Abstract
Minnaard proposed a novel method that constructs a creation time bound of files recovered without time information. The method exploits a relationship between the creation order of files and their locations on a storage device managed with the Linux FAT32 file system. This creation order reconstruction method is valid only in non-wraparound situations, where the file creation time in a former position is earlier than that in a latter position. In this article, we show that if the Linux FAT32 file allocator traverses the storage space more than once, the creation time of a recovered file is possibly earlier than that of a former file and possibly later than that of a latter file on the Linux FAT32 file system. Also it is analytically verified that there are at most n candidates for the creation time bound of each recovered file where n is the number of traversals by the file allocator. Our analysis is evaluated by examining file allocation patterns of two commercial in-car dashboard cameras.
| Original language | English |
|---|---|
| Pages (from-to) | 119-123 |
| Number of pages | 5 |
| Journal | Digital Investigation |
| Volume | 15 |
| DOIs | |
| Publication status | Published - 2015 Dec 1 |
Bibliographical note
Funding Information:This research was supported by the Public Welfare & Safety Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT & Future Planning ( 2012M3A2A1051118 ).
Keywords
- Creation time
- FAT32
- Linux file system
- Recovered file
ASJC Scopus subject areas
- Pathology and Forensic Medicine
- Information Systems
- Computer Science Applications
- Medical Laboratory Technology
- Law