of the NTFS file system indicating that the file or data had been present on the disk at some point. The results highlight the need for caution when relying on data-wiping tools, whether for data protection or to conceal cybercrimes, as they may not provide complete protection.
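As an added illustration, not taken from the paper, of the kind of $UsnJrnl remnant the abstract refers to: a parser for the documented USN_RECORD_V2 layout, run over a constructed journal fragment in which one file is overwritten, truncated and then deleted. The reason-flag values are the documented USN_REASON_* constants; the file name, timestamps, file reference number and the journal bytes themselves are constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2: 60-byte fixed header, then the UTF-16LE file name, padded to 8 bytes.
_HDR = struct.Struct("<IHHQQqqIIIIHH")
USN_REASONS = {  # subset of the documented USN_REASON_* flags
    0x00000001: "DATA_OVERWRITE", 0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE", 0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME", 0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch, 100 ns ticks

def reason_names(reason):
    return [name for bit, name in sorted(USN_REASONS.items()) if reason & bit]

def parse_usn_v2(buf):
    """Walk a buffer of USN_RECORD_V2 records; zero-filled gaps are skipped."""
    records, off = [], 0
    while off + _HDR.size <= len(buf):
        (rlen, major, _minor, frn, parent, usn, ts, reason,
         _src, _sid, _attrs, nlen, noff) = _HDR.unpack_from(buf, off)
        if rlen == 0:                      # zero fill between records / end of page
            off += 8
            continue
        if major != 2 or rlen < _HDR.size or off + rlen > len(buf):
            raise ValueError(f"malformed record at offset {off}")
        name = buf[off + noff:off + noff + nlen].decode("utf-16-le")
        records.append({"usn": usn, "frn": frn, "parent": parent, "name": name,
                        "time": _EPOCH + timedelta(microseconds=ts // 10),
                        "reasons": reason_names(reason)})
        off += rlen
    return records

def build_record(usn, frn, parent, ts, reason, name):
    """Encode one record; used only to construct the sample journal below."""
    enc = name.encode("utf-16-le")
    rlen = (_HDR.size + len(enc) + 7) & ~7
    hdr = _HDR.pack(rlen, 2, 0, frn, parent, usn, ts, reason, 0, 0, 0x20, len(enc), _HDR.size)
    return (hdr + enc).ljust(rlen, b"\0")

def file_history(buf, frn):
    """Return (name, reasons) for one file reference number, in USN order."""
    recs = sorted((r for r in parse_usn_v2(buf) if r["frn"] == frn), key=lambda r: r["usn"])
    return [(r["name"], r["reasons"]) for r in recs]

# Constructed sample: overwrite, overwrite+truncate, delete+close, with a zero-filled gap.
T0 = 133_000_000_000_000_000                      # a FILETIME in mid-2022 (constructed)
FRN = (1 << 48) | 0x1234                          # sequence 1, MFT entry 0x1234 (constructed)
SAMPLE = (build_record(4096, FRN, 5, T0, 0x00000001, "report.docx") + b"\0" * 16
          + build_record(4200, FRN, 5, T0 + 10_000_000, 0x00000005, "report.docx")
          + build_record(4304, FRN, 5, T0 + 20_000_000, 0x80000200, "report.docx"))

if __name__ == "__main__":
    for name, reasons in file_history(SAMPLE, FRN):
        print(name, reasons)
```

Even after the file's clusters are overwritten, the journal still names the file and records that its data was overwritten, truncated and deleted, which is the kind of metadata trace an examiner looks for.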



Correspondence to Qasem Abu Al-Haija.


Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.


Cite this paper

Al-Fayoumi, M., Al-Fawa’reh, M., Al-Haija, Q.A., Alakailah, A. (2024). Towards Detecting Digital Criminal Activities Using File System Analysis. In: Swaroop, A., Polkowski, Z., Correia, S.D., Virdee, B. (eds) Proceedings of Data Analytics and Management. ICDAM 2023. Lecture Notes in Networks and Systems, vol 785. Springer, Singapore. https://doi.org/10.1007/978-981-99-6544-1_40
