Extraction of creation-time for recovered files on windows FAT32 file system

Wan Yeon Lee, Kyong Hoon Kim, Heejo Lee

Research output: Contribution to journalArticle

2 Citations (Scopus)

Abstract

In this article, we propose a creation order reconstruction method of deleted files for the FAT32 file system with Windows operating systems. Creation order of files is established using a correlation between storage locations of the files and their directory entry locations. This method can be utilized to derive the creation-time bound of files recovered without the creation-time information. In this article, we first examine the file allocation behavior of Windows FAT32 file system. Next, based on the examined behavior, we propose a novel method that finds the creation order of deleted files after being recovered without the creation-time information. Due to complex behaviors of Windows FAT32 file system, the method may find multiple creation orders although the actual creation order is unique. In experiments with a commercial device, we confirm that the actual creation order of each recovered file belongs to one of the creation orders found by the method.

Original languageEnglish
Article number5522
JournalApplied Sciences (Switzerland)
Volume9
Issue number24
DOIs
Publication statusPublished - 2019 Dec 1

Keywords

  • Creation-time
  • FAT32 file system
  • File allocation behavior
  • Order reconstruction
  • Recovered file

ASJC Scopus subject areas

  • Materials Science(all)
  • Instrumentation
  • Engineering(all)
  • Process Chemistry and Technology
  • Computer Science Applications
  • Fluid Flow and Transfer Processes

Fingerprint Dive into the research topics of 'Extraction of creation-time for recovered files on windows FAT32 file system'. Together they form a unique fingerprint.

Cite this