Extraction of creation-time for recovered files on windows FAT32 file system

Wan Yeon Lee, Kyong Hoon Kim, Heejo Lee

Research output: Contribution to journalArticlepeer-review

5 Scopus citations

Abstract

In this article, we propose a creation order reconstruction method of deleted files for the FAT32 file system with Windows operating systems. Creation order of files is established using a correlation between storage locations of the files and their directory entry locations. This method can be utilized to derive the creation-time bound of files recovered without the creation-time information. In this article, we first examine the file allocation behavior of Windows FAT32 file system. Next, based on the examined behavior, we propose a novel method that finds the creation order of deleted files after being recovered without the creation-time information. Due to complex behaviors of Windows FAT32 file system, the method may find multiple creation orders although the actual creation order is unique. In experiments with a commercial device, we confirm that the actual creation order of each recovered file belongs to one of the creation orders found by the method.

Original languageEnglish
Article number5522
JournalApplied Sciences (Switzerland)
Volume9
Issue number24
DOIs
StatePublished - 1 Dec 2019

Keywords

  • Creation-time
  • FAT32 file system
  • File allocation behavior
  • Order reconstruction
  • Recovered file

Fingerprint

Dive into the research topics of 'Extraction of creation-time for recovered files on windows FAT32 file system'. Together they form a unique fingerprint.

Cite this