BITS DON’T LIE, DETECTING NTFS DRIVER FINGERPRINTS

  • Nick Borchers

Student thesis: Master's Thesis

Abstract

Devices contain lots of data from their users. Many people nowadays have a smartphone or personal computer that collects personal data: documents, images, and the like, but also their metadata. Devices used by criminals often contain digital traces of their criminal activities. Digital forensic practitioners uncover and analyze this data to be used in court. Data is often stored in file systems by file system drivers. NTFS is a popular file system for Windows users, but there are also drivers for UNIX-like operating systems. These drivers differ in terms of how they write to storage media: they have their own fingerprints. Up until now, these fingerprints were an untapped source of forensic information. We introduce a novel method to discover NTFS driver fingerprints and use them to show the use of a specific driver on a storage medium: our black-box testing technique uncovers the telltale differences that NTFS drivers exhibit when interacting with storage media. We test drivers for three OSes used in everyday life: Windows, macOS, and Ubuntu. We additionally introduce a proof-of-concept implementation of NTFS driver detection based on their fingerprints. Digital forensics practitioners should use this detection method to know what operating systems and what drivers have touched storage media they analyze to extract more evidence from them.
Date of Award: 18 Dec 2023
Original language: English
Supervisor: Hugo Jonker (Examiner) & G Alpár (Co-assessor)

Master's Degree

  • Master Software Engineering
