Forensics Analysis of NTFS File Systems

DOI: 10.4018/978-1-6684-8133-2.ch008

The internet and computers reach everywhere, and everything is being connected through them. Users rely on computers to make life easier and work faster; at the same time, many attacks and instances of cybercrime have occurred, so digital forensics has become necessary and plays a crucial role. NTFS is the most widely used file system on the Windows operating system, and this chapter provides information for forensic analysis of the NTFS file system. The chapter describes digital forensics, its stages, and its types. NTFS is discussed in brief along with the master file table (MFT). The same section also covers a method to detect hidden data in the boot sector and the analysis of the registry, prefetch files, shellbags, and web browsers. The chapter discusses the collection of volatile and non-volatile data, lists the artifacts an investigator should look for along with the tools used to collect and analyze them and the strategies used for investigation and analysis, and closes with data recovery and file carving.
Chapter Preview

The science of locating, obtaining, evaluating, and presenting digital evidence that has been kept on digital electronic storage devices in order to be used as evidence in a court of law is known as 'digital forensics' (Alazab et al., 2009).

The main stages of digital forensics are:

  1. Identification of evidence
  2. Preservation of evidence
  3. Collection of digital evidence
  4. Examination and analysis of evidence
  5. Reporting and presentation

Whenever a cybercrime has taken place, a fixed sequence of steps must be followed while investigating the crime scene. The important steps to be taken at the crime scene are as follows:

  1. Secure the crime scene.
  2. Document the crime scene.
  3. Search for digital evidence.
  4. Identify the digital evidence.
  5. Collect the evidence in a forensically sound manner.
  6. Maintain the chain of custody during transportation of the digital evidence.
  7. Submit the digital evidence to the forensic science laboratory.

An investigator has to carry tools and equipment such as: crime scene securing tape, a digital camera, extra batteries, video cameras, sketch pads, blank sterile storage media (portable USB hard disks and pen drives to store the evidence image), a hardware write-blocker, labels, pens, permanent markers, storage containers, anti-static bags, Faraday bags, a toolkit, and rubber gloves.

The types of digital forensics are:

  1. Computer forensics
  2. Mobile forensics
  3. Network forensics
  4. Email and social media forensics
  5. Database forensics

Computer storage is of two types: (1) volatile storage and (2) non-volatile storage. Computer forensics can therefore be further categorized as volatile and non-volatile forensics.

Volatile information must be collected first, because it is lost when the system is powered off; it typically resides in system RAM. Non-volatile data is not affected by a shutdown or power outage. It is typically stored on hard drives, but it can also be found on USB storage devices, CD-ROMs, and mobile devices. Hence the first step in collecting digital evidence is to collect the volatile data; once that has been done, the non-volatile data can be collected. Because non-volatile data resides on the hard disk, an investigator can remove the drive, seal it in a labelled anti-static bag (a Faraday bag is for phones and other devices with radios that must be kept off the network; it adds nothing for a bare drive), and send it to the lab for further investigation.

Several operating systems, such as Windows, Linux, and macOS, may be found on the computer under investigation. Windows uses NTFS (New Technology File System) as its default file system. NTFS replaced the FAT family (FAT16 and FAT32) used by earlier consumer versions of Windows, adding a master file table (MFT), a journal, and per-file access control. Since Windows is one of the most widely used operating systems, NTFS is discussed next.
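As an added example, not part of the chapter, the following Python parses the fields of an NTFS boot sector (the first 512 bytes of the volume) that an examiner needs in order to locate the $MFT on a raw image, and checks the fields NTFS leaves zeroed for non-zero content, which is one simple place hidden data can be found. The boot sector it parses is constructed in the code, not taken from a real disk; the hidden-payload option simulates data stashed in an unused field.

```python
import struct

# Byte ranges of the NTFS boot sector that the file system never writes
# ("always 0" / "not used by NTFS" in Microsoft's layout). format.exe and
# mkntfs zero them, so non-zero content is corruption or deliberately hidden.
MUST_BE_ZERO = [(0x0E, 0x15), (0x16, 0x18), (0x20, 0x24), (0x41, 0x44), (0x45, 0x48)]


def build_sample_boot_sector(hidden_payload: bytes = b"") -> bytes:
    """Constructed 512-byte NTFS boot sector for an 8 GiB volume with 4 KiB
    clusters (example data, not from a real disk). `hidden_payload` (up to
    4 bytes) is written into a field NTFS never uses, to simulate hiding."""
    bs = bytearray(512)
    bs[0x00:0x03] = b"\xeb\x52\x90"                  # JMP over the BPB to the boot code
    bs[0x03:0x0B] = b"NTFS    "                      # OEM ID
    struct.pack_into("<H", bs, 0x0B, 512)            # bytes per sector
    bs[0x0D] = 8                                     # sectors per cluster
    bs[0x15] = 0xF8                                  # media descriptor: fixed disk
    struct.pack_into("<H", bs, 0x18, 63)             # sectors per track (legacy CHS)
    struct.pack_into("<H", bs, 0x1A, 255)            # heads (legacy CHS)
    struct.pack_into("<I", bs, 0x1C, 2048)           # hidden sectors = partition start LBA
    bs[0x24:0x28] = b"\x80\x00\x80\x00"              # unused by NTFS, conventionally this value
    struct.pack_into("<Q", bs, 0x28, 16_777_215)     # total sectors; the final sector holds the backup VBR
    struct.pack_into("<Q", bs, 0x30, 786_432)        # $MFT starting LCN
    struct.pack_into("<Q", bs, 0x38, 2)              # $MFTMirr starting LCN
    bs[0x40] = 0xF6                                  # clusters per MFT record: -10 -> 2**10 bytes
    bs[0x44] = 0x01                                  # clusters per index record: 1 cluster
    struct.pack_into("<Q", bs, 0x48, 0x1A2B3C4D5E6F7081)  # volume serial number
    bs[0x1FE:0x200] = b"\x55\xaa"                    # boot sector signature
    if hidden_payload:
        assert len(hidden_payload) <= 4
        bs[0x20:0x20 + len(hidden_payload)] = hidden_payload
    return bytes(bs)


def _record_size(raw: int, cluster_size: int) -> int:
    """Decode a 'clusters per record' byte: non-negative values count
    clusters; a negative (two's-complement) value n means 2**(-n) bytes."""
    signed = raw - 256 if raw > 127 else raw
    return 2 ** (-signed) if signed < 0 else signed * cluster_size


def parse_ntfs_boot_sector(bs: bytes) -> dict:
    """Parse the fields needed to locate the $MFT on a raw volume image."""
    if len(bs) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    if bs[0x1FE:0x200] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    if bs[0x03:0x0B] != b"NTFS    ":
        raise ValueError(f"OEM ID is {bs[0x03:0x0B]!r}, not NTFS")
    bytes_per_sector, = struct.unpack_from("<H", bs, 0x0B)
    spc = bs[0x0D]
    # Windows 10 1709+ allows clusters above 64 KiB; the byte then holds a
    # negative log2, e.g. 0xF1 = -15 -> 2**15 sectors per cluster.
    sectors_per_cluster = 2 ** (256 - spc) if spc > 0x80 else spc
    cluster_size = bytes_per_sector * sectors_per_cluster
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", bs, 0x28)
    serial, = struct.unpack_from("<Q", bs, 0x48)
    return {
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "volume_bytes": total_sectors * bytes_per_sector,
        "mft_lcn": mft_lcn,
        "mft_offset": mft_lcn * cluster_size,         # byte offset of $MFT from volume start
        "mftmirr_offset": mftmirr_lcn * cluster_size,
        "mft_record_size": _record_size(bs[0x40], cluster_size),
        "index_record_size": _record_size(bs[0x44], cluster_size),
        "serial_number": f"{serial:016X}",
    }


def find_nonzero_reserved(bs: bytes) -> list:
    """Return (offset, bytes) for every reserved field that is not all zero."""
    return [(start, bs[start:end]) for start, end in MUST_BE_ZERO if any(bs[start:end])]


if __name__ == "__main__":
    sector = build_sample_boot_sector(b"KEY!")
    for key, value in parse_ntfs_boot_sector(sector).items():
        print(f"{key:>18}: {value}")
    for offset, data in find_nonzero_reserved(sector):
        print(f"reserved field at 0x{offset:02X} is non-zero: {data.hex()}")
```

On a real image, read the 512 bytes at the partition's start offset (the hidden-sectors value times the sector size on a disk image, or offset 0 on a volume image) and seek to `mft_offset` to reach the first MFT record ($MFT itself). The reserved-field check is only a first-pass heuristic: bootstrap code at 0x54 onward is legitimately non-zero and would need to be compared against a known-good boot sector instead.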

Key Terms in this Chapter

File Carving: Recovery of files from raw data without the help of the file system or the metadata it provides, typically by searching for known file signatures.

Recovery: Retrieving deleted or inaccessible data.

File System: The method an operating system uses to store and retrieve data through a specific on-disk data structure; it varies with the operating system.

Non-Volatile Data: Data that remains in storage after the power is turned off, such as data on a hard disk.

Magic Bytes: The first few bytes of a file, whose hex values form the signature of the corresponding file type (for example FF D8 FF for JPEG).

Digital forensics: The process of identifying, collecting, preserving, examining, analyzing, and presenting digital evidence is called digital forensics.

Volatile Data: Data held in memory only while the system is powered. The contents of RAM are one example; once the system is turned off, all data in RAM is lost.
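The File Carving and Magic Bytes terms above describe one technique; the following Python, an added example and not code from the chapter, carves JPEG and PNG files out of a raw byte image purely by signature, with no file-system metadata. The image it scans is constructed inline (zero and 0xAA filler around a minimal JPEG, a valid 1x1 PNG, and a truncated PNG fragment) to show both a header/footer carve and a structure-aware carve, and how a fragment without a complete structure is skipped rather than mis-carved.

```python
import re
import struct
import zlib

# Magic bytes to hunt for. JPEG has a footer (FF D9); PNG is carved by walking
# its length-prefixed chunks to the IEND chunk, which is more reliable than a
# footer search because the bytes "IEND" can legitimately occur inside data.
SIGNATURES = {
    "jpg": {"header": b"\xff\xd8\xff", "footer": b"\xff\xd9"},
    "png": {"header": b"\x89PNG\r\n\x1a\n", "footer": None},
}


def _png_length(data: bytes, start: int) -> int:
    """Length of the PNG starting at `start`, or 0 if its chunk chain is
    truncated or corrupt before IEND (the file is then not carved)."""
    pos = start + 8                                   # skip the 8-byte signature
    while pos + 12 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        pos += 12 + length                            # length + type + data + CRC
        if ctype == b"IEND":
            return pos - start
    return 0


def carve(image: bytes, max_size: int = 16 * 1024 * 1024) -> list:
    """Scan a raw image for known headers and return (offset, type, bytes)
    for every complete file found, ordered by offset."""
    found = []
    for ftype, sig in SIGNATURES.items():
        for match in re.finditer(re.escape(sig["header"]), image):
            start = match.start()
            if sig["footer"] is None:
                length = _png_length(image, start)
                if length == 0:
                    continue
                end = start + length
            else:
                # Header/footer carving: stop at the first footer within
                # max_size. This cuts a JPEG short at an embedded EXIF
                # thumbnail, which ends with its own FF D9.
                end = image.find(sig["footer"], start + len(sig["header"]), start + max_size)
                if end < 0:
                    continue
                end += len(sig["footer"])
            found.append((start, ftype, image[start:end]))
    return sorted(found)


def build_sample_png() -> bytes:
    """Constructed 1x1 red PNG: a valid file, not taken from any disk."""
    def chunk(ctype: bytes, data: bytes) -> bytes:
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one red pixel
    return SIGNATURES["png"]["header"] + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


# Constructed minimal JPEG: SOI, a 16-byte APP0/JFIF segment, zero filler, EOI.
# Enough structure to carve; not a decodable picture.
SAMPLE_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
               + b"\x00" * 40 + b"\xff\xd9")


def build_sample_image() -> bytes:
    """Constructed 'unallocated space': filler around a JPEG, a PNG, and a
    truncated PNG fragment that has a header but never reaches IEND."""
    png = build_sample_png()
    return (b"\x00" * 512
            + SAMPLE_JPEG + b"\x00" * (1024 - len(SAMPLE_JPEG))   # JPEG at offset 512
            + b"\xaa" * 512
            + png                                                 # PNG at offset 2048
            + b"\x00" * 300
            + png[:20]                                            # fragment: signature + IHDR length/type + 4 bytes
            + b"\x00" * 200)


if __name__ == "__main__":
    for offset, ftype, data in carve(build_sample_image()):
        print(f"0x{offset:08X}  {ftype}  {len(data)} bytes")
```

Against a real image, pass the bytes of the unallocated clusters (or the whole volume) to `carve` and write each returned buffer to a file named after its offset; the offset is the evidence locator, since a carved file has no name, timestamps or path of its own.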
