De-Wipimization: Detection of data wiping traces for investigating NTFS file system

Abstract

Data wiping is used to securely delete unwanted files. However, data wiping can also be misused to destroy evidence and thereby spoil a digital forensic investigation. To cope with such misuse, we propose an anti-anti-forensic method based on NTFS transaction features and a machine learning algorithm. The method allows investigators to obtain information regarding ‘which files are wiped’ and ‘which data wiping tools and data sanitization standards were used’. In this study, we achieved good identification of data wiping traces in the NTFS file system. Leveraging the efficiency of machine learning models, our method effectively recognizes wiped partitions and files in the NTFS file system and identifies the tools used for data sanitization.
