Abstract
Devices contain lots of data from their users. Many people nowadays have a smartphone or personal computer that collects personal data: documents, images, and the like, but also their metadata. Devices used by criminals often contain digital traces of their criminal activities. Digital forensic practitioners uncover and analyze this data so that it can be used in court. Data is often stored in file systems by file system drivers. NTFS is a popular file system for Windows users, but there are also NTFS drivers for UNIX-like operating systems. These drivers differ in how they write to storage media: each has its own fingerprint. Up until now, these fingerprints were an untapped source of forensic information. We introduce a novel method to discover NTFS driver fingerprints and use them to show that a specific driver was used on a storage medium: our black-box testing technique uncovers the telltale differences that NTFS drivers exhibit when interacting with storage media. We test drivers for three OSes used in everyday life: Windows, macOS, and Ubuntu. We additionally introduce a proof-of-concept implementation of NTFS driver detection based on their fingerprints. Digital forensics practitioners should use this detection method to know what operating systems and what drivers have touched the storage media they analyze, in order to extract more evidence from them.
Date of Award | 18 Dec 2023 |
---|---|
Original language | English |
Supervisor | Hugo Jonker (Examiner) & G Alpár (Co-assessor) |
Master's Degree
- Master Software Engineering