Retrieving deleted or inaccessible data is called recovery.
Published in Chapter:
Forensics Analysis of NTFS File Systems
Kumarbhai Shamjibhai Sondarva (Sardar Vallabhbhai National Institute of Technology, India), Adarsh Kumar (Sardar Vallabhbhai National Institute of Technology, India),
Bhavesh N. Gohil (Sardar Vallabhbhai National Institute of Technology, India),
Sankita J. Patel (Sardar Vallabhbhai National Institute of Technology, India),
Sarang Rajvansh (National Forensic Sciences University, India), and
Ramya T. Shah (National Forensic Sciences University, India)
Copyright: © 2023
Pages: 28
DOI: 10.4018/978-1-6684-8133-2.ch008
Abstract
The internet and computers are reaching everywhere, and everything is becoming connected through them. Users rely on computers to make life easier and work faster. At the same time, many attacks and instances of cybercrime have occurred. Digital forensics is therefore necessary and plays a crucial role. NTFS is one of the most popular file systems used by the Windows operating system, and this chapter provides information for forensic analysis of the NTFS file system. The chapter describes digital forensics, the stages of digital forensics, and the types of digital forensics. NTFS is discussed in brief along with the master file table (MFT). The same section also discusses the method to detect hidden data in the boot sector and the analysis of the registry, prefetch, shellbags, and web browsers. The chapter discusses the collection of volatile and non-volatile data. It also describes the artifacts that an investigator must seek, along with the tools used to collect and analyze them and the strategies used for investigation and analysis. Data recovery and file carving are also discussed.