Forensic exploration on Windows File History

    Research output: Contribution to journal › Article › peer-review

    4 Citations (Scopus)

    Abstract

    Nowadays, the proliferation of flash-memory-based storage devices makes it more difficult to recover deleted files from unallocated areas. It therefore becomes more important for forensic examiners to find and use data that has been backed up by dedicated backup features. One interesting example is File History (FH), a backup feature included since Windows 8 that a user can configure and operate. To enable FH, the user must select a storage device for backup operations; this can be almost any type of storage, including a local drive, a USB flash drive, or a network drive. This backup feature also lets users restore backed-up files and delete old backup versions whenever they want. It is therefore necessary, during examination of Windows systems, to analyze the forensic artifacts that reveal user behavior related to FH. In this paper, we explore the Windows FH feature in depth from a digital forensics perspective. As a result, we propose a three-step examination procedure along with detailed considerations for each step. We also analyze the impact of several anti-forensic actions that users may perform, intentionally or unintentionally. Finally, this work develops an open-source tool for identifying FH-related artifacts and analyzing user behavior in backup operations.

    Original language: English
    Article number: 301134
    Journal: Forensic Science International: Digital Investigation
    Volume: 36
    DOIs
    Publication status: Published - 2021 Mar

    Bibliographical note

    Funding Information:
    This work was supported by the Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2018-0-01000, Development of Digital Forensic Integration Platform).

    Publisher Copyright:
    © 2021 Elsevier Ltd

    Keywords

    • Anti-forensic implication
    • File backup
    • File history
    • Forensic artifact
    • Forensic procedure
    • Log analysis
    • Multi-source data analysis
    • Open-source tool
    • User behavior analysis
    • Windows forensics

    ASJC Scopus subject areas

    • Computer Science Applications
    • Information Systems
    • Pathology and Forensic Medicine
    • Law
    • Medical Laboratory Technology
