Comments on the Linux FAT32 allocator and file creation order reconstruction [Digit Investig 11(4), 224-233]

Wan Yeon Lee; Hyuckmin Kwon; Heejo Lee

doi:10.1016/j.diin.2015.09.003

Comments on the Linux FAT32 allocator and file creation order reconstruction [Digit Investig 11(4), 224-233]

Wan Yeon Lee, Hyuckmin Kwon, Heejo Lee

Department of Computer Science and Engineering

Research output: Contribution to journal › Article

3 Citations (Scopus)

Abstract

Minnaard proposed a novel method that constructs a creation time bound of files recovered without time information. The method exploits a relationship between the creation order of files and their locations on a storage device managed with the Linux FAT32 file system. This creation order reconstruction method is valid only in non-wraparound situations, where the file creation time in a former position is earlier than that in a latter position. In this article, we show that if the Linux FAT32 file allocator traverses the storage space more than once, the creation time of a recovered file is possibly earlier than that of a former file and possibly later than that of a latter file on the Linux FAT32 file system. Also it is analytically verified that there are at most. n candidates for the creation time bound of each recovered file where. n is the number of traversals by the file allocator. Our analysis is evaluated by examining file allocation patterns of two commercial in-car dashboard cameras.

Original language	English
Journal	Digital Investigation
DOIs	https://doi.org/10.1016/j.diin.2015.09.003
Publication status	Accepted/In press - 2015

Fingerprint

reconstruction

Railroad cars

Cameras

candidacy

time

Linux

Equipment and Supplies

Keywords

Creation time
FAT32
Linux file system
Recovered file

ASJC Scopus subject areas

Law
Computer Science Applications
Medical Laboratory Technology

Cite this

Lee, W. Y., Kwon, H., & Lee, H. (Accepted/In press). Comments on the Linux FAT32 allocator and file creation order reconstruction [Digit Investig 11(4), 224-233]. Digital Investigation. https://doi.org/10.1016/j.diin.2015.09.003

Comments on the Linux FAT32 allocator and file creation order reconstruction [Digit Investig 11(4), 224-233]. / Lee, Wan Yeon; Kwon, Hyuckmin; Lee, Heejo.

In: Digital Investigation, 2015.

Research output: Contribution to journal › Article

Lee, WY, Kwon, H & Lee, H 2015, 'Comments on the Linux FAT32 allocator and file creation order reconstruction [Digit Investig 11(4), 224-233]', Digital Investigation. https://doi.org/10.1016/j.diin.2015.09.003

Lee WY, Kwon H, Lee H. Comments on the Linux FAT32 allocator and file creation order reconstruction [Digit Investig 11(4), 224-233]. Digital Investigation. 2015. https://doi.org/10.1016/j.diin.2015.09.003

Lee, Wan Yeon ; Kwon, Hyuckmin ; Lee, Heejo. / Comments on the Linux FAT32 allocator and file creation order reconstruction [Digit Investig 11(4), 224-233]. In: Digital Investigation. 2015.

@article{8708968e015f4f399bd831f08e83b722,

title = "Comments on the Linux FAT32 allocator and file creation order reconstruction [Digit Investig 11(4), 224-233]",

abstract = "Minnaard proposed a novel method that constructs a creation time bound of files recovered without time information. The method exploits a relationship between the creation order of files and their locations on a storage device managed with the Linux FAT32 file system. This creation order reconstruction method is valid only in non-wraparound situations, where the file creation time in a former position is earlier than that in a latter position. In this article, we show that if the Linux FAT32 file allocator traverses the storage space more than once, the creation time of a recovered file is possibly earlier than that of a former file and possibly later than that of a latter file on the Linux FAT32 file system. Also it is analytically verified that there are at most. n candidates for the creation time bound of each recovered file where. n is the number of traversals by the file allocator. Our analysis is evaluated by examining file allocation patterns of two commercial in-car dashboard cameras.",

keywords = "Creation time, FAT32, Linux file system, Recovered file",

author = "Lee, {Wan Yeon} and Hyuckmin Kwon and Heejo Lee",

year = "2015",

doi = "10.1016/j.diin.2015.09.003",

language = "English",

journal = "Digital Investigation",

issn = "1742-2876",

publisher = "Elsevier Limited",

}

TY - JOUR

T1 - Comments on the Linux FAT32 allocator and file creation order reconstruction [Digit Investig 11(4), 224-233]

AU - Lee, Wan Yeon

AU - Kwon, Hyuckmin

AU - Lee, Heejo

PY - 2015

Y1 - 2015

N2 - Minnaard proposed a novel method that constructs a creation time bound of files recovered without time information. The method exploits a relationship between the creation order of files and their locations on a storage device managed with the Linux FAT32 file system. This creation order reconstruction method is valid only in non-wraparound situations, where the file creation time in a former position is earlier than that in a latter position. In this article, we show that if the Linux FAT32 file allocator traverses the storage space more than once, the creation time of a recovered file is possibly earlier than that of a former file and possibly later than that of a latter file on the Linux FAT32 file system. Also it is analytically verified that there are at most. n candidates for the creation time bound of each recovered file where. n is the number of traversals by the file allocator. Our analysis is evaluated by examining file allocation patterns of two commercial in-car dashboard cameras.

AB - Minnaard proposed a novel method that constructs a creation time bound of files recovered without time information. The method exploits a relationship between the creation order of files and their locations on a storage device managed with the Linux FAT32 file system. This creation order reconstruction method is valid only in non-wraparound situations, where the file creation time in a former position is earlier than that in a latter position. In this article, we show that if the Linux FAT32 file allocator traverses the storage space more than once, the creation time of a recovered file is possibly earlier than that of a former file and possibly later than that of a latter file on the Linux FAT32 file system. Also it is analytically verified that there are at most. n candidates for the creation time bound of each recovered file where. n is the number of traversals by the file allocator. Our analysis is evaluated by examining file allocation patterns of two commercial in-car dashboard cameras.

KW - Creation time

KW - FAT32

KW - Linux file system

KW - Recovered file

UR - http://www.scopus.com/inward/record.url?scp=84951772242&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=84951772242&partnerID=8YFLogxK

U2 - 10.1016/j.diin.2015.09.003

DO - 10.1016/j.diin.2015.09.003

M3 - Article

AN - SCOPUS:84951772242

JO - Digital Investigation

JF - Digital Investigation

SN - 1742-2876

ER -

Access to Document

10.1016/j.diin.2015.09.003