Towards detecting digital criminal activities using file system analysis
Abstract
Destroying or clearing evidence is sometimes necessary for data protection, such as in cases of legitimate purposes or to conceal cybercrimes. Various techniques have been proposed for this task, including data wiping, which can permanently remove data from computer disks. However, it is a common misconception that wiping data will completely destroy all traces of it, as evidence may still remain in the file system, including metadata. This paper discusses tools that employ several data-wiping methods to investigate the possibility of retrieving data or metadata after full or partial wiping. Our research has found evidence in the locations $MFT, $Log files, and $UsnJrnl on the file system (NTFS), indicating that the file or data may have been present on the disk at some point. The results of this study highlight the need for caution when using data-wiping tools for data protection or to conceal cybercrimes, as they may not provide complete protection.
Document Type
Conference Proceeding
Date of Publication
1-1-2024
Volume
785
Publication Title
Proceedings of Data Analytics and Management
Publisher
Springer
School
Graduate Research School
Copyright
subscription content
First Page
531
Last Page
550
Comments
Al-Fayoumi, M., Al-Fawa'reh, M., Al-Haija, Q. A., & Alakailah, A. (2024). Towards detecting digital criminal activities using file system analysis. In Proceedings of Data Analytics and Management (pp. 531-550). Springer, Singapore. https://doi.org/10.1007/978-981-99-6544-1_40