Extraction of Creation-Time for Recovered Files on Windows FAT32 File System

In this article, we propose a method for reconstructing the creation order of deleted files on the FAT32 file system under Windows operating systems. The creation order of files is established using a correlation between the storage locations of the files and the locations of their directory entries. This method can be used to derive a creation-time bound for files that were recovered without creation-time information. We first examine the file allocation behavior of the Windows FAT32 file system. Next, based on the examined behavior, we propose a novel method that finds the creation order of deleted files that have been recovered without creation-time information. Due to the complex behavior of the Windows FAT32 file system, the method may find multiple candidate creation orders even though the actual creation order is unique. In experiments with a commercial device, we confirm that the actual creation order of each recovered file belongs to one of the creation orders found by the method.
