Abstract
Nowadays, a proliferation of flash-memory-based storage devices makes it more difficult to recover deleted files in unallocated areas. Thus, it becomes more important for forensic examiners to find and utilize backed up data generated by specially prepared backup features. As an interesting example of them, File History (FH) included since Windows 8 is a backup feature that can be set and operated by a user. To enable FH, it is required to select a storage device for file backup operations which can be almost any type of storage devices, including a local drive, USB flash drive, network drive, etc. This special backup feature of course allows users to restore backed up files and delete old backup versions whenever they want. Therefore, it is necessary to be able to analyze forensic artifacts that show user behaviors relating to FH, during examination of Windows systems. In this paper, we deeply explore Windows FH feature from a digital forensics perspective. As a result, this paper proposes a three-step examination procedure along with detailed considerations for each step. We also analyze impacts of several anti-forensic actions that users can perform intentionally or unintentionally. Finally, this work develops an open-source tool for identifying FH related artifacts and analyzing user behaviors on backup operations.
Original language | English |
---|---|
Article number | 301134 |
Journal | Forensic Science International: Digital Investigation |
Volume | 36 |
DOIs | |
Publication status | Published - 2021 Mar |
Bibliographical note
Funding Information:This work was supported by Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by Korea government ( MSIT ) (No. 2018-0-01000 , Development of Digital Forensic Integration Platform).
Publisher Copyright:
© 2021 Elsevier Ltd
Keywords
- Anti-forensic implication
- File backup
- File history
- Forensic artifact
- Forensic procedure
- Log analysis
- Multi-source data analysis
- Open-source tool
- User behavior analysis
- Windows forensics
ASJC Scopus subject areas
- Computer Science Applications
- Information Systems
- Pathology and Forensic Medicine
- Law
- Medical Laboratory Technology