De-Wipimization: Detection of data wiping traces for investigating NTFS file system

Dong Bin Oh, Kyung Ho Park, Huy Kang Kim

Research output: Contribution to journal › Article › peer-review

Abstract

Data wiping is used to securely delete unwanted files. However, the misuse of data wiping can destroy pieces of evidence in a digital forensic investigation. To cope with the misuse of data wiping, we proposed an anti-anti-forensic method based on NTFS transaction features and a machine learning algorithm. This method allows investigators to obtain information regarding ‘which files are wiped’ and ‘which data wiping tools and data sanitization standards were used’. In this study, we achieved good identification of data wiping traces in the NTFS file system. Leveraging the efficiency of machine learning models, our method effectively recognizes wiped partitions and files in the NTFS file system and identifies tools used in data sanitization.

Original language: English
Article number: 102034
Journal: Computers and Security
Volume: 99
Publication status: Published - 2020 Dec

Keywords

  • Anti-forensic
  • Cybercrime
  • Data wiping
  • Machine learning

ASJC Scopus subject areas

  • Computer Science(all)
  • Law
