1. Media analyses based on Microsoft NTFS file ownership Writer ： Fred C. Kerr Information Systems Management, Applied Management and Decision Sciences, Walden university, USA Presentation : Forensic Science International, 28. July. 2006 Reporter ： Sparker

2. Introduction The object “ ownership ” property of files and folders within NTFS is an yet little-used method to profile computer users via allocated files and folders that they “ own ”. Major challenges faced by the digital investigators are the rapid growth of media size, number of computer systems, and the amount of information stored.

3. The paradox of digital crime Commit a digital crime versus investigate a digital crime. Digital crime is easy to commit, while detecting and investigating them is quite difficult. An improved methodology is more efficient and effective than increasing the numbers of digital forensic examiners.

4. The need for a “ Big-Picture ” view of digital media The size of digital media has grown so large it si often difficult to digest. The military had an immediate tactical need for information, a quick view of the media designed to optimize collection of mission-essential evidence, this is called “battle damage assessment”.

5. Digital fingerprint The NTFS adds security measures which are based upon the concept of “ownership”of files and folders on computer system. Every object in NTFS has an “owner”, by default, an object’s creator is it’s owner and establishes and regulates an object’s security permission. Each authorized user in the NTFS file system is represented by a unique security identifier (SID) number.

6. Methodology General Platforms Examination

7. Results This is the first system to portray file and folders information in an overall “ big-picture ” view of one or more entire hard drives. A series of crosstab reports were created in the database displaying files and folders that were owned by particular user SIDs.

8. Results (contd.) These profiles first grouped file extensions into arbitrary classification (compressed, e-mail, executable, graphics, Internet, logs, office, and shortcuts) From this “ big-picture ” view, a second level was created (a drill-down display) to show more detail by user SID depicting the specific numbers of files by extension making up the initial groupings. An additional level of drill-down was created to display specific file information (file names, full path, etc.) for any specific extension of interest.

9. Potential limitations Examination using owner SID are not panacea, but they do provide an additional tool for the digital forensic examiner. There are two potential limitations associated with using owner SID as a profiling technique. The first is that it pertains to allocated files only. The second is that it is possible to change the owner SID.

10. Potential forensic uses Correlation of logged-on user SID with files/folders owned by that SID could aid in reconstruction of activities within a specified timeline. Such a timeline could incorporate the SID-based entries found in the Windows Event Logs as well.

11. Conclusions and further research In terms of pre-examination screening of media, profiling user activity via owner SIDs on a computer system provide potential value to a digital investigator. Profiling concepts might be extended to another system such as UNIX and LINUX.