Research and Implementation of EXFAT File System Reconstruction Algorithm Based on Cluster Size Assumption and Computational Verification

  • Conference paper
Artificial Intelligence Security and Privacy (AIS&P 2023)

Abstract

To repair the EXFAT file system, a file system reconstruction algorithm based on cluster size assumption and computational verification is proposed. First, an experimental verification study is conducted on key BPB parameters in Windows EXFAT, such as the cluster size and the start sector number of the first cluster. Next, an algorithm for calculating and verifying the cluster size is proposed. Finally, an EXFAT file reconstruction system is designed and implemented. Experiments and comparative analysis are carried out against existing algorithms and popular software. The results show that the proposed algorithm is superior in terms of success rate, temporal attributes, file content, directory structure, and execution efficiency. It has great potential for reconstructing EXFAT file systems formatted by Windows.

Funded by: 2022 Natural Science General Project of Hunan Biological and Electromechanical Polytechnic “Research and implementation of the Windows EXFAT electronic forensics system based on BPB key parameter calculation and hypothesis verification” (Item No. 22YZK02).

Corresponding author

Correspondence to Enming Lu.

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Lu, E., Peng, F. (2024). Research and Implementation of EXFAT File System Reconstruction Algorithm Based on Cluster Size Assumption and Computational Verification. In: Vaidya, J., Gabbouj, M., Li, J. (eds) Artificial Intelligence Security and Privacy. AIS&P 2023. Lecture Notes in Computer Science, vol 14509. Springer, Singapore. https://doi.org/10.1007/978-981-99-9785-5_21

  • DOI: https://doi.org/10.1007/978-981-99-9785-5_21

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-9784-8

  • Online ISBN: 978-981-99-9785-5

  • eBook Packages: Computer Science (R0)
