Media analyses based on Microsoft NTFS file ownership Writer : Fred C. Kerr Information Systems Management, Applied Management and Decision Sciences, Walden.


Media analyses based on Microsoft NTFS file ownership Writer : Fred C. Kerr Information Systems Management, Applied Management and Decision Sciences, Walden university, USA Presentation : Forensic Science International, 28. July Reporter : Sparker

Introduction The object "ownership" property of files and folders within NTFS is a still little-used method of profiling computer users via the allocated files and folders that they "own". The major challenges faced by digital investigators are the rapid growth of media size, the number of computer systems, and the amount of information stored.

The paradox of digital crime Committing a digital crime versus investigating one: digital crime is easy to commit, while detecting and investigating it is quite difficult. An improved methodology is more efficient and effective than increasing the number of digital forensic examiners.

The need for a "Big-Picture" view of digital media The size of digital media has grown so large that it is often difficult to digest. The military had an immediate tactical need for information: a quick view of the media designed to optimize collection of mission-essential evidence, which is called "battle damage assessment".

Digital fingerprint NTFS adds security measures that are based on the concept of "ownership" of files and folders on a computer system. Every object in NTFS has an "owner"; by default, an object's creator is its owner and establishes and regulates the object's security permissions. Each authorized user in the NTFS file system is represented by a unique security identifier (SID).

Methodology General Platforms Examination

Results This is the first system to portray file and folder information in an overall "big-picture" view of one or more entire hard drives. A series of crosstab reports was created in the database, displaying the files and folders owned by particular user SIDs.

Results (contd.) These profiles first grouped file extensions into arbitrary classifications (compressed, , executable, graphics, Internet, logs, office, and shortcuts). From this "big-picture" view, a second level (a drill-down display) was created to show more detail by user SID, depicting the specific numbers of files per extension that make up the initial groupings. An additional level of drill-down was created to display specific file information (file names, full path, etc.) for any extension of interest.
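The three report levels described on the two Results slides (owner SID by extension class, then per-extension counts for one SID and class, then the file paths behind one extension) can be reproduced with a short script. The following is an added example, not the author's database or code: the extension lists inside each class, the SIDs and the (path, owner) records are all constructed for illustration; in practice the records would be exported from a forensic image.

```python
"""Owner-SID profiling of allocated files, in the three levels the
presentation describes: a big-picture crosstab (owner SID x extension
class), a drill-down by extension, and a listing of file paths.
Everything below is constructed sample data; real records would come from
the file-system metadata of an imaged drive."""
from collections import Counter, defaultdict
from pathlib import PureWindowsPath

# Extension classes follow the groupings named on the slide; the exact
# extensions in each class are this example's own assumption.
EXT_CLASSES = {
    "compressed": {".zip", ".rar", ".7z", ".gz", ".cab"},
    "executable": {".exe", ".dll", ".sys", ".com", ".bat", ".msi"},
    "graphics": {".jpg", ".jpeg", ".png", ".gif", ".bmp"},
    "internet": {".htm", ".html", ".url", ".css", ".js"},
    "logs": {".log", ".evt", ".evtx"},
    "office": {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"},
    "shortcuts": {".lnk"},
}
EXT_TO_CLASS = {ext: cls for cls, exts in EXT_CLASSES.items() for ext in exts}

# Constructed owner SIDs: two local accounts (machine part made up) and the
# well-known BUILTIN\Administrators SID, which commonly owns system files.
SID_ALICE = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SID_BOB = "S-1-5-21-1111111111-2222222222-3333333333-1002"
SID_ADMINS = "S-1-5-32-544"

# Constructed (full path, owner SID) records for allocated files only.
# Owner SIDs can be changed by a privileged user, so these counts profile
# activity rather than prove it (see the limitations slide).
SAMPLE_RECORDS = [
    (r"C:\Users\alice\Downloads\tools.zip", SID_ALICE),
    (r"C:\Users\alice\Downloads\setup.exe", SID_ALICE),
    (r"C:\Users\alice\Pictures\cat.jpg", SID_ALICE),
    (r"C:\Users\alice\Pictures\dog.png", SID_ALICE),
    (r"C:\Users\alice\Desktop\report.docx", SID_ALICE),
    (r"C:\Users\alice\Desktop\notes.lnk", SID_ALICE),
    (r"C:\Users\bob\Documents\budget.xlsx", SID_BOB),
    (r"C:\Users\bob\Documents\memo.doc", SID_BOB),
    (r"C:\Users\bob\Downloads\archive.rar", SID_BOB),
    (r"C:\Windows\System32\kernel32.dll", SID_ADMINS),
    (r"C:\Windows\System32\cmd.exe", SID_ADMINS),
    (r"C:\Windows\System32\winevt\Logs\System.evtx", SID_ADMINS),
    (r"C:\Windows\System32\config.dat", SID_ADMINS),
]


def extension(path):
    """Lower-cased final extension of a Windows path ('' if none)."""
    return PureWindowsPath(path).suffix.lower()


def classify(path):
    """Level 1 grouping: extension class, or 'other' for anything unlisted."""
    return EXT_TO_CLASS.get(extension(path), "other")


def ownership_crosstab(records):
    """Level 1: {owner SID: {extension class: file count}}."""
    table = defaultdict(Counter)
    for path, sid in records:
        table[sid][classify(path)] += 1
    return {sid: dict(counts) for sid, counts in table.items()}


def drill_down(records, sid, cls):
    """Level 2: per-extension counts for one owner SID within one class."""
    return dict(Counter(extension(p) for p, owner in records
                        if owner == sid and classify(p) == cls))


def files_for(records, sid, ext):
    """Level 3: full paths of one owner SID's files with one extension."""
    ext = ext.lower()
    return sorted(p for p, owner in records
                  if owner == sid and extension(p) == ext)


def render_report(records):
    """Big-picture text view: one owner SID per block, class counts below."""
    lines = []
    for sid, counts in sorted(ownership_crosstab(records).items()):
        lines.append(f"{sid}: {sum(counts.values())} files")
        for cls, n in sorted(counts.items()):
            lines.append(f"  {cls:<10} {n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_report(SAMPLE_RECORDS))
    print(drill_down(SAMPLE_RECORDS, SID_ALICE, "graphics"))
    print(files_for(SAMPLE_RECORDS, SID_BOB, ".xlsx"))
```

Each level is a filter over the same flat record list, which is why the big-picture view stays cheap even for an entire drive: the crosstab is one pass, and drill-downs only run for the SID and class an examiner chooses to open.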

Potential limitations Examinations using owner SIDs are not a panacea, but they do provide an additional tool for the digital forensic examiner. There are two potential limitations associated with using the owner SID as a profiling technique. The first is that it pertains to allocated files only. The second is that it is possible to change the owner SID.

Potential forensic uses Correlation of logged-on user SID with files/folders owned by that SID could aid in reconstruction of activities within a specified timeline. Such a timeline could incorporate the SID-based entries found in the Windows Event Logs as well.
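The correlation this slide proposes, logon sessions for a SID from the Windows Event Logs set against the creation times of files that SID owns, can be illustrated with a small timeline builder. This is an added example rather than anything from the presentation; the logon events, SIDs and file records are constructed, and the session-pairing rule (a logoff closes the earliest open logon for that SID) is this example's own simplification of what a real event log contains.

```python
"""Correlating per-SID logon sessions with the files that SID owns, to
place file creation on a timeline.  All events and file records below are
constructed; real input would be Security log logon/logoff entries and
the file-system metadata of an image."""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

SID_ALICE = "S-1-5-21-1111111111-2222222222-3333333333-1001"  # constructed
SID_BOB = "S-1-5-21-1111111111-2222222222-3333333333-1002"    # constructed


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    sid: str
    kind: str  # "logon" or "logoff"


@dataclass(frozen=True)
class OwnedFile:
    path: str
    owner_sid: str
    created: datetime


@dataclass(frozen=True)
class Session:
    sid: str
    start: datetime
    end: Optional[datetime]  # None: no logoff seen, still logged on at imaging


# Constructed event-log extract: two sessions for alice (second still open),
# one for bob.
SAMPLE_EVENTS = [
    LogonEvent(datetime(2016, 3, 1, 9, 0), SID_ALICE, "logon"),
    LogonEvent(datetime(2016, 3, 1, 12, 0), SID_ALICE, "logoff"),
    LogonEvent(datetime(2016, 3, 1, 10, 30), SID_BOB, "logon"),
    LogonEvent(datetime(2016, 3, 1, 11, 0), SID_BOB, "logoff"),
    LogonEvent(datetime(2016, 3, 1, 14, 0), SID_ALICE, "logon"),
]

# Constructed owned-file records with NTFS creation times.
SAMPLE_FILES = [
    OwnedFile(r"C:\Users\alice\Desktop\report.docx", SID_ALICE, datetime(2016, 3, 1, 9, 45)),
    OwnedFile(r"C:\Users\alice\Downloads\tools.zip", SID_ALICE, datetime(2016, 3, 1, 15, 10)),
    OwnedFile(r"C:\Users\alice\Desktop\notes.lnk", SID_ALICE, datetime(2016, 3, 1, 8, 0)),
    OwnedFile(r"C:\Users\bob\Documents\budget.xlsx", SID_BOB, datetime(2016, 3, 1, 10, 45)),
    OwnedFile(r"C:\Users\bob\Documents\memo.doc", SID_BOB, datetime(2016, 3, 1, 13, 0)),
]


def build_sessions(events):
    """Pair each SID's logon with its next logoff; unmatched logons stay open."""
    open_logons = {}
    sessions = []
    for ev in sorted(events, key=lambda e: e.when):
        if ev.kind == "logon":
            open_logons.setdefault(ev.sid, ev.when)  # keep the earliest open logon
        elif ev.kind == "logoff" and ev.sid in open_logons:
            sessions.append(Session(ev.sid, open_logons.pop(ev.sid), ev.when))
    sessions.extend(Session(sid, start, None) for sid, start in open_logons.items())
    return sorted(sessions, key=lambda s: s.start)


def _in_session(session, f):
    return (f.owner_sid == session.sid and session.start <= f.created
            and (session.end is None or f.created <= session.end))


def files_in_session(session, files):
    """Files owned by the session's SID and created while it was logged on."""
    return sorted((f for f in files if _in_session(session, f)), key=lambda f: f.created)


def unattributed_files(sessions, files):
    """Owned files created outside every session of their owner SID.  These
    deserve a closer look: a gap in the logs, a clock problem, or an owner
    SID changed after creation (the limitation the presentation notes)."""
    return sorted(f.path for f in files
                  if not any(_in_session(s, f) for s in sessions))


def timeline(sessions, files):
    """Chronological rows of (time, kind, SID, path) mixing logons, files, logoffs."""
    rows = []
    for s in sessions:
        rows.append((s.start, "logon", s.sid, ""))
        rows.extend((f.created, "file", s.sid, f.path) for f in files_in_session(s, files))
        if s.end is not None:
            rows.append((s.end, "logoff", s.sid, ""))
    return sorted(rows)


if __name__ == "__main__":
    sessions = build_sessions(SAMPLE_EVENTS)
    for row in timeline(sessions, SAMPLE_FILES):
        print(row[0].strftime("%Y-%m-%d %H:%M"), row[1], row[2], row[3])
    print("unattributed:", unattributed_files(sessions, SAMPLE_FILES))
```

The files that fall outside every session of their owner are the interesting output for an examiner: they are exactly the cases where ownership alone would have told a misleading story, which is the second limitation the presentation raises.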

Conclusions and further research In terms of pre-examination screening of media, profiling user activity via owner SIDs on a computer system provides potential value to a digital investigator. The profiling concept might be extended to other systems such as UNIX and Linux.