Comments on the Linux FAT32 allocator and file creation order reconstruction [Digit Investig 11(4), 224-233]

Wan Yeon Lee; Hyuckmin Kwon; Heejo Lee

doi:10.1016/j.diin.2015.09.003

Comments on the Linux FAT32 allocator and file creation order reconstruction [Digit Investig 11(4), 224-233]

Wan Yeon Lee, Hyuckmin Kwon, Heejo Lee

Research output: Contribution to journal › Article › peer-review

4 Citations (Scopus)

Abstract

Minnaard proposed a novel method that constructs a creation time bound of files recovered without time information. The method exploits a relationship between the creation order of files and their locations on a storage device managed with the Linux FAT32 file system. This creation order reconstruction method is valid only in non-wraparound situations, where the file creation time in a former position is earlier than that in a latter position. In this article, we show that if the Linux FAT32 file allocator traverses the storage space more than once, the creation time of a recovered file is possibly earlier than that of a former file and possibly later than that of a latter file on the Linux FAT32 file system. Also it is analytically verified that there are at most n candidates for the creation time bound of each recovered file where n is the number of traversals by the file allocator. Our analysis is evaluated by examining file allocation patterns of two commercial in-car dashboard cameras.

Original language	English
Pages (from-to)	119-123
Number of pages	5
Journal	Digital Investigation
Volume	15
DOIs	https://doi.org/10.1016/j.diin.2015.09.003
Publication status	Published - 2015 Dec 1

Keywords

Creation time
FAT32
Linux file system
Recovered file

ASJC Scopus subject areas

Pathology and Forensic Medicine
Information Systems
Computer Science Applications
Medical Laboratory Technology
Law

Access to Document

10.1016/j.diin.2015.09.003

Cite this

@article{8708968e015f4f399bd831f08e83b722,

title = "Comments on the Linux FAT32 allocator and file creation order reconstruction [Digit Investig 11(4), 224-233]",

abstract = "Minnaard proposed a novel method that constructs a creation time bound of files recovered without time information. The method exploits a relationship between the creation order of files and their locations on a storage device managed with the Linux FAT32 file system. This creation order reconstruction method is valid only in non-wraparound situations, where the file creation time in a former position is earlier than that in a latter position. In this article, we show that if the Linux FAT32 file allocator traverses the storage space more than once, the creation time of a recovered file is possibly earlier than that of a former file and possibly later than that of a latter file on the Linux FAT32 file system. Also it is analytically verified that there are at most n candidates for the creation time bound of each recovered file where n is the number of traversals by the file allocator. Our analysis is evaluated by examining file allocation patterns of two commercial in-car dashboard cameras.",

keywords = "Creation time, FAT32, Linux file system, Recovered file",

author = "Lee, {Wan Yeon} and Hyuckmin Kwon and Heejo Lee",

note = "Funding Information: This research was supported by the Public Welfare & Safety Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT & Future Planning ( 2012M3A2A1051118 ).",

year = "2015",

month = dec,

day = "1",

doi = "10.1016/j.diin.2015.09.003",

language = "English",

volume = "15",

pages = "119--123",

journal = "Digital Investigation",

issn = "1742-2876",

publisher = "Elsevier Limited",

}

TY - JOUR

T1 - Comments on the Linux FAT32 allocator and file creation order reconstruction [Digit Investig 11(4), 224-233]

AU - Lee, Wan Yeon

AU - Kwon, Hyuckmin

AU - Lee, Heejo

N1 - Funding Information: This research was supported by the Public Welfare & Safety Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Science, ICT & Future Planning ( 2012M3A2A1051118 ).

PY - 2015/12/1

Y1 - 2015/12/1

N2 - Minnaard proposed a novel method that constructs a creation time bound of files recovered without time information. The method exploits a relationship between the creation order of files and their locations on a storage device managed with the Linux FAT32 file system. This creation order reconstruction method is valid only in non-wraparound situations, where the file creation time in a former position is earlier than that in a latter position. In this article, we show that if the Linux FAT32 file allocator traverses the storage space more than once, the creation time of a recovered file is possibly earlier than that of a former file and possibly later than that of a latter file on the Linux FAT32 file system. Also it is analytically verified that there are at most n candidates for the creation time bound of each recovered file where n is the number of traversals by the file allocator. Our analysis is evaluated by examining file allocation patterns of two commercial in-car dashboard cameras.

AB - Minnaard proposed a novel method that constructs a creation time bound of files recovered without time information. The method exploits a relationship between the creation order of files and their locations on a storage device managed with the Linux FAT32 file system. This creation order reconstruction method is valid only in non-wraparound situations, where the file creation time in a former position is earlier than that in a latter position. In this article, we show that if the Linux FAT32 file allocator traverses the storage space more than once, the creation time of a recovered file is possibly earlier than that of a former file and possibly later than that of a latter file on the Linux FAT32 file system. Also it is analytically verified that there are at most n candidates for the creation time bound of each recovered file where n is the number of traversals by the file allocator. Our analysis is evaluated by examining file allocation patterns of two commercial in-car dashboard cameras.

KW - Creation time

KW - FAT32

KW - Linux file system

KW - Recovered file

UR - http://www.scopus.com/inward/record.url?scp=84951772242&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84951772242&partnerID=8YFLogxK

U2 - 10.1016/j.diin.2015.09.003

DO - 10.1016/j.diin.2015.09.003

M3 - Article

AN - SCOPUS:84951772242

VL - 15

SP - 119

EP - 123

JO - Digital Investigation

JF - Digital Investigation

SN - 1742-2876

ER -

Comments on the Linux FAT32 allocator and file creation order reconstruction [Digit Investig 11(4), 224-233]

Abstract

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this