Ordinary B-tree vs NTFS B-tree: A Digital Forensics Perspectives

  • Cho, Gyu-Sang (School of Public Technology Service, Dongyang University)
  • Received : 2017.08.03
  • Accepted : 2017.08.14
  • Published : 2017.08.31

Abstract

In this paper, we discuss the differences between an ordinary B-tree and the B-tree implemented by NTFS. There are many distinctions between the two B-trees; without understanding these distinctions fully, it is difficult to utilize and analyze NTFS artifacts. Not much, actually, is known about the implementation of NTFS, especially the B-tree index used for directory management. Several B-tree features are examined: node size, minimum number of children, a root node without children, key type, key sorting, the type of pointer to a child node, expansion and reduction of nodes, and return of nodes. Furthermore, we emphasize the fact that NTFS clearly uses a B-tree structure, not a B+tree structure.
