Writing and Deleting files on hard drives with NTFS

• Autorzy: Darnowski F. , Chojnacki A.

Identyfikatory

DOI

10.5604/01.3001.0013.1457

Warianty tytułu

PL

Zapis i kasowanie plików na twardych dyskach z systemem plików NTFS

• Języki publikacji: EN

Abstrakty

EN

The goal of this article was to present detailed information about writing and deleting process on the NTFS (New Technology File System) formatted drives. The most important are the algorithms used by computer to write data BFA (Best Fit Algorithm) and FFA (First-Free Algorithm) to update $MFT (Master File Table). The naming convention of the areas of the drive is presented. The proposed rules of writing and deleting algorithm were successfully validated with real NTFS volume.

PL

Celem artykułu jest przedstawienie szczegółowych informacji na temat zapisu oraz kasowania plików na dyskach twardych wyposażonych w system plików NTFS (ang. New Technology File System). Najważniejsze przy tym są: algorytm wykorzystywany przez komputer do zapisu danych BFA (ang. Best Fit Algorithm) oraz algorytm FFT (ang. First Free Algorithm) aktualizacji pliku $MFT (ang. Master File Table). Zaprezentowano pewną konwencję opisu obszarów na dysku twardym. Przedstawione zasady zostały zweryfikowane na przykładach.

Słowa kluczowe

EN

hard disk; NTFS; $MFT

PL

dysk twardy; NTFS; $MFT

• Wydawca: Institute of Computer and Information Systems, Faculty of Cybernetics, Military University of Technology
• Czasopismo: Computer Science and Mathematical Modelling
• Rocznik: 2018
• Tom: No. 8
• Strony: 5--15
• Opis fizyczny: Bibliogr. 21 poz., tab.

Twórcy

autor

Darnowski F.

• Military University of Technology, Faculty of Cybernetics Institute of Computer and Information Systems W. Urbanowicza Str. 2, 00-908 Warsaw, Poland

autor

Chojnacki A.

• Military University of Technology, Faculty of Cybernetics Institute of Computer and Information Systems W. Urbanowicza Str. 2, 00-908 Warsaw, Poland

Bibliografia

• [1] Amirani M.C., Toorani M., Shirazi A.A.B, “A new approach to content-based file type detection”, Proceedings of the 13th IEEE Symposium on Computers and Communications (ISCC‘08), pp. 1103–1108, 2008.
• [2] Bayne E., Ferguson R.I., Sampson A.T., “OpenForensics: A digital forensics GPU pattern matching approach for the 21st century”, Digital Investigation, Vol. 24, Supplement, S29–S37 (2018).
• [3] Carrier B., File System Forensic Analysis, Addison Wesley Professional, New York, 2005.
• [4] Darnowski F., “Bezpieczne usuwanie danych z dysków SSD”, in: Przestępczość Teleinformatyczna, str. 109–115, Szczytno 2011.
• [5] Darnowski F., Chojnacki A., “Selected Methods of File Carving and Analysis of Digital Storage Media in Computer Forensic”, Przegląd Teleinformatyczny, T.3(21) Nr 1-2 (39) 2015.
• [6] Garfinkel S.L., “Carving contiguous and fragmented files with fast object validation”, Digital Investigation, Vol. 4(1), pp. 2–12, 2007.
• [7] Garfinkel S. L., “Random sampling with sector identification”, Naval Postgraduate School presentation, 2010.
• [8] Garfinkel S. L., Nelson A., White D., Roussev V., “Using purpose-built functions and block hashes to enable small block and sub-file forensics”, Digital Investigation, Vol. 7, 13–23 (2010).
• [9] Ghotge V., Nema P., “Description of the Cluster Preallocation Algorithm in the NTFS File System”, Microsoft Product Support Services White Paper, 2004.
• [10] Gladyshev P., Patel A., “Finite State Machine Approach to Digital Event Reconstruction”, Digital Investigation, Vol. 1, Issue 2, 130–149 (2004).
• [11] Gladyshev P., Patel A., “Finite state machine analysis of a blackmail investigation”, International Journal of Digital Evidence, Vol. 4, Issue 1, 1–13 (2005).
• [12] Hansen K. H., Toolan F., “Decoding the APFS file system”, Digital Investigation, Vol. 22, 107–132 (2017).
• [13] http://www.netmarketshare.com/(accessed 22.01.2019).
• [14] Olivier M., “Scientific theory of digital forensic”, in: Advances in Digital Forensics XII: 12th IFIP WG 11.9 International Conference, New Delhi, January 4–6, 2016, pp. 3–24.
• [15] Penrose P., Buchanan W.J., Macfarlane R., “Fast contraband detection in large capacity disk drives”, Digital Investigation, 12 (S1), S22-S29 (2015).
• [16] Roussev V. Chow K. P., Shenoi S., “Data fingerprinting with similarity digests”, in: Advances in digital forensics VI, Sixth IFIP WG 11.9 International Conference on Digital Forensics, pp. 207–226, Springer Berlin Heidelberg, 2010.
• [17] Roussev V., Quates C., Martell R., “Real-time digital forensics and triage”, Digital Investigation, Vol. 10, Issue 2, 158–167, (2013).
• [18] Škrbina N., Stojanovski T., “Using parallel processing for file carving”, Proceedings of the Nineth Conference on Informatics and Information Technology (CIIT 2012), pp. 175–179, 2012.
• [19] Wei Y., Zheng N., Xu M., “An automatic Carving Method for RAR File Based on Content and Structure”, Proceedings of the 2010 Second International Conference on Information Technology and Computer Science, pp. 68–72, IEEE, 2010.
• [20] Veenman C., “Statistical Disk Cluster Classification for File Carving”, in: Proceedings of the Third International Symposium on Information Assurance and Security, pp. 393–398, 2007.
• [21] Young J., Foster K., Garfinkel S., Fairbanks K., “Distinct sector hashes for target file detection”, Computer, Vol. 45, Issue 12, 28–35 (2012).

Uwagi

Opracowanie rekordu w ramach umowy 509/P-DUN/2018 ze środków MNiSW przeznaczonych na działalność upowszechniającą naukę (2019).