Alternate Data Streams in Forensic Investigations of File Systems Backups

Authors

  • Derek Bem
  • Ewa Z. Huebner
Abstract

Backup utilities for the Windows environment are designed to work with the NTFS file format, but they typically provide only partial compatibility with Alternate Data Streams (ADSs). In particular, computer forensics tools are typically capable of discovering ADSs in the file system under investigation, but not necessarily in the backups of such file systems. We examined a number of commonly used backup utilities, and initially classified them into two broad categories: non-ADS aware (ADSs lost during backup), and ADS aware. Further, we discovered that within the "ADS aware" category different tools behave differently, provide varying amounts of information about ADSs during the backup/restore process, and often lose data. We propose a new classification of backup software based on the treatment of ADSs during backup and restore operations, and discuss its implications for forensic investigation of file system backups.


Related sources

Forensic analysis of deduplicated file systems

Deduplication splits files into fragments, which are stored in a chunk repository. Deduplication stores chunks that are common to multiple files only once. From a forensics point of view, a deduplicated device is very difficult to recover and it requires specific knowledge of how this technology operates. Deduplication starts from a whole file, and transforms it into an organized set of fragmen...


Protecting File Systems: A Survey of Backup Techniques

This paper presents a survey of backup techniques for protecting file systems. These include such choices as device-based or file-based backup schemes, full vs. incremental backups, and optional data compression. Next, we discuss techniques for on-line backup (backups performed while users continue to access the file system); these techniques include file system locking and creating instantaneo...


A Fusion-based Approach for Handling Multiple Faults in Distributed Systems

The paper describes a technique to correct faults in large data structures hosted on distributed servers, based on the concept of fused backups. The prevalent solution to this problem is replication. Given n distinct data structures, replication requires nf additional replicas to correct f crash faults or ⌊f/2⌋ Byzantine faults among the data structures. If each of the primaries contains O(m) n...


A Model For The Residence Time Distribution and Holdup Measurement in a Two Impinging Streams Cyclone Reactor/Contactor in Solid-Liquid Systems

In this paper a two impinging streams cyclone contacting system suitable for handling solid-liquid systems has been studied. Certain pertinent parameters, such as solid holdup, mean residence time and Residence Time Distribution (RTD) of solid particles, have been investigated. A stochastic model based on Markov chain processes has been applied which describes the behavior of solid partic...


On the role of file system metadata in digital forensics

Most of the effort in today’s digital forensics community lies in the retrieval and analysis of existing information from computing systems. Little is being done to increase the quantity and quality of the forensic information on today’s computing systems. In this paper we pose the question of what kind of information is desired on a system by a forensic investigator. We give an overview of the...




Publication date: 2006