Towards detecting digital criminal activities using file system analysis

Abstract

Destroying or clearing evidence may be done for legitimate reasons, such as data protection, or to conceal cybercrime. Various techniques have been proposed for this purpose, including data wiping, which is intended to permanently remove data from computer disks. It is a common misconception, however, that wiping a file destroys every trace of it: evidence, including metadata, may still remain in the file system. This paper examines tools that implement several data-wiping methods and investigates whether data or metadata can be retrieved after full or partial wiping. Our research found evidence in the $MFT, $LogFile and $UsnJrnl structures of the NTFS file system indicating that a file or its data had been present on the disk at some point. The results highlight the need for caution when relying on data-wiping tools, whether for data protection or to conceal cybercrime, as they may not provide complete protection.
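
As an added illustration of the $UsnJrnl evidence the abstract refers to (example code written for this entry, not code from the paper or its authors): the NTFS change journal, the $J data stream of $UsnJrnl, stores one USN_RECORD_V2 per file-system event, and each record carries the file name, the MFT file reference, reason flags and a timestamp. The parser below decodes such records from a constructed byte buffer that models a hypothetical wiper sequence (overwrite in place, rename to a meaningless name, delete). The record layout, field order and reason-flag values are the documented USN_RECORD_V2 ones; the event sequence, file names, MFT entry numbers and timestamps are assumptions made for the example and are not the paper's data.

```python
import struct
from datetime import datetime, timedelta, timezone

# Reason flags from the documented USN_RECORD_V2 layout (subset; other bits decode as hex).
USN_REASON = {
    0x00000001: "DATA_OVERWRITE",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}
# Fixed 60-byte USN_RECORD_V2 header, little-endian: RecordLength, MajorVersion, MinorVersion,
# FileReferenceNumber, ParentFileReferenceNumber, Usn, TimeStamp, Reason, SourceInfo,
# SecurityId, FileAttributes, FileNameLength, FileNameOffset (name follows, UTF-16LE).
_HDR = struct.Struct("<IHHQQqqIIIIHH")
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime(dt):
    """datetime -> Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    d = dt - _FILETIME_EPOCH
    return (d.days * 86_400 + d.seconds) * 10_000_000 + d.microseconds * 10

def from_filetime(ft):
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def mft_ref(entry, seq):
    return (seq << 48) | entry  # NTFS file reference: 48-bit MFT entry + 16-bit sequence

def decode_reason(flags):
    names = [n for bit, n in sorted(USN_REASON.items()) if flags & bit]
    unknown = flags & ~sum(USN_REASON)
    return names + ([f"0x{unknown:08x}"] if unknown else [])

def build_record(usn, file_ref, parent_ref, ts, reason, name, attrs=0x20):
    """Serialize one USN_RECORD_V2; records are padded to 8-byte alignment."""
    name_bytes = name.encode("utf-16-le")
    length = (_HDR.size + len(name_bytes) + 7) & ~7
    hdr = _HDR.pack(length, 2, 0, file_ref, parent_ref, usn, ts, reason,
                    0, 0, attrs, len(name_bytes), _HDR.size)
    return hdr + name_bytes + b"\x00" * (length - _HDR.size - len(name_bytes))

def build_journal(events):
    """events: (file_ref, parent_ref, datetime, reason, name) or an int = N zero bytes."""
    out = bytearray()
    for ev in events:
        if isinstance(ev, int):
            out += b"\x00" * ev     # sparse, zero-filled region such as real $J streams contain
            continue
        file_ref, parent_ref, when, reason, name = ev
        # each record's USN is its byte offset in the stream, as in a real $J
        out += build_record(len(out), file_ref, parent_ref, filetime(when), reason, name)
    return bytes(out)

def parse_usn_records(buf):
    """Walk a $UsnJrnl:$J buffer and return the decoded V2 records in stream order."""
    records, off = [], 0
    while off + _HDR.size <= len(buf):
        fields = _HDR.unpack_from(buf, off)
        if fields[0] == 0:          # zero fill between records: step 8 bytes and retry
            off += 8
            continue
        (length, major, _minor, file_ref, parent_ref, usn, ts, reason,
         _src, _sec, attrs, name_len, name_off) = fields
        if major != 2 or length < _HDR.size or off + length > len(buf):
            raise ValueError(f"bad USN record at offset {off}")
        name = buf[off + name_off:off + name_off + name_len].decode("utf-16-le")
        records.append({"usn": usn, "timestamp": from_filetime(ts), "file_ref": file_ref,
                        "mft_entry": file_ref & 0xFFFFFFFFFFFF, "parent_ref": parent_ref,
                        "reason": reason, "reasons": decode_reason(reason),
                        "attrs": attrs, "name": name})
        off += length
    return records

def names_for_entry(records, mft_entry):
    """Every name the journal ever recorded for one MFT entry, in order of first use."""
    names = []
    for r in records:
        if r["mft_entry"] == mft_entry and r["name"] not in names:
            names.append(r["name"])
    return names

# Constructed sample (hypothetical, not data from the paper): a document is created, then a
# wiper overwrites it in place, renames it to a meaningless name and deletes it.
T0 = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
DOC, DIR = mft_ref(1234, 5), mft_ref(5, 5)
SAMPLE_JOURNAL = build_journal([
    (DOC, DIR, T0, 0x100 | 0x80000000, "secret.docx"),                     # create
    (DOC, DIR, T0 + timedelta(days=3), 0x1 | 0x80000000, "secret.docx"),    # overwrite
    16,                                                                     # zeroed gap
    (DOC, DIR, T0 + timedelta(days=3, seconds=1), 0x1000, "secret.docx"),   # old name
    (DOC, DIR, T0 + timedelta(days=3, seconds=1), 0x2000 | 0x80000000, "AbCdEfGh.tmp"),
    (DOC, DIR, T0 + timedelta(days=3, seconds=2), 0x200 | 0x80000000, "AbCdEfGh.tmp"),
])

if __name__ == "__main__":
    recs = parse_usn_records(SAMPLE_JOURNAL)
    for r in recs:
        print(r["usn"], r["timestamp"], r["mft_entry"], r["name"], "|".join(r["reasons"]))
    print("names linked to MFT entry 1234:", names_for_entry(recs, 1234))
```

Because the rename records keep the old name and every record carries the same file reference number, the original name can be tied to the deleted temporary name even after the file content has been overwritten; this is the kind of metadata residue the abstract describes. The parser steps through zero-filled regions in 8-byte units because records are 8-byte aligned and real $J streams are sparse, and it rejects records whose header is not version 2 or whose length runs past the buffer, so a truncated or corrupted extract fails loudly rather than yielding garbage names.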

Document Type

Conference Proceeding

Date of Publication

1-1-2024

Volume

785

Publication Title

Proceedings of Data Analytics and Management

Publisher

Springer

School

Graduate Research School

Comments

Al-Fayoumi, M., Al-Fawa'reh, M., Al-Haija, Q. A., & Alakailah, A. (2024). Towards detecting digital criminal activities using file system analysis. In Proceedings of Data Analytics and Management (pp. 531-550). Springer, Singapore. https://doi.org/10.1007/978-981-99-6544-1_40

Copyright

subscription content

First Page

531

Last Page

550

Link to publisher version (DOI)

10.1007/978-981-99-6544-1_40