论文信息 - Investigating File Encrypted Material Using NTFS $logfile

Investigating File Encrypted Material Using NTFS $logfile

When an encrypted file is discovered during a digital investigation and the investigator cannot decrypt the file then s/he is faced with the problem of how to determine evidential value from it. This research is proposing a methodology for locating the original plaintext file that was encrypted on a hard disk drive. The technique also incorporates a method of determining the associated plaintext contents of the encrypted file. This is achieved by characterising the file-encryption process as a series of file I/O operations and correlating those operations with the corresponding events in the NTFS $logfile file. The occurrence of these events has been modelled and generalised to investigate file-encryption. This resulted in the automated analysis of $logfile in FindTheFile software.

Pavel Gladyshev | Niall McGrath

[1] Elżbieta Nowicka. Modeling Temporal Properties of Multi-event Attack Signatures in Interval Temporal Logic , 2006 .

[2] Brian D. Carrier,et al. File System Forensic Analysis , 2005 .

[3] Marcus K. Rogers,et al. Finding Forensic Information on Creating a Folder in $LogFile of NTFS , 2011, ICDF2C.

[4] D. Altman,et al. Statistics Notes: Diagnostic tests 1: sensitivity and specificity , 1994 .

[5] Mark Russinovich,et al. Windows® Internals: Including Windows Server 2008 and Windows Vista, Fifth Edition , 2009 .

[6] M. Zawada,et al. An Interval Temporal Logic-Based Matching Framework for Finding Occurrences of Multi-event Attack Signatures , 2007 .

[7] Jason Siegfried,et al. Examining the Encryption Threat , 2004, Int. J. Digit. EVid..

[8] Pavel Gladyshev,et al. Cryptopometry as a Methodology for Investigating Encrypted Material , 2010, Int. J. Digit. Crime Forensics.

[9] Rui Wang,et al. Side-Channel Leaks in Web Applications: A Reality Today, a Challenge Tomorrow , 2010, 2010 IEEE Symposium on Security and Privacy.

[10] Eugene C. Freuder,et al. Constraint Satisfaction: An Emerging Paradigm , 2006, Handbook of Constraint Programming.