
Digital Forensic Analysis of Hard Disk for Evidence Collection.


Digital evidence is information stored or transmitted in binary form that may be relied on in court. It can be found on a computer hard drive, a mobile phone, a personal digital assistant, a CD and a flash card in a digital camera, among other places. Digital evidence is commonly associated with electronic crime, or e-crime, such as child pornography or credit card fraud. However, digital evidence is now used to prosecute all types of crimes, not just e-crime. For example, suspects' email or mobile phone files might contain critical evidence regarding their intent, their whereabouts at the time of a crime and their relationships with other suspects. Computers may constitute a 'scene of a crime', for example with hacking or denial of service attacks, or they may hold evidence in the form of emails, internet history, documents or other files relevant to crimes such as murder, kidnap, fraud and drug trafficking.

It is not just the content of emails, documents and other files which may be of interest to investigators but also the 'metadata' associated with those files. A computer forensic examination may reveal when a document first appeared on a computer, when it was last edited, when it was last saved or printed and which user carried out these actions.

Computers need a method for the long-term storage and retrieval of data. The Windows NTFS file system provides a mechanism for users to store data in a hierarchy of files and directories. A file system consists of structural and user data that are organized such that the computer knows where to find them. In most cases, the file system is independent of any specific computer. The basic reference model for a file system contains five data categories: file system, content, metadata, file name and application [1]. All data in a file system belong to one of these categories based on the role they play in the file system. Table 1 depicts the data structures in the various categories of the file system.

If an MFT (Master File Table) file record in NTFS has more than one $DATA attribute, each additional $DATA attribute is called an ADS (Alternate Data Stream). An ADS can be used to hide data in the NTFS file system, because an ADS does not show up in a directory listing and the file size of the original file does not change. The size of the data that can be hidden in an ADS is unlimited. One major difference between this data hiding technique and others is that an ADS is relatively easy to create [10]. This raises the need for a forensic investigation of ADS to identify whether any unknown information is hidden in them. Similarly, a malicious user, in order to hide malicious activity, might simply delete the files used on the hard disk. Analysis of the MFT header is helpful in recovering such deleted files from the hard disk.

The paper is structured as follows: Section 2 covers the existing work on file system forensics. Section 3 discusses the approach and the algorithms devised to carry out the forensic investigation of the file system to identify and extract hidden data; it also covers the approach to recovering deleted data. The results are covered in Section 4. The conclusion and future work are covered in Section 5.


The file system on the hard disk holds the digital evidence of a crime. This necessitates a forensic investigation of the file system. This section surveys the strategies and techniques developed so far for the forensic investigation of file systems.

Since most desktop and laptop computers use Windows according to the usage share of operating systems, Rune Nordvik, Yi-Ching Liao, and Hanno Langweg implemented AccountabilityFS for modern versions of Windows, including Windows 7, 8 and 8.1 (32-bit and 64-bit) [2].

A survey of the existing tools and techniques for digital forensic analysis is given in [3].

Pei-Hua Yen, Chung Huang Yang and Tae-Nam Ahn proposed the design and implementation of a live-analysis digital forensic system [4]. The work uses open source digital forensic tools based on Linux, chosen with software stability in mind, and applies live analysis to data collection and design.

Gyu-Sang Cho et al. provide a forensic analysis method for the directory index in NTFS file systems; NTFS employs B-tree indexing for efficient storage of many files and fast lookups [5]. Kevin Fairbanks proposed a technique for measuring data persistence using the Ext4 file system journal, in which digital forensic tools and techniques are used to extract data from media [6].

Chen Wei and Liu Chun-Mei analysed and proposed a design of the Linux file system based on computer forensics; in this research, the object-oriented method is used to design the parsing platform for the Linux file system [7]. In [8], a method for tracking a file's metadata through computer memory analysis is proposed. The aim of that work is to present an algorithm that tracks the metadata of files from well-known Windows file systems such as FAT and NTFS.

The need for alternate data streams and their functionality are explained in [9]. It also discusses how a hacker can use this NTFS functionality to hide malicious code on a victim's machine in order to compromise it. An ADS graphical tool that enables users to create, start, detect and delete ADS has also been proposed.


This section describes the digital forensic investigation of the NTFS file system to recover deleted files and to identify and extract hidden data.

File carving is a method that recovers files from unallocated space without any file system information and is used to recover data. In general, file carving recovers a file using the inherent header and footer of the file, or the entire file size recorded in the file header [11]. The proposed approach for the recovery of deleted files from the NTFS file system involves three steps.
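As an added illustration of the two carving strategies just described (not the authors' tool), the Python below scans a buffer standing in for unallocated space. JPEG and PNG are carved from their header/footer pair; BMP is carved from the total file size stored in its header, which is the second strategy. The signatures are the standard magic values, and the sample buffer is constructed inline with three small fake files.

```python
import struct

# Header/footer signatures for two common file types (standard magic
# values, not taken from the paper).
SIGNATURES = {
    "jpg": (b"\xFF\xD8\xFF", b"\xFF\xD9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def carve(data: bytes, max_size: int = 10 * 1024 * 1024) -> list:
    """Scan a buffer of unallocated space and return (type, offset, bytes)
    for every carved file, using either a header/footer pair or the file
    size declared in the header (BMP stores its total size at offset 2)."""
    found = []
    for ftype, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := data.find(header, pos)) != -1:
            end = data.find(footer, start + len(header), start + max_size)
            if end == -1:
                pos = start + 1          # no footer within max_size: skip this header
                continue
            end += len(footer)
            found.append((ftype, start, data[start:end]))
            pos = end                    # resume after the carved file
    pos = 0
    while (start := data.find(b"BM", pos)) != -1:
        pos = start + 1
        if start + 6 > len(data):
            break
        size = struct.unpack_from("<I", data, start + 2)[0]
        # Sanity-check the declared size before trusting it.
        if 14 <= size <= max_size and start + size <= len(data):
            found.append(("bmp", start, data[start:start + size]))
            pos = start + size
    found.sort(key=lambda hit: hit[1])
    return found


def build_sample_unallocated() -> bytes:
    """Constructed sample: zero filler with a fake JPEG, PNG and BMP embedded."""
    filler = b"\x00" * 64
    jpg = b"\xFF\xD8\xFF\xE0" + b"J" * 40 + b"\xFF\xD9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 30 + b"IEND\xaeB`\x82"
    body = b"B" * 50
    bmp = b"BM" + struct.pack("<I", 14 + len(body)) + b"\x00" * 8 + body
    return filler + jpg + filler + png + filler + bmp + filler


if __name__ == "__main__":
    for ftype, offset, blob in carve(build_sample_unallocated()):
        print(f"{ftype}: offset {offset}, {len(blob)} bytes")
```

On a real image the buffer would be the unallocated clusters taken from $Bitmap; the max_size bound and the declared-size sanity check are what keep a stray header from swallowing the rest of the disk.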

* Acquisition: It involves acquiring the hard disk image having NTFS file system.

* Analysis: This stage involves analyzing the hard disk image to recover the deleted data from the NTFS file system.

* Reporting: It involves creating a report on the digital evidence identified, covering the deleted files and those which have been recovered.

The basic process model for the digital forensic investigation of the NTFS file system is as follows:

1. Identification: This recognizes an incident from digital devices and determines its type.

2. Preparation: Entails the preparation of forensic tools, techniques, and monitoring authorizations.

3. Preservation: Opening the physical drive with read permissions.

4. Collection: Recording the physical scene and duplicating the digital evidence by creating disk images.

5. Examination:

5.1. Find the partition entry which holds the NTFS partition.

5.2. Navigate to the beginning of the Master File Table.

5.3. Find the root directory metafile entry in the MFT and extract its index allocation attribute data.

5.4. Process the INDX records found within the index allocation attribute data one by one, recursively, until a file matching the one being looked for is found.

5.5. In the index entry that matched, find the MFT record number and move to that record position within the MFT.

5.6. Record the MFT entry and process its standard attribute headers one by one until the data attribute is encountered.

5.7. Use the process of attribute data extraction in order to retrieve the data attribute, which contains the contents of the file that is being accessed.

6. Reporting: After completion of the investigation, the investigator presents the data or information, usually in the form of a written report.

3.1 Proposed Tool

The proposed tool involves two phases, viz. file extraction and file analysis, as in figure 1. In the file extraction phase the disk image is created, or it can be directly imported from an attached device. The boot sector is read to locate the start location of the MFT and the root directory entry, which are the major attributes used to recover deleted files.

Detailed analysis is done in the file analysis phase. The attributes obtained in the file extraction phase are used for the recovery of deleted files. MAC times can be determined for analysis.

The Hidden Evidence Analysis module finds evidence in deleted files, ADS and free space (file slack, volume slack). The output of this module is loaded into the database.

In the Monitor File Forensic Activity module, the FileSystemWatcher class monitors file forensic activity such as who deleted, accessed or altered files.

The database stores data regarding each file, such as file name, file type, creation time, modification time, deletion time and last access time.

The report generation module generates a report for each piece of evidence collected by the file system analysis subsystem from each digital device, such as the disk image of a disk drive.

3.2 Data Structure Design

The various data structures used in the forensic investigation of the file system are summarized as follows:

1. Disk Image Table

Disk image table holds the information about the disk image considered for the forensic investigation. The structure of this table is as follows:
Did int[10],
Dname Varchar[20],
FileSystemType Varchar[20],
DiskPath Varchar[20],
ImageMACtime Varchar[20]

The description of these attributes is as follows:
Did: Disk image id
Dname: Name of the disk
FileSystemType: File system type
DiskPath: Disk path
ImageMACtime: Modify, Access and Creation time of the disk

2. Recovered Files Table

This table holds the metadata of the recovered files. The structure of this table is as follows:
File_id int,
Fname Varchar[10],
Recovery_type Varchar[10],
IsDataHidden Boolean

The description of these attributes is as follows:
File_id: File identification
Fname: File name
Recovery_type: Metadata or content based recovery
IsDataHidden: Returns true if data is hidden

3. Hidden Data Table

The information about the hidden data is stored in this table. The structure of this table is as follows:
File_id int
Did int
IsDelete Boolean

The description of these attributes is as follows:
File_id: File identification
Did: Disk image identification
IsDelete: Returns true if the file is deleted.

4. File Forensic Table

This table holds the forensic information obtained from the other tables. The structure of this table is as follows:
Fid int
Did int
Fname Varchar[10]
FileType Varchar[10]
MACtime Varchar[10]
IsDelete boolean
IsRecovered boolean

The description of these attributes is as follows:
Fid: File identification
Did: Disk image id
Fname: File name
FileType: Type of the file recovered
MACtime: Modify, Access and Creation time of the disk
IsDelete: Returns true if the file is deleted.
IsRecovered: Returns true if the file is recovered.

3.3 Algorithm Design

The algorithms for the various modules of the proposed tool are discussed as follows:

1. Function Name: PrepareDiskImage(Disk_Drive)

Input: Disk Drive

Output: Disk image of the disk drive

Variables: handle, driveName, source, destination, HexImage

Purpose: This algorithm takes the disk drive as input and copies each byte of the disk drive to create a disk image. First it creates a handle to read the disk drive with read

1. handle = CreateFile(driveName) // Use CreateFile Windows API in read mode to create file
2. if file handle is invalid
3.     return with error
4. else
5.     do
6.         i = source.ReadByte() // Read disk drive byte by byte
7.         if (i != -1)
8.             { destination.WriteByte((byte)i) } // Copy disk drive byte by byte to the new image
9.             HexImage = // Convert disk image to hex format
10.        end if
11.        if information read is 0 then
12.            return with Copy failed status
13.        end if
14.    end if

2. Function Name: GetBootSector(Disk_Image)

Input: Disk Image

Output: Load Boot Sector

Variable: handle, driveName, HexImage, BootSector[]

Purpose: This algorithm takes as input the disk image and loads the boot sector of drive.

1. PrepareDiskImage(driveName)
2. handle = CreateFile(driveName) // Use CreateFile Windows API in read mode to create file
3. if file handle is invalid then
4.     return with error
5. else
6.     do
7.         BootSector[i] = // Read first 512 bytes of disk image
8.         if information read is 0 then
9.             return with read failed status
10.        end if
11.    end if

3. Function Name: ShowFileSystemInformation()

Input: Boot Sector loaded from disk image

Output: File System Type, Volume Serial Number

Variable: Boot Sector[], FileSysType, VolumeSerialNum

Purpose: This algorithm takes as input the boot sector of disk drive and returns file system information such as file system type and volume serial number.

1. GetBootSector(Disk_Image)
2. FileSysType = BootSector.ReadByte(0x07) // 0x07th byte stores the file system type
3. If (FileSysType ==
4.     VolumeSerialNum =
5. Else
6.     VolumeSerialNum =
7. End if
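Functions 2 and 3 above read the boot sector and take the file system type and volume serial number from it; the same sector also gives the cluster size and the $MFT location that the later functions need. As an added example (not the authors' code), the Python below decodes those fields from a 512-byte NTFS boot sector using the NTFS on-disk layout (OEM ID at offset 3, bytes per sector at 0x0B, sectors per cluster at 0x0D, $MFT cluster at 0x30, clusters per file record at 0x40, volume serial at 0x48). The sector it parses is constructed inline; boot_sector_from_image and its partition_offset parameter are this example's own names.

```python
import struct


def file_record_size(clusters_per_record: int, bytes_per_cluster: int) -> int:
    """The clusters-per-file-record field is a signed byte: a positive value
    counts clusters, a negative value n means 2**(-n) bytes (0xF6 = -10
    gives the usual 1024-byte MFT record)."""
    if clusters_per_record < 0:
        return 2 ** (-clusters_per_record)
    return clusters_per_record * bytes_per_cluster


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the boot sector fields a forensic tool needs to locate the MFT:
    cluster geometry, $MFT/$MFTMirr position, record size and volume serial."""
    if len(sector) < 512 or sector[510:512] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot sector signature")
    oem_id = sector[3:11]                     # 8-byte OEM ID, "NTFS    " on NTFS
    if oem_id != b"NTFS    ":
        raise ValueError(f"not an NTFS boot sector: OEM ID {oem_id!r}")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    total_sectors, mft_cluster, mftmirr_cluster = struct.unpack_from("<QQQ", sector, 0x28)
    clusters_per_record = struct.unpack_from("<b", sector, 0x40)[0]
    serial = struct.unpack_from("<Q", sector, 0x48)[0]
    bytes_per_cluster = bytes_per_sector * sectors_per_cluster
    return {
        "file_system": oem_id.decode("ascii").strip(),
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "bytes_per_cluster": bytes_per_cluster,
        "total_sectors": total_sectors,
        "mft_offset": mft_cluster * bytes_per_cluster,       # byte offset of $MFT
        "mftmirr_offset": mftmirr_cluster * bytes_per_cluster,
        "file_record_size": file_record_size(clusters_per_record, bytes_per_cluster),
        "volume_serial": f"{serial:016X}",
    }


def boot_sector_from_image(path: str, partition_offset: int = 0) -> dict:
    """Read the boot sector of a raw image, or of the NTFS partition that starts
    at partition_offset bytes into it (step 5.1 of the process model)."""
    with open(path, "rb") as img:
        img.seek(partition_offset)
        return parse_ntfs_boot_sector(img.read(512))


def build_sample_boot_sector() -> bytes:
    """Constructed NTFS boot sector for demonstration (not from a real volume)."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x52\x90"                  # jump instruction
    s[3:11] = b"NTFS    "
    struct.pack_into("<HB", s, 0x0B, 512, 8)  # 512-byte sectors, 8 per cluster
    s[0x15] = 0xF8                            # media descriptor: fixed disk
    struct.pack_into("<QQQ", s, 0x28, 204800, 8533, 12800)
    struct.pack_into("<b", s, 0x40, -10)      # 2**10 = 1024-byte file records
    struct.pack_into("<Q", s, 0x48, 0x1234ABCD5678EF90)
    s[510:512] = b"\x55\xAA"
    return bytes(s)


if __name__ == "__main__":
    for key, value in parse_ntfs_boot_sector(build_sample_boot_sector()).items():
        print(f"{key}: {value}")
```

The mft_offset value is the "MFT Start Loc" that the following functions seek to; record n of the MFT then lies at mft_offset + n * file_record_size, and the $MFTMirr copy gives a second place to read the first records from if the primary is damaged.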

4. Function Name: ListAllocatedFiles()

Input: DiskImage

Output: List of allocated files

Variables: MFT Loc, MFT Start Loc, File Name

Purpose: This algorithm locates the MFT and parses the content of all File Name attributes to return the allocated file names.

1. GetBootSector(DiskImage)
2. MFT Loc = BootSector.ReadByte
3. MFT Start Loc = BitConverter.ToInt(MFT Loc)
4. FileName = destination.ReadByte(MFT Start Loc+48)
5. While (true)
6.     Return all file names stored in File Name Attribute
7. End while

5. Function Name: ListDeletedFileNames()

Input: DiskImage

Output: List of deleted files

Variable: MFT Loc, MFT Start Loc, File Name, Hard Link Name

Purpose: This algorithm maps the Hard Link Name to the File Name attribute to give the list of deleted files.

1. GetBootSector(DiskImage)
2. MFT Loc = BootSector.ReadByte
3. MFT Start Loc = BitConverter.ToInt(MFT Loc)
4. Hard Link Name = destination.ReadByte(MFT Start Loc+20)
5. FileName = destination.ReadByte(MFT Start Loc+48)
6. While (Hard Link Name != null)
7.     If (Hard Link Name != File Name)
8.         Return Hard Link
9.     End if
10. End while

6. Function Name: RecoverDeletedFiles(List_of_deleted_files)

Input: List of deleted files

Output: Recovered deleted files

Variable: wFlags, handle, RecoveredData

PART 1 - Determine whether the file is deleted or not
1. if (file system == NTFS) then
2.     Traverse through the MFT header record to obtain details of the wFlags field
3.     if (wFlags == 1) then
4.         return "file is in use"
5.     else
6.         return "file is deleted"
7.     end if
8. end if
9. else if (file system == FAT) then
10.    if (directory entry begins with sigma 0xe5 && pointers changed to zero for each cluster used by the file) then
11.        return "file is deleted"
12.    else
13.        return "file is in use"
14.    end if
15. end if

PART 2 - Retrieve a file
1. Set the physical drive handle
2. Set the starting sector of the file system
3. initialize, i.e. read all MFT in to the
4. ListDeletedFiles(Disk_Image)
5. get the Hard Link or File Name for deleted files
6. RecoveredData = ; // extract the file content in to a
7. new Location = // create the same file in a new location
8. save the file data on to the new file
9. close the handle.

7. Function Name: GetMACtime(FileName)

Input: FileName

Output: Modify, Access, Creation time

1. Set the physical drive handle
2. Set the starting sector of file
3. initialize, i.e. read all MFT in to the
4. Parse Individual INDX Record Entry Structure to get MAC
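The examination steps of the process model (locate the MFT record, walk its attribute headers until $DATA) and functions 5 to 7 (deleted-file status from the record flags, names from the File Name attribute, MAC times) can all be exercised offline on a single FILE record. The Python below is an added example, not the authors' tool: it parses one 1024-byte MFT record, applies the update-sequence fixups, and reports the in-use flag (the paper's wFlags), the $FILE_NAME names, the $STANDARD_INFORMATION timestamps and every $DATA stream, treating a named $DATA attribute as an ADS. Field offsets follow the NTFS on-disk format; the record it parses is constructed by build_sample_record, so no disk image is needed.

```python
import struct
from datetime import datetime, timedelta, timezone

STANDARD_INFORMATION, FILE_NAME, DATA = 0x10, 0x30, 0x80   # NTFS attribute type codes
RECORD_IN_USE = 0x0001                                      # bit 0 of the flags at 0x16


def filetime(value: int) -> str:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return (datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=value // 10)).isoformat()


def apply_fixup(record: bytearray) -> None:
    """Undo update-sequence fixups: each 512-byte sector ends in the USN; real bytes are in the USA."""
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = bytes(record[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * 512
        if record[end - 2:end] != usn:
            raise ValueError("update sequence mismatch: damaged record")
        record[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]


def parse_mft_record(raw: bytes) -> dict:
    """Walk one FILE record: in-use flag, $FILE_NAME names, MAC times from
    $STANDARD_INFORMATION and every $DATA stream name (named $DATA = ADS)."""
    rec = bytearray(raw)
    if rec[0:4] != b"FILE":
        raise ValueError("not a FILE record")
    apply_fixup(rec)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & RECORD_IN_USE), "names": [], "mac": {}, "data_streams": []}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:     # end-of-attributes marker
            break
        non_resident, name_len, name_off = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        if atype == DATA:
            info["data_streams"].append(name)    # "" is the unnamed default stream
        elif not non_resident:
            csize, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + csize]
            if atype == STANDARD_INFORMATION:
                created, modified, _, accessed = struct.unpack_from("<QQQQ", content, 0)
                info["mac"] = {"created": filetime(created), "modified": filetime(modified),
                               "accessed": filetime(accessed)}
            elif atype == FILE_NAME:
                fn_len = content[0x40]
                info["names"].append(content[0x42:0x42 + 2 * fn_len].decode("utf-16-le"))
        off += alen
    info["ads"] = [s for s in info["data_streams"] if s]
    return info


def find_deleted_and_ads(mft: bytes, record_size: int = 1024) -> list:
    """Walk an $MFT dump and report records that are deleted or carry an ADS."""
    hits = []
    for n in range(len(mft) // record_size):
        raw = mft[n * record_size:(n + 1) * record_size]
        if raw[0:4] != b"FILE":                  # unused or zeroed record
            continue
        info = parse_mft_record(raw)
        if not info["in_use"] or info["ads"]:
            hits.append((n, info["names"], info["in_use"], info["ads"]))
    return hits


def _attr(atype: int, content: bytes, name: str = "") -> bytes:
    """Build one resident attribute (helper for the constructed sample only)."""
    name_bytes = name.encode("utf-16-le")
    content_off = 0x18 + len(name_bytes)
    content_off += (-content_off) % 8
    total = content_off + len(content)
    total += (-total) % 8
    a = bytearray(total)
    struct.pack_into("<IIBBHHH", a, 0, atype, total, 0, len(name), 0x18, 0, 0)
    struct.pack_into("<IH", a, 0x10, len(content), content_off)
    a[0x18:0x18 + len(name_bytes)] = name_bytes
    a[content_off:content_off + len(content)] = content
    return bytes(a)


def build_sample_record(name: str, in_use: bool, ads_name: str = "") -> bytes:
    """Constructed 1024-byte MFT record with fixups applied (not from a real disk)."""
    t = 132_000_000_000_000_000                  # constructed FILETIME (2019-04-17)
    si = struct.pack("<QQQQ", t, t + 10_000_000, t, t + 20_000_000) + bytes(16)
    fn = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    attrs = _attr(STANDARD_INFORMATION, si) + _attr(FILE_NAME, fn) + _attr(DATA, b"visible text")
    if ads_name:
        attrs += _attr(DATA, b"hidden payload", ads_name)
    attrs += b"\xFF\xFF\xFF\xFF" + bytes(4)
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 4, 0x30, 3)      # USA at 0x30: USN + 2 entries
    struct.pack_into("<HH", rec, 0x14, 0x38, RECORD_IN_USE if in_use else 0)
    struct.pack_into("<H", rec, 0x30, 7)          # update sequence number
    rec[0x38:0x38 + len(attrs)] = attrs
    for i in (1, 2):                              # save sector-end bytes, stamp the USN
        end = i * 512
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end - 2:end]
        rec[end - 2:end] = rec[0x30:0x32]
    return bytes(rec)
```

On a real image the record for entry n is read at the MFT start offset plus n times the record size. A record whose flags lack bit 0 is the "file is deleted" case of PART 1 above; its names, timestamps and resident data stay readable until NTFS reuses the record, which is why the MFT header analysis recovers deleted files. A record with more than one $DATA attribute is the ADS case from the introduction, and the stream names are visible here even though a directory listing hides them.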

8. Function Name: HiddenEvidenceAnalysis(Disk_Drive)

Input - Disk Drive

Output - Hidden Data in ADS

Variable: Current Stream, memory stream

Purpose: Searches multiple data streams to retrieve hidden data

1. Use the FindFirstStreamW API to enumerate the first stream with a ::$DATA stream type, with parameter values: a file name, the information level of the returned data, a pointer to a buffer that receives the file stream data, and a flag with value 0.
2. if file handle is invalid then
3.     return with error message
4. Else
5.     Add Current Stream to list;
6.     While (FindNextStreamW(Handle, Current Stream) returns valid Handle)
7.         Initialize new memory stream
8.         Use read method to retrieve hidden content and store it in a stream

9. Function Name: MonitorFileForensicActivities(Disk_Drive)

Input: Disk Drive

Output: Changes made by attacker

Variable: handle, ip, FileSystemWatcher

Purpose: This algorithm captures the changes made by an attacker and monitors the attacker's activities.

1. handle = CreateFile(driveName) // Use CreateFile Windows API in read mode to create file
2. if file handle is invalid then
3.     return with error message
4. else
5.     do
6.         Use FileSystemWatcher API to monitor activity
7.     End do
8.     if (ip.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork) // to capture IP address of an attacker
9.         return ip.ToString();
10.    end if


The tool to recover deleted data from the hard disk and to identify and extract hidden data is implemented as discussed in Section 3. This section shows screenshots of the proposed tool. The tool has an ADS Detection module to identify hidden data in the file system and a Recovery module to recover deleted data from the hard disk. The proposed approach is compared with the existing work on hard disk forensics; the following improvements have been included in the proposed approach.

1. The proposed approach identifies the hidden evidence on the hard disk apart from retrieving the deleted files.

2. The proposed approach also identifies if any changes have been made by the attacker.

Figure 2 shows a snapshot of the proposed File System Analysis tool to identify the hidden data and recover the deleted data.

Figure 3 shows the hidden file and directory identified using the proposed tool. The deleted files are recovered using our proposed tool as shown in figures 4 and 5.

Using our tool, files which were permanently deleted from the disk drive are recovered. These files are shown in figure 5.


In this work, the importance of digital forensic investigation of the file system in recovering deleted data from the hard disk has been discussed. Hidden data analysis is important as it helps in identifying suspicious or sensitive information hidden by malicious insiders or external entities. After going through the various existing algorithms for identifying and displaying hidden data, recovering deleted files and forensically analysing the deleted files, and after studying the existing file forensic tools, a new file forensic model and tool for file system analysis and forensic analysis is proposed.


[1.] Carrier B.: File System Forensic Analysis, Addison Wesley Professional (2005), ch. 8 pp. 129-131.

[2.] Nordvik R., Liao Y., Langweg H.: AccountabilityFS: A file system monitor for forensic readiness, Intelligence and Security Informatics Conference (JISIC) (2014).

[3.] Sivaprasad A., Jangale S.: A Complete Study on Tools & Techniques for Digital Forensic Analysis, Computing, Electronics and Electrical Technologies (ICCEET), International Conference IEEE (2012).

[4.] Yen P., Yang C., Ahn T.: Design and Implementation of a Live-analysis Digital Forensic System, International Conference on Convergence and Hybrid Information Technology, ACM (2009).

[5.] Cho G.: NTFS Directory Index Analysis for Computer Forensics, 9th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, IEEE (2015).

[6.] Fairbanks K.: A Technique for Measuring Data Persistence using the Ext4 File System Journal, IEEE 39th Annual International Computers, Software & Applications Conference (2015).

[7.] Wei C., Chun-Mei L.: The Analysis and Design of Linux File System Based on Computer Forensic, International Conference On Computer Design And Applications (2010).

[8.] AkramZainolArfin K., Mahmood A.: Tracking File's metadata from Computer Memory Analysis, IEEE International Conference on Computer and Information Technology; Ubiquitous Computing and Communications; Dependable, Autonomic and Secure Computing; Pervasive Intelligence and Computing (2015).

[9.] Mahajan R., Singh M., Miglani S.: ADS: Protecting NTFS From Hacking, IEEE International Conference on Recent Advances and Innovations in Engineering, Jaipur, India (2014).

[10.] Yao Qingshan Y., Chunying G.: Research and Implementation of Data Recovery Technology Based on WINDOWS FAT, IEEE (2010).

[11.] Metz J.: carving NTFS-compressed files, Hoffmann Investigation, http: // (2009).

Bandu B. Meshram (1), Dinesh N. Patil (2)

Veermata Jijabai Technological Institute Matunga, Mumbai, India (1), (2)
Table 1. Data structures in each data category for the file systems

Category      FAT                       NTFS
File System   Boot sector, FAT          $Boot, $Volume, $AttrDef
Content       Clusters, FAT             Clusters, $Bitmap
Metadata      Directory entries, FAT    $MFT, $MFTMirr, $STANDARD_INFORMATION, $DATA, $ATTRIBUTE_LIST
File Name     Directory entries         $FILE_NAME, $IDX_ROOT, $IDX_ALLOCATION, $BITMAP
Application                             Disk Quota

COPYRIGHT 2018 The Society of Digital Information and Wireless Communications

Article Details
Author:Meshram, Bandu B.; Patil, Dinesh N.
Publication:International Journal of Cyber-Security and Digital Forensics
Article Type:Report
Date:Apr 1, 2018
