De-Wipimization: Detection of data wiping traces for investigating NTFS file system

Dong Bin Oh; Kyung Ho Park; Huy Kang Kim

doi:10.1016/j.cose.2020.102034

De-Wipimization: Detection of data wiping traces for investigating NTFS file system

Dong Bin Oh, Kyung Ho Park, Huy Kang Kim

School of Cybersecurity

Research output: Contribution to journal › Article › peer-review

3 Citations (Scopus)

Abstract

Data wiping is used to securely delete securely unwanted files. However, the misuse of data wiping can destroy pieces of evidence to be spoiled in a digital forensic investigation. To cope with the misuse of data wiping, we proposed an anti-anti-forensic method based on NTFS transaction features and a machine learning algorithm. This method allows investigators to obtain information regarding ‘which files are wiped’ and ‘which data wiping tools and data sanitization standards used’. In this study, we achieved good identification of data wiping traces in the NTFS file system. Leveraging the efficiency of machine learning models, our method effectively recognizes wiped partitions and files in the NTFS file system and identifies tools used in data sanitization.

Original language	English
Article number	102034
Journal	Computers and Security
Volume	99
DOIs	https://doi.org/10.1016/j.cose.2020.102034
Publication status	Published - 2020 Dec

Keywords

Anti-forensic
Cybercrime
Data wiping
Machine learning

ASJC Scopus subject areas

Computer Science(all)
Law

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

10.1016/j.cose.2020.102034

Cite this

@article{4b1846f57b724c548bf8ac17158127e7,

title = "De-Wipimization: Detection of data wiping traces for investigating NTFS file system",

abstract = "Data wiping is used to securely delete securely unwanted files. However, the misuse of data wiping can destroy pieces of evidence to be spoiled in a digital forensic investigation. To cope with the misuse of data wiping, we proposed an anti-anti-forensic method based on NTFS transaction features and a machine learning algorithm. This method allows investigators to obtain information regarding {\textquoteleft}which files are wiped{\textquoteright} and {\textquoteleft}which data wiping tools and data sanitization standards used{\textquoteright}. In this study, we achieved good identification of data wiping traces in the NTFS file system. Leveraging the efficiency of machine learning models, our method effectively recognizes wiped partitions and files in the NTFS file system and identifies tools used in data sanitization.",

keywords = "Anti-forensic, Cybercrime, Data wiping, Machine learning",

author = "Oh, {Dong Bin} and Park, {Kyung Ho} and Kim, {Huy Kang}",

note = "Funding Information: This work was supported by Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2018-0-00232, Cloud-based IoT Threat Autonomic Analysis and Response Technology). Funding Information: This work was supported by Institute of Information & communications Technology Planning & Evaluation ( IITP ) grant funded by the Korea government (MSIT) (No. 2018-0-00232 , Cloud-based IoT Threat Autonomic Analysis and Response Technology). Publisher Copyright: {\textcopyright} 2020 Elsevier Ltd",

year = "2020",

month = dec,

doi = "10.1016/j.cose.2020.102034",

language = "English",

volume = "99",

journal = "Computers and Security",

issn = "0167-4048",

publisher = "Elsevier Limited",

}

TY - JOUR

T1 - De-Wipimization

T2 - Detection of data wiping traces for investigating NTFS file system

AU - Oh, Dong Bin

AU - Park, Kyung Ho

AU - Kim, Huy Kang

N1 - Funding Information: This work was supported by Institute of Information & communications Technology Planning & Evaluation (IITP) grant funded by the Korea government (MSIT) (No. 2018-0-00232, Cloud-based IoT Threat Autonomic Analysis and Response Technology). Funding Information: This work was supported by Institute of Information & communications Technology Planning & Evaluation ( IITP ) grant funded by the Korea government (MSIT) (No. 2018-0-00232 , Cloud-based IoT Threat Autonomic Analysis and Response Technology). Publisher Copyright: © 2020 Elsevier Ltd

PY - 2020/12

Y1 - 2020/12

N2 - Data wiping is used to securely delete securely unwanted files. However, the misuse of data wiping can destroy pieces of evidence to be spoiled in a digital forensic investigation. To cope with the misuse of data wiping, we proposed an anti-anti-forensic method based on NTFS transaction features and a machine learning algorithm. This method allows investigators to obtain information regarding ‘which files are wiped’ and ‘which data wiping tools and data sanitization standards used’. In this study, we achieved good identification of data wiping traces in the NTFS file system. Leveraging the efficiency of machine learning models, our method effectively recognizes wiped partitions and files in the NTFS file system and identifies tools used in data sanitization.

AB - Data wiping is used to securely delete securely unwanted files. However, the misuse of data wiping can destroy pieces of evidence to be spoiled in a digital forensic investigation. To cope with the misuse of data wiping, we proposed an anti-anti-forensic method based on NTFS transaction features and a machine learning algorithm. This method allows investigators to obtain information regarding ‘which files are wiped’ and ‘which data wiping tools and data sanitization standards used’. In this study, we achieved good identification of data wiping traces in the NTFS file system. Leveraging the efficiency of machine learning models, our method effectively recognizes wiped partitions and files in the NTFS file system and identifies tools used in data sanitization.

KW - Anti-forensic

KW - Cybercrime

KW - Data wiping

KW - Machine learning

UR - http://www.scopus.com/inward/record.url?scp=85090998215&partnerID=8YFLogxK

U2 - 10.1016/j.cose.2020.102034

DO - 10.1016/j.cose.2020.102034

M3 - Article

AN - SCOPUS:85090998215

SN - 0167-4048

VL - 99

JO - Computers and Security

JF - Computers and Security

M1 - 102034

ER -

De-Wipimization: Detection of data wiping traces for investigating NTFS file system

Abstract

Keywords

ASJC Scopus subject areas

UN SDGs

Access to Document

Other files and links

Fingerprint

Cite this