Portal de Periódicos da CAPES

Extraction of Creation-Time for Recovered Files on Windows FAT32 File System

2019; Multidisciplinary Digital Publishing Institute; Volume: 9; Issue: 24 Linguagem: Inglês

10.3390/app9245522

2076-3417

Wan Yeon Lee, Kyong Hoon Kim, Heejo Lee,

Advanced Malware Detection Techniques

In this article, we propose a creation order reconstruction method of deleted files for the FAT32 file system with Windows operating systems. Creation order of files is established using a correlation between storage locations of the files and their directory entry locations. This method can be utilized to derive the creation-time bound of files recovered without the creation-time information. In this article, we first examine the file allocation behavior of Windows FAT32 file system. Next, based on the examined behavior, we propose a novel method that finds the creation order of deleted files after being recovered without the creation-time information. Due to complex behaviors of Windows FAT32 file system, the method may find multiple creation orders although the actual creation order is unique. In experiments with a commercial device, we confirm that the actual creation order of each recovered file belongs to one of the creation orders found by the method.