Extraction of creation-time for recovered files on windows FAT32 file system

Wan Yeon Lee, Kyong Hoon Kim, Heejo Lee

    Research output: Contribution to journalArticlepeer-review

    2 Citations (Scopus)

    Abstract

    In this article, we propose a creation order reconstruction method of deleted files for the FAT32 file system with Windows operating systems. Creation order of files is established using a correlation between storage locations of the files and their directory entry locations. This method can be utilized to derive the creation-time bound of files recovered without the creation-time information. In this article, we first examine the file allocation behavior of Windows FAT32 file system. Next, based on the examined behavior, we propose a novel method that finds the creation order of deleted files after being recovered without the creation-time information. Due to complex behaviors of Windows FAT32 file system, the method may find multiple creation orders although the actual creation order is unique. In experiments with a commercial device, we confirm that the actual creation order of each recovered file belongs to one of the creation orders found by the method.

    Original languageEnglish
    Article number5522
    JournalApplied Sciences (Switzerland)
    Volume9
    Issue number24
    DOIs
    Publication statusPublished - 2019 Dec 1

    Keywords

    • Creation-time
    • FAT32 file system
    • File allocation behavior
    • Order reconstruction
    • Recovered file

    ASJC Scopus subject areas

    • Materials Science(all)
    • Instrumentation
    • Engineering(all)
    • Process Chemistry and Technology
    • Computer Science Applications
    • Fluid Flow and Transfer Processes

    Fingerprint

    Dive into the research topics of 'Extraction of creation-time for recovered files on windows FAT32 file system'. Together they form a unique fingerprint.

    Cite this