A Digital Forensic Method for File Creation Using the Journal File of the NTFS File System

Bibliographic Details
Published in: (사)디지털산업정보학회 논문지, Vol. 6, No. 2, pp. 107-118
Main Authors: 김태한 (Kim, Tae Han), 조규상 (Cho, Gyu Sang)
Format: Journal Article
Language: Korean
Published: (사)디지털산업정보학회, 01.06.2010
ISSN: 1738-6667, 2713-9018

Abstract: This paper proposes a digital forensic method for analyzing a file creation transaction using the journal file ($LogFile) of the NTFS file system. The journal file contains a large amount of information that helps recover the file system after a system failure, so knowledge of its structure is very helpful for forensic analysis. The structure of the journal file, however, is not officially published. We determine the journal file structure by analyzing the structure of its log records through reverse engineering. We then show a digital forensic procedure that extracts information from the log records of a sample file created on an NTFS volume. The related log records are as follows: bitmap and segment allocation information of the MFT entry, index entry allocation information, and resident value update information ($FILE_NAME, $STANDARD_INFORMATION, $INDEX_ALLOCATION attributes, etc.).
Bibliography: KISTI1.1003/JNL.JAKO201007758464395; G704-SER000010259.2010.6.2.012