Abstract
In this article, we propose a creation order reconstruction method of deleted files for the FAT32 file system with Windows operating systems. Creation order of files is established using a correlation between storage locations of the files and their directory entry locations. This method can be utilized to derive the creation-time bound of files recovered without the creation-time information. In this article, we first examine the file allocation behavior of Windows FAT32 file system. Next, based on the examined behavior, we propose a novel method that finds the creation order of deleted files after being recovered without the creation-time information. Due to complex behaviors of Windows FAT32 file system, the method may find multiple creation orders although the actual creation order is unique. In experiments with a commercial device, we confirm that the actual creation order of each recovered file belongs to one of the creation orders found by the method.
Original language | English |
---|---|
Article number | 5522 |
Journal | Applied Sciences (Switzerland) |
Volume | 9 |
Issue number | 24 |
DOIs | |
State | Published - 1 Dec 2019 |
Keywords
- Creation-time
- FAT32 file system
- File allocation behavior
- Order reconstruction
- Recovered file